Terraform-provider-aws: aws_route53_zone import: AccessDenied

Created on 19 Mar 2018  ·  11 Comments  ·  Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @hryamzik as hashicorp/terraform#17611. It was migrated here as a result of the provider split. The original body of the issue is below._


Terraform Version

v0.11.3

Configuration

resource "aws_route53_zone" "test-com-public" {
    name       = "test.com"
    comment    = "HostedZone created by Route53 Registrar"

    tags {
    }
}

Output

$ terraform import aws_route53_zone.test-com-public SOMEZONEID
aws_route53_zone.test-com-public: Importing from ID "SOMEZONEID"...
aws_route53_zone.test-com-public: Import complete!
  Imported aws_route53_zone (ID: SOMEZONEID)
aws_route53_zone.test-com-public: Refreshing state... (ID: SOMEZONEID)

Error: aws_route53_zone.test-com-public (import id: SOMEZONEID): 1 error(s) occurred:

* import aws_route53_zone.test-com-public result: SOMEZONEID: aws_route53_zone.test-com-public: AccessDenied: User: arn:aws:iam::111111111111:user/[email protected] is not authorized to access this resource
    status code: 403, request id: SOMEID

I can't post trace log due to amount of data I have to strip. I get this error on account with multiple roles. terraforming r53z --tfstate works fine.


All 11 comments

Hi @hryamzik sorry you're having trouble here. Can you please clarify what you mean here?

> I get this error on account with multiple roles.

Does this mean you need to assume an IAM role from the credentials during import? To accomplish this, I believe you would need to set up a provider configuration with the assume_role configuration block set. If your AWS provider also has an alias configuration set, then during import add -provider=aws.ALIAS (where ALIAS is the alias name).

Hope this helps!
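The setup suggested in the comment above, as an added example that is not part of the original thread or the provider's documentation: an aliased provider with an explicit `assume_role` block, so the import does not depend on a `role_arn` entry in the shared AWS profile. The alias `dns`, the profile name, the region, the role ARN and the session name are placeholders assumed for illustration; the resource is the one from the issue body, in Terraform 0.11 syntax.

```hcl
# Added example (Terraform 0.11 syntax). All names and ARNs are placeholders.

# Aliased provider that assumes the role explicitly instead of relying on
# a role_arn line in ~/.aws/config being honoured.
provider "aws" {
  alias   = "dns"          # hypothetical alias name
  region  = "us-east-1"    # assumed region
  profile = "base-profile" # hypothetical profile holding the user credentials

  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/EXAMPLE-ROUTE53-ROLE" # placeholder
    session_name = "terraform-route53-import"                            # placeholder
  }
}

# The zone from the issue, bound to the aliased provider.
resource "aws_route53_zone" "test-com-public" {
  provider = "aws.dns"
  name     = "test.com"
  comment  = "HostedZone created by Route53 Registrar"

  tags {
  }
}

# Import through the aliased provider, as described in the comment:
#
#   terraform import -provider=aws.dns aws_route53_zone.test-com-public SOMEZONEID
#
# SOMEZONEID must be the Hosted Zone ID shown on the hosted zone itself.
#
# If AccessDenied still names the IAM user ARN rather than an assumed-role
# ARN, the request was made with the base credentials and the role was not
# assumed.
```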

Hi @bflad! I have two accounts, one of them has a role_arn statement in settings. Terraform works fine with both and I have a lot of things set up using both profiles. However, when I tried to run import I faced this permission error. I don't have any issues importing with terraforming, so it doesn't seem to be a configuration or permission issue.

I've talked to AWS support and they told me requests were made under the main account (ignoring the role_arn setting in the profile). I'm going to hide user-related data from the trace and put it here later today.

So looks like that's a duplicate for #758

This issue can be closed as a duplicate for several others.

@hryamzik okay thanks for the heads up, I'll close this issue then. 👍

@hryamzik did you ever find a workaround for this issue? I am also attempting to import an existing Route53 hosted zone and receiving permission errors.

@hryamzik you can ignore my request. It turns out my issue was likely unrelated. While attempting to import an existing Route53 record, I mistakenly used the Alias Hosted Zone ID (found on an individual record) instead of the Hosted Zone ID (found on the hosted zone).

Hi,
I've encountered the same behavior on the version 11.11

Error: Error refreshing state: 1 error(s) occurred:

aws_route53_zone.internal_zone: 1 error(s) occurred:

aws_route53_zone.internal_zone: aws_route53_zone.internal_zone: error getting Route53 Hosted Zone (AAAAAAAAAAAAAA): AccessDenied: User: arn:aws:iam::1111111111111:user/name.lastname is not authorized to access this resource
status code: 403, request id: 0e1691f3-1f47-11e9-a68f-65bae6df7e6b

still happening! please reopen

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
