
aws IAM role is not authorized to perform: route53:ListHostedZones

When I try to deploy a Terraform script using a GitLab runner, I get the following error:

Error: Error finding Route 53 Hosted Zone: AccessDenied: User: arn:aws:sts::12345678:assumed-role/dev-runner/i-01b2f123f1e1a127c is not authorized to perform: route53:ListHostedZones because no identity-based policy allows the route53:ListHostedZones action

The IAM role that is attached to the runner has the following policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "*",
                "Resource": [
                    "arn:aws:route53:::*"
                ]
            }
        ]
    }

What am I missing here? All actions are allowed on the arn:aws:route53:::* resource.


  • Try checking the role with the AWS Policy Simulator.

    Here is the error it raises for your role:

    This action does not support resource-level permissions. Policies granting access must specify "*" in the resource element.

    Resource should be "Resource": "*" to be able to run ListHostedZones. However, in this case the permissions will be totally insecure, so I recommend separating the statements:

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": [
                        "route53:ListHostedZones",
                        ... any other specific permissions for R53 ...
                    ],
                    "Resource": "*"
                },
                {
                    "Sid": "VisualEditor1",
                    "Effect": "Allow",
                    "Action": "*",
                    "Resource": [
                        "arn:aws:route53:::*"
                    ]
                }
            ]
        }

    And just a personal opinion: using wildcard * actions without at least specifying a service (route53:*) does not look like a good idea.
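As an added example (not code from the question, the answer, or AWS), here is a small offline evaluator that models the IAM rule the Policy Simulator reports above: a request for an action that does not support resource-level permissions carries no ARN, so only a Resource element of "*" can match it. The two policies are reconstructed from the question and the answer (with the answer's second statement narrowed to route53:* as its closing note recommends), the NO_RESOURCE_LEVEL_ACTIONS table is a constructed partial list rather than an AWS-published one, and the hosted-zone ID Z0000EXAMPLE is made up. Running it shows Deny for ListHostedZones under the runner's policy and Allow under the split policy, and find_unreachable_grants() flags the actions a policy names but can never grant.

```python
"""Offline model of the IAM evaluation rule behind this error: an action that
does not support resource-level permissions only matches Resource "*".
Added example for this page; it is not AWS code and not the Policy Simulator,
and it models only Allow/Deny, Action and Resource (no NotAction, NotResource
or Condition)."""
import re

# Constructed, deliberately short table of actions that do not support
# resource-level permissions (an assumption for this example, not an
# AWS-published list). IAM treats a request for such an action as if its
# resource were "*", so only a Resource element of "*" can match.
NO_RESOURCE_LEVEL_ACTIONS = {
    "route53:ListHostedZones",  # the action from the question
    "s3:ListAllMyBuckets",
}


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, target):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, target) is not None


def _action_matches(stmt, action):
    # Action names are case-insensitive in IAM.
    return any(_glob(p.lower(), action.lower()) for p in _as_list(stmt["Action"]))


def _resource_matches(stmt, resource):
    # Resource ARNs are compared case-sensitively.
    return any(_glob(p, resource) for p in _as_list(stmt["Resource"]))


def evaluate(policy, action, resource):
    """Decide 'Allow' or 'Deny' for one request against one identity policy.
    An explicit Deny wins; with no matching Allow the result is an implicit Deny."""
    if action in NO_RESOURCE_LEVEL_ACTIONS:
        resource = "*"  # the request carries no specific ARN for this action
    decision = "Deny"
    for stmt in _as_list(policy["Statement"]):
        if not (_action_matches(stmt, action) and _resource_matches(stmt, resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def find_unreachable_grants(policy):
    """Actions from the table that an Allow statement names in its Action
    element but that the policy still denies, because no matching Allow has
    Resource "*". This is exactly the defect in the runner's policy."""
    flagged = []
    for action in sorted(NO_RESOURCE_LEVEL_ACTIONS):
        named = any(s["Effect"] == "Allow" and _action_matches(s, action)
                    for s in _as_list(policy["Statement"]))
        if named and evaluate(policy, action, "*") == "Deny":
            flagged.append(action)
    return flagged


# The runner's policy as reconstructed from the question: every action, but
# only on Route 53 ARNs.
RUNNER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": "*", "Resource": ["arn:aws:route53:::*"]},
    ],
}

# The split policy from the answer: the wildcard-resource statement carries
# only the action that needs it; the second statement is narrowed to
# route53:* as the answer's closing note recommends.
SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["route53:ListHostedZones"], "Resource": "*"},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": "route53:*", "Resource": ["arn:aws:route53:::*"]},
    ],
}


if __name__ == "__main__":
    zone = "arn:aws:route53:::hostedzone/Z0000EXAMPLE"  # constructed zone ID
    for name, policy in (("runner", RUNNER_POLICY), ("split", SPLIT_POLICY)):
        print(f"{name}: ListHostedZones -> {evaluate(policy, 'route53:ListHostedZones', '*')}, "
              f"GetHostedZone -> {evaluate(policy, 'route53:GetHostedZone', zone)}, "
              f"unreachable grants -> {find_unreachable_grants(policy)}")
```

The runner's policy still allows per-zone calls such as route53:GetHostedZone, which is why the role "looks" right in the console; the lint catches the one class of action the ARN-scoped statement can never reach.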