The error
User: arn:aws:sts::[redacted]:assumed-role/laravel-vapor-role/vapor-[redacted]-platform-staging-queue is not authorized to perform: route53:ChangeResourceRecordSets on resource: arn:aws:route53:::hostedzone/[redacted]
My role
{
"permissionsBoundary": {},
"roleName": "laravel-vapor-role",
"policies": [
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:FilterLogEvents",
"logs:PutLogEvents",
"ssm:GetParameters",
"ssm:GetParameter",
"lambda:invokeFunction",
"s3:*",
"ses:*",
"sqs:*",
"dynamodb:*",
"route53domains:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
},
"name": "laravel-vapor-role-policy",
"type": "inline"
}
],
"trustedEntities": [
"apigateway.amazonaws.com",
"lambda.amazonaws.com"
]
}
Advertisement
Answer
Your policy does not include route53:ChangeResourceRecordSets:
Grants permission to create, update, or delete a record, which contains authoritative DNS information for a specified domain or subdomain name
You only have "route53domains:*" permissions, but you don’t have route53:* nor route53:ChangeResourceRecordSets.
ChangeResourceRecordSets is from route53, not from route53domains.