
403 on ChangeResourceRecordSets despite the role having route53Domains:* in the policy

The error

User: arn:aws:sts::[redacted]:assumed-role/laravel-vapor-role/vapor-[redacted]-platform-staging-queue is not authorized to perform: route53:ChangeResourceRecordSets on resource: arn:aws:route53:::hostedzone/[redacted]

My role

{
  "permissionsBoundary": {},
  "roleName": "laravel-vapor-role",
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "ec2:CreateNetworkInterface",
              "ec2:DeleteNetworkInterface",
              "ec2:DescribeNetworkInterfaces",
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:FilterLogEvents",
              "logs:PutLogEvents",
              "ssm:GetParameters",
              "ssm:GetParameter",
              "lambda:invokeFunction",
              "s3:*",
              "ses:*",
              "sqs:*",
              "dynamodb:*",
              "route53domains:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
        ]
      },
      "name": "laravel-vapor-role-policy",
      "type": "inline"
    }
  ],
  "trustedEntities": [
    "apigateway.amazonaws.com",
    "lambda.amazonaws.com"
  ]
}


Answer

Your policy does not include route53:ChangeResourceRecordSets:

Grants permission to create, update, or delete a record, which contains authoritative DNS information for a specified domain or subdomain name

You only have "route53domains:*" permissions, but you don’t have route53:* or route53:ChangeResourceRecordSets.

ChangeResourceRecordSets is from route53, not from route53domains.
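As an added example that is not part of the question or the answer above (and not Laravel Vapor's code), the following script is a small offline approximation of IAM action and resource matching. It shows why the `route53domains:*` action in the posted policy never matches `route53:ChangeResourceRecordSets` (the service prefix before the colon is part of the action name), and it carries a least-privilege replacement statement that grants only the record-set operations, restricted to one hosted zone. The hosted zone ID `Z0EXAMPLE` is a placeholder because the question redacts the real one; the matcher only evaluates Allow statements with Action and Resource and ignores Deny, NotAction, Condition, permissions boundaries and resource policies.

```python
# Added example, not code from the question, the answer or Laravel Vapor.
# Offline approximation of IAM action/resource matching: shows why
# "route53domains:*" never grants route53:ChangeResourceRecordSets and
# what a least-privilege statement that does grant it looks like.
# Z0EXAMPLE is a placeholder hosted zone ID (the question redacts the real one).
# Simplifications: only Allow statements with Action and Resource are
# evaluated; Deny, NotAction, Condition, permissions boundaries and
# resource policies are ignored.
import fnmatch
import json

HOSTED_ZONE_ARN = "arn:aws:route53:::hostedzone/Z0EXAMPLE"  # placeholder

# The Route 53-related part of the statement from the question: the
# service prefix is route53domains (domain registration), not route53 (DNS).
ORIGINAL_STATEMENT = {
    "Effect": "Allow",
    "Action": ["route53domains:*"],
    "Resource": "*",
}

# Least-privilege replacement: the route53 service prefix, only the two
# record-set operations, limited to a single hosted zone ARN.
FIXED_STATEMENT = {
    "Effect": "Allow",
    "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets",
    ],
    "Resource": HOSTED_ZONE_ARN,
}

ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [ORIGINAL_STATEMENT]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [FIXED_STATEMENT]}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)


def _glob(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' one character.
    return fnmatch.fnmatchcase(value, pattern)


def statement_allows(statement: dict, action: str, resource: str) -> bool:
    """True if a single Allow statement covers `action` on `resource`.

    Action names are case-insensitive in IAM, so both sides are lowered.
    The pattern is matched against the whole "service:Operation" string,
    which is why "route53domains:*" cannot match "route53:ChangeResourceRecordSets".
    Resource ARNs are compared case-sensitively.
    """
    if statement.get("Effect") != "Allow":
        return False
    action_ok = any(
        _glob(p.lower(), action.lower()) for p in _as_list(statement["Action"])
    )
    resource_ok = any(_glob(p, resource) for p in _as_list(statement["Resource"]))
    return action_ok and resource_ok


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """True if any statement in the policy document allows the request."""
    return any(statement_allows(s, action, resource) for s in policy["Statement"])


def diagnose(policy: dict, action: str, resource: str) -> str:
    """One-line verdict, phrased like the AccessDenied message in the question."""
    if policy_allows(policy, action, resource):
        return f"allowed: {action} on {resource}"
    return f"not authorized to perform: {action} on resource: {resource}"


if __name__ == "__main__":
    action = "route53:ChangeResourceRecordSets"
    other_zone = "arn:aws:route53:::hostedzone/Z0OTHERZONE"  # placeholder
    print("original policy:  ", diagnose(ORIGINAL_POLICY, action, HOSTED_ZONE_ARN))
    print("fixed policy:     ", diagnose(FIXED_POLICY, action, HOSTED_ZONE_ARN))
    print("fixed, other zone:", diagnose(FIXED_POLICY, action, other_zone))
    print(json.dumps(FIXED_STATEMENT, indent=2))
```

The matcher is only a teaching aid; the real check against the live IAM engine is `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names route53:ChangeResourceRecordSets --resource-arns <hosted zone ARN>`, which also accounts for the permissions boundary and any Deny statements that this script ignores.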

User contributions licensed under: CC BY-SA