The error
User: arn:aws:sts::[redacted]:assumed-role/laravel-vapor-role/vapor-[redacted]-platform-staging-queue is not authorized to perform: route53:ChangeResourceRecordSets on resource: arn:aws:route53:::hostedzone/[redacted]
My role
{
  "permissionsBoundary": {},
  "roleName": "laravel-vapor-role",
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "ec2:CreateNetworkInterface",
              "ec2:DeleteNetworkInterface",
              "ec2:DescribeNetworkInterfaces",
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:FilterLogEvents",
              "logs:PutLogEvents",
              "ssm:GetParameters",
              "ssm:GetParameter",
              "lambda:invokeFunction",
              "s3:*",
              "ses:*",
              "sqs:*",
              "dynamodb:*",
              "route53domains:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
        ]
      },
      "name": "laravel-vapor-role-policy",
      "type": "inline"
    }
  ],
  "trustedEntities": [
    "apigateway.amazonaws.com",
    "lambda.amazonaws.com"
  ]
}
Answer
Your policy does not include route53:ChangeResourceRecordSets:
Grants permission to create, update, or delete a record, which contains authoritative DNS information for a specified domain or subdomain name
You only have "route53domains:*" permissions, but you don’t have route53:* nor route53:ChangeResourceRecordSets.
ChangeResourceRecordSets is from route53, not from route53domains.
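The service-prefix mismatch described in this answer can be checked offline. The following is an added example, not part of the original question or answer: a simplified matcher that compares only the Action patterns of Allow statements (it ignores Resource, Condition, NotAction, explicit Deny and permissions boundaries). The function names and the patched statement with its placeholder hosted zone ID are assumptions made for illustration.

```python
import copy
import re

# Inline policy from the question (laravel-vapor-role-policy).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Resource": "*",
        "Action": [
            "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface",
            "ec2:DescribeNetworkInterfaces", "logs:CreateLogGroup",
            "logs:CreateLogStream", "logs:FilterLogEvents", "logs:PutLogEvents",
            "ssm:GetParameters", "ssm:GetParameter", "lambda:invokeFunction",
            "s3:*", "ses:*", "sqs:*", "dynamodb:*", "route53domains:*",
        ],
    }],
}
DENIED_ACTION = "route53:ChangeResourceRecordSets"  # from the error message

def action_matches(pattern, action):
    """IAM action patterns: case-insensitive, '*' = any run, '?' = one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def allowing_patterns(policy, action):
    """Action patterns in Allow statements that cover `action` (Action only)."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        hits.extend(p for p in actions if action_matches(p, action))
    return hits

# Patched copy: one extra statement granting only the missing action.
# The hosted zone ID is a placeholder; the real one is redacted on the page.
PATCHED_POLICY = copy.deepcopy(ROLE_POLICY)
PATCHED_POLICY["Statement"].append({
    "Effect": "Allow",
    "Action": "route53:ChangeResourceRecordSets",
    "Resource": "arn:aws:route53:::hostedzone/PLACEHOLDER_ZONE_ID",
})

if __name__ == "__main__":
    print("original:", allowing_patterns(ROLE_POLICY, DENIED_ACTION))
    print("patched: ", allowing_patterns(PATCHED_POLICY, DENIED_ACTION))
```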