Trying to create an SSL certificate using Amazon Certificate Manager, as per here -

https://medium.com/swlh/aws-website-hosting-with-cloudformation-guide-36cac151d1af

I have a deployment user with the following policy -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:*",
                "s3:*",
                "route53:*",
                "acm:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

But when I deploy I get the following -

API: certificatemanager:changeResourceRecordSets User #{my_IAM_deploy_user} is not authorized to access this resource

How come I am getting this error despite `acm:*` access?

(wondering if related to Why changeResourceRecordSets gets not authorized to access this resource? but can't see exactly how)

(Cloudformation template below)

---
AWSTemplateFormatVersion: '2010-09-09'
Description: cloudfront-route53-demo-cert
Parameters:
  DomainName:
    Type: String
  HostedZoneId:
    Type: String
    Default: Z1BKCTXD74EZPE  # eu-west-1; https://docs.aws.amazon.com/general/latest/gr/s3.html#s3_website_region_endpoints
Outputs:
  CertificateARN:
    Value:
      Ref: Certificate  # returns ARN
Resources:
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName:
        Ref: DomainName
      DomainValidationOptions:
        - DomainName:
            Ref: DomainName
          HostedZoneId:
            Ref: HostedZoneId
      ValidationMethod: DNS
  • `changeResourceRecordSets` is related to AWS Route 53. Is your AWS CFN template modifying an AWS Route 53 RecordSet? If yes, then your IAM user will need permission to perform the action `route53:ChangeResourceRecordSets`. – amitd Apr 06 '21 at 14:13
  • As shown above, the IAM user has permissions for both `acm:*` and `route53:*`. – Justin Apr 06 '21 at 14:27
  • Do you have modify access to the HostedZoneId used here? – amitd Apr 06 '21 at 14:36
  • Why would the template want to `ChangeResourceRecordSets`? Is it because the record set is in `eu-west-1` but the certificate needs to be created in `us-east-1`, and the region needs to be changed? – Justin Apr 06 '21 at 15:26

1 Answer

I misunderstood what HostedZoneId was. I thought it was some kind of Route 53 region-specific singleton, but (doh) it turns out it's just the id of a Route 53 HostedZone I had created. Kinda obvious really.

  • I am getting the exact same error in my stack... I don't see how your "Answer" really answered the question. Can you be more specific about what you did to eliminate the error, considering you already have full acm and route53 permissions? – KickinMhl Oct 26 '21 at 18:20
  • @KickinMhl You have to manually create a HostedZone in route53 and copy the HostedZoneId over. – Larry Apr 03 '23 at 01:57
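The failure in this thread comes from pointing `HostedZoneId` at an id copied from the S3 website endpoint table instead of at a hosted zone the deploying account owns, so ACM has nowhere it may write the validation CNAME. The following pre-deployment check is an added example (not code from the question, the answer, or the linked guide); it assumes the zone list has the shape of boto3's `route53.list_hosted_zones()["HostedZones"]`, and the zone ids and names below are constructed sample data so it runs offline.

```python
# Added example: verify that the HostedZoneId handed to
# AWS::CertificateManager::Certificate (DNS validation) is a zone this
# account owns and that the certificate's DomainName lies inside it.
# In real use the zone list comes from
#   boto3.client("route53").list_hosted_zones()["HostedZones"]
# (paginate if the account has more than 100 zones); here it is constructed.

# Constructed sample: the single hosted zone this fictional account owns.
ACCOUNT_HOSTED_ZONES = [
    {"Id": "/hostedzone/ZEXAMPLE123456", "Name": "example.com."},
]


def normalize_zone_id(zone_id: str) -> str:
    """Route 53 returns ids as '/hostedzone/Z...'; templates use the bare 'Z...'."""
    return zone_id.rsplit("/", 1)[-1]


def check_validation_zone(domain_name: str, hosted_zone_id: str, zones: list) -> list:
    """Return a list of problems; an empty list means the parameters look deployable."""
    problems = []
    zone_names_by_id = {normalize_zone_id(z["Id"]): z["Name"] for z in zones}
    zone_name = zone_names_by_id.get(normalize_zone_id(hosted_zone_id))
    if zone_name is None:
        problems.append(
            f"HostedZoneId {hosted_zone_id} is not a hosted zone in this account; "
            "ACM cannot write the DNS validation record there (ids copied from AWS "
            "service endpoint tables belong to AWS-owned zones, not to you)"
        )
        return problems
    # Compare as absolute, lower-cased names; the zone apex itself is allowed.
    fqdn = domain_name.rstrip(".").lower() + "."
    zone = zone_name.lower()
    if fqdn != zone and not fqdn.endswith("." + zone):
        problems.append(f"DomainName {domain_name} is not inside zone {zone_name}")
    return problems


if __name__ == "__main__":
    # The template's own default id (an S3 website endpoint zone) fails the check.
    for problem in check_validation_zone("www.example.com", "Z1BKCTXD74EZPE", ACCOUNT_HOSTED_ZONES):
        print("ERROR:", problem)
    print("ok" if not check_validation_zone("www.example.com", "ZEXAMPLE123456", ACCOUNT_HOSTED_ZONES) else "not ok")
```

Run it before `aws cloudformation deploy`; a non-empty result reproduces the misconfiguration behind the `changeResourceRecordSets` denial without touching the account.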