UPDATE:
The problem was that I was not using the right zone Id in the POST, or for the alias target. The request format below works, but two key things are needed:
- You need to retrieve the zone ID for your domain from Route 53 first and then include that in your post to create the record set.
- In the AliasTarget, the HostedZoneID must match the Route 53 value from https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region. Do not use your domain's zone ID. You must use the zone ID of the S3 endpoint from the reference document.
PROBLEM
I was getting AccessDenied ((403) Forbidden) when trying to upload a resource record set. What's made this so vexing is that different reference pages conflict with each other a bit on the exact structure and content of the request. I've tried many different formats and data element combinations.
The user has AmazonRoute53FullAccess, and I also added an in-line policy with additional granular Route 53 permissions (on all resources) just in case for some reason the FullAccess was missing something that's needed for this.
My scenario is that I have an S3 bucket (example.com) and am trying to set static web hosting. I created the zone programmatically with the same credentials, so I know that:
- My credentials work, at least partly, and
- There should be no question as to ownership since the same credentials created the zone as are trying to subsequently upload a record set to it.
I have used the following data, and have tried using both the actual ZoneID as seen in Route 53 as well as the bucket endpoint (see below).
REQUEST
<ChangeResourceRecordSetsRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/">
  <ChangeBatch>
    <Changes>
      <Change>
        <Action>UPSERT</Action>
        <ResourceRecordSet>
          <Name>example.com</Name>
          <Type>A</Type>
          <AliasTarget>
            <HostedZoneId>S3ZoneID</HostedZoneId>
            <DNSName>example.com.s3-website-us-east-1.amazonaws.com</DNSName>
            <EvaluateTargetHealth>false</EvaluateTargetHealth>
          </AliasTarget>
          <HealthCheckID></HealthCheckID>
        </ResourceRecordSet>
      </Change>
    </Changes>
  </ChangeBatch>
</ChangeResourceRecordSetsRequest>
RESPONSE:
<ErrorResponse xmlns="https://route53.amazonaws.com/doc/2010-10-01/"><Error><Type>Sender</Type><Code>AccessDenied</Code><Message>User: arn:aws:iam::1234567890:user/[******] is not authorized to perform: ChangeResourceRecordSets on resource: arn:aws:route53:::hostedzone/lofahasatehum.com</Message></Error><RequestId>6c871224-6859-11e9-b17f-799576e9e9c3</RequestId></ErrorResponse>
P.S. The actual domain isn't registered, but that shouldn't affect this operation.
Edited by: technonaut on Apr 28, 2019 6:48 AM
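The two rules from the update, as an added Python example that is not part of the original post: the POST path carries the domain's own hosted zone ID, while AliasTarget.HostedZoneId carries the S3 website endpoint's zone ID, and a domain name passed where a zone ID belongs (the mistake visible in the error's "hostedzone/lofahasatehum.com" resource) is rejected before anything is sent. The endpoint zone ID is a placeholder; the real value comes from the AWS endpoints page linked above.

```python
import re
import xml.etree.ElementTree as ET

NS = "https://route53.amazonaws.com/doc/2013-04-01/"
ET.register_namespace("", NS)  # serialize with a default xmlns like the request above

# Placeholder only: take the real S3 website endpoint zone ID for your region from
# the AWS endpoints page linked in the update. It is never your domain's zone ID.
S3_WEBSITE_ENDPOINT_ZONE_ID = "ZS3ENDPOINTPLACEHOLDER"


def _zone_id(value: str) -> str:
    """Accept 'Z1ABC...' or '/hostedzone/Z1ABC...' and return the bare ID.
    Hosted zone IDs are uppercase alphanumerics, so a domain name such as
    'example.com' is rejected here instead of surfacing as an AccessDenied."""
    zid = value.rstrip("/").split("/")[-1]
    if not re.fullmatch(r"[A-Z0-9]+", zid):
        raise ValueError(f"not a Route 53 hosted zone ID: {value!r}")
    return zid


def rrset_path(domain_zone_id: str) -> str:
    """URL path the change batch is POSTed to: the domain's own hosted zone."""
    return f"/2013-04-01/hostedzone/{_zone_id(domain_zone_id)}/rrset"


def build_alias_upsert(domain: str, domain_zone_id: str,
                       website_endpoint: str, endpoint_zone_id: str) -> str:
    """Return the ChangeResourceRecordSets body for an A alias to an S3 website endpoint."""
    if _zone_id(endpoint_zone_id) == _zone_id(domain_zone_id):
        raise ValueError("AliasTarget.HostedZoneId must be the S3 endpoint's zone, not the domain's")
    q = lambda tag: f"{{{NS}}}{tag}"
    root = ET.Element(q("ChangeResourceRecordSetsRequest"))
    change = ET.SubElement(ET.SubElement(ET.SubElement(root, q("ChangeBatch")),
                                         q("Changes")), q("Change"))
    ET.SubElement(change, q("Action")).text = "UPSERT"
    rrset = ET.SubElement(change, q("ResourceRecordSet"))
    ET.SubElement(rrset, q("Name")).text = domain
    ET.SubElement(rrset, q("Type")).text = "A"
    alias = ET.SubElement(rrset, q("AliasTarget"))
    ET.SubElement(alias, q("HostedZoneId")).text = _zone_id(endpoint_zone_id)
    ET.SubElement(alias, q("DNSName")).text = website_endpoint
    ET.SubElement(alias, q("EvaluateTargetHealth")).text = "false"
    return ET.tostring(root, encoding="unicode")


def request_summary(body: str) -> dict:
    """Parse a request body back into the fields worth eyeballing before sending it."""
    root = ET.fromstring(body)
    get = lambda tag: root.find(f".//{{{NS}}}{tag}").text
    return {"name": get("Name"), "type": get("Type"),
            "alias_zone": get("HostedZoneId"), "dns_name": get("DNSName")}
```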