The error occurs because associating a VPC with a private hosted zone across accounts in Amazon Route 53 requires both IAM permissions and an explicit authorization from the hosted zone owner. In addition to having the route53:AssociateVPCWithHostedZone permission on your IAM role, you must create a VPC association authorization in the account that owns the hosted zone. Here is more info: https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html
This is a common error when associating a Route 53 Private Hosted Zone with a VPC that lives in a different AWS account. The key phrase in the error is "no resource-based policy allows the route53:AssociateVPCWithHostedZone action".
Here's what's happening and how to fix it:
Cross-Account Private Hosted Zone Association
When the VPC and the Private Hosted Zone are in different accounts, you need a two-step authorization process:
Step 1 — From the Hosted Zone account, create an authorization:

```bash
aws route53 create-vpc-association-authorization \
  --hosted-zone-id Z1234567890ABC \
  --vpc VPCRegion=<region>,VPCId=vpc-oooooooo
```

This grants the VPC's account permission to associate.

Step 2 — From the VPC account, perform the association:

```bash
aws route53 associate-vpc-with-hosted-zone \
  --hosted-zone-id Z1234567890ABC \
  --vpc VPCRegion=<region>,VPCId=vpc-oooooooo
```

Step 3 (cleanup) — From the Hosted Zone account, delete the authorization after association succeeds:

```bash
aws route53 delete-vpc-association-authorization \
  --hosted-zone-id Z1234567890ABC \
  --vpc VPCRegion=<region>,VPCId=vpc-oooooooo
```
If both are in the same account
Then the issue is IAM permissions. The role privatezone-as-AWS679f needs:
```json
{
  "Effect": "Allow",
  "Action": [
    "route53:AssociateVPCWithHostedZone",
    "ec2:DescribeVpcs"
  ],
  "Resource": "*"
}
```
The ec2:DescribeVpcs permission is also required for the association call to succeed.
- The authorization in Step 1 must be created before Step 2 — there's no resource-based policy on the hosted zone by default.
- If using CloudFormation/CDK, you may need a Custom Resource to handle the cross-account authorization flow since AWS::Route53::HostedZoneVPCAssociation doesn't natively support cross-account.
- The VPC must not already be associated with another private hosted zone that has the same domain name.
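Putting the three steps above together, as an added example (not the answer's own code): a POSIX shell script that runs the flow with two AWS CLI profiles, checks whether the authorization already exists before creating it, and classifies an AccessDenied reply so the missing cross-account authorization can be told apart from a plain IAM gap. The profile names, region, IDs and the `--run` guard are assumptions.

```shell
#!/bin/sh
# Added example (not the answer's code): run the cross-account flow with two
# CLI profiles; profile names, region and IDs are assumed placeholders.
set -eu

ZONE_PROFILE="${ZONE_PROFILE:-hosted-zone-account}"  # assumed: account that owns the zone
VPC_PROFILE="${VPC_PROFILE:-vpc-account}"            # assumed: account that owns the VPC
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-Z1234567890ABC}"
VPC_ID="${VPC_ID:-vpc-oooooooo}"
VPC_REGION="${VPC_REGION:-us-east-1}"                # assumed region

# Tell the two failure modes apart using AWS's standard AccessDenied wording:
# "resource-based" -> the zone owner has not created the VPC association
# authorization; "identity-based" -> the caller's own IAM policy lacks the action.
classify_association_error() {
  case "$1" in
    *"no resource-based policy allows the route53:AssociateVPCWithHostedZone"*)
      echo missing-vpc-association-authorization ;;
    *"no identity-based policy allows the route53:AssociateVPCWithHostedZone"*)
      echo missing-iam-permission ;;
    *) echo other ;;
  esac
}

# Succeeds when the zone account already lists this VPC as authorized.
authorization_exists() {
  aws route53 list-vpc-association-authorizations --profile "$ZONE_PROFILE" \
    --hosted-zone-id "$HOSTED_ZONE_ID" \
    --query "VPCs[?VPCId=='$VPC_ID'] | length(@)" --output text | grep -qv '^0$'
}

associate_cross_account() {
  vpc_arg="VPCRegion=$VPC_REGION,VPCId=$VPC_ID"
  if ! authorization_exists; then        # Step 1, only if not already done
    aws route53 create-vpc-association-authorization --profile "$ZONE_PROFILE" \
      --hosted-zone-id "$HOSTED_ZONE_ID" --vpc "$vpc_arg"
  fi
  if ! out=$(aws route53 associate-vpc-with-hosted-zone --profile "$VPC_PROFILE" \
      --hosted-zone-id "$HOSTED_ZONE_ID" --vpc "$vpc_arg" 2>&1); then   # Step 2
    echo "association failed: $(classify_association_error "$out")" >&2
    echo "$out" >&2
    return 1
  fi
  aws route53 delete-vpc-association-authorization --profile "$ZONE_PROFILE" \
    --hosted-zone-id "$HOSTED_ZONE_ID" --vpc "$vpc_arg"                # Step 3 cleanup
}

# Only touch AWS when asked, so the functions can be sourced or tested offline.
if [ "${1:-}" = "--run" ]; then associate_cross_account; fi
```

Run it as `sh associate.sh --run` from a shell that has both profiles configured; a failure prints the classification followed by the raw CLI error.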
You need to grant the IAM role explicit permission for the route53:AssociateVPCWithHostedZone action, and, in cross-account scenarios, use CreateVPCAssociationAuthorization.
https://docs.aws.amazon.com/Route53/latest/APIReference/route53-apiref.pdf
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/specifying-conditions-route53.html
