[SOLVED] AccessDenied on ChangeResourceRecordSets for S3 static website


UPDATE:
The problem was that I was not using the right zone Id in the POST, or for the alias target. The request format below works, but two key things are needed:

  1. You need to retrieve the zone ID for your domain from Route 53 first and then include that in your post to create the record set.
  2. In the AliasTarget, the HostedZoneID must match the Route 53 value from https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region . Do not use your domain's zone ID. You must use the zone ID of the S3 endpoint from the reference document.

PROBLEM
I was getting AccessDenied (403 Forbidden) when trying to upload a resource record set. What's made this so vexing is that different reference pages conflict with each other a bit on the exact structure and content of the request. I've tried many different formats and data element combinations.

The user has AmazonRoute53FullAccess, and I also added an inline policy with additional granular Route 53 permissions (on all resources) just in case for some reason the FullAccess was missing something that's needed for this.

My scenario is that I have an S3 bucket (example.com) and am trying to set up static web hosting. I created the zone programmatically with the same credentials, so I know that:

  1. My credentials work, at least partly, and
  2. There should be no question as to ownership since the same credentials created the zone as are trying to subsequently upload a record set to it.

I have used the following data, and have tried using both the actual ZoneID as seen in Route 53 as well as the bucket endpoint (see below).

REQUEST
<ChangeResourceRecordSetsRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/">
  <ChangeBatch>
    <Changes>
      <Change>
        <Action>UPSERT</Action>
        <ResourceRecordSet>
          <Name>example.com</Name>
          <Type>A</Type>
          <AliasTarget>
            <!-- S3ZoneID is a placeholder for the hosted zone ID of the S3 website
                 endpoint (from the AWS endpoints reference cited in the UPDATE),
                 not the domain's own hosted zone ID -->
            <HostedZoneId>S3ZoneID</HostedZoneId>
            <DNSName>example.com.s3-website-us-east-1.amazonaws.com</DNSName>
            <EvaluateTargetHealth>false</EvaluateTargetHealth>
          </AliasTarget>
          <HealthCheckID></HealthCheckID>
        </ResourceRecordSet>
      </Change>
    </Changes>
  </ChangeBatch>
</ChangeResourceRecordSetsRequest>

RESPONSE:
<ErrorResponse xmlns="https://route53.amazonaws.com/doc/2010-10-01/">
  <Error>
    <Type>Sender</Type>
    <Code>AccessDenied</Code>
    <Message>User: arn:aws:iam::1234567890:user/[******] is not authorized to perform: ChangeResourceRecordSets on resource: arn:aws:route53:::hostedzone/lofahasatehum.com</Message>
  </Error>
  <RequestId>6c871224-6859-11e9-b17f-799576e9e9c3</RequestId>
</ErrorResponse>

P.S. The actual domain isn't registered, but that shouldn't affect this operation.

Edited by: technonaut on Apr 28, 2019 6:48 AM

asked 5 years ago, 1407 views
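The two steps from the UPDATE, carried through in code, as an added example that is not part of the original post or an AWS-provided tool. It looks up the domain's hosted zone ID from a ListHostedZones-shaped list (a constructed sample is embedded; the zone IDs in it are made up), puts that ID in the request path, and puts the S3 website endpoint's hosted zone ID in AliasTarget. The S3 endpoint zone IDs are the values from the endpoints reference the post links to, limited to three regions here; verify them against the current reference before use. The DNSName is the bare regional website endpoint the AWS API reference documents for S3 alias targets, so the bucket must be named exactly like the record (example.com), as in the post. Note that the resource in the post's error message ends in `hostedzone/lofahasatehum.com`, which is a domain name where a zone ID belongs; the ID check below refuses that input before anything is sent.

```python
"""Build a ChangeResourceRecordSets request that aliases a domain to its S3
static-website bucket. Added example, not code from the original post.
Runs offline against a constructed ListHostedZones-shaped list; send the
returned path and body in a SigV4-signed POST to route53.amazonaws.com,
or pass the same values to boto3's change_resource_record_sets."""
import re
import xml.etree.ElementTree as ET

ROUTE53_NS = "https://route53.amazonaws.com/doc/2013-04-01/"
ET.register_namespace("", ROUTE53_NS)  # serialize as a default namespace, as in the post

# Hosted zone IDs of the S3 website endpoints (AWS-owned zones), taken from the
# endpoints reference linked in the post. Assumption: verify them against the
# current reference before use; never substitute your own domain's zone ID here.
S3_WEBSITE_ZONES = {
    "us-east-1": ("s3-website-us-east-1.amazonaws.com", "Z3AQBSTGFYJSTF"),
    "us-west-2": ("s3-website-us-west-2.amazonaws.com", "Z3BJ6K6RIION7M"),
    "eu-west-1": ("s3-website-eu-west-1.amazonaws.com", "Z1BKCTXD74EZPE"),
}

# Route 53 hosted zone IDs are upper-case alphanumerics starting with Z; a
# domain name (as in the error message in the post) will never match this.
ZONE_ID_RE = re.compile(r"^Z[A-Z0-9]+$")

# Constructed sample of the HostedZones list from ListHostedZones; IDs are made up.
CONSTRUCTED_ZONES = [
    {"Id": "/hostedzone/Z0EXAMPLE1234567", "Name": "example.com.", "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/Z0PRIVATE7654321", "Name": "example.com.", "Config": {"PrivateZone": True}},
    {"Id": "/hostedzone/Z0OTHER000000000", "Name": "other.net.", "Config": {"PrivateZone": False}},
]


def normalize(name):
    """Route 53 stores zone and record names lower-case with a trailing dot."""
    return name.lower().rstrip(".") + "."


def find_hosted_zone_id(hosted_zones, domain):
    """Return the bare zone ID (no '/hostedzone/' prefix) of the public zone
    whose name equals the domain. hosted_zones is the 'HostedZones' list from
    ListHostedZones (or boto3's list_hosted_zones)."""
    wanted = normalize(domain)
    matches = [z for z in hosted_zones
               if normalize(z["Name"]) == wanted
               and not z.get("Config", {}).get("PrivateZone", False)]
    if not matches:
        raise LookupError(f"no public hosted zone named {wanted}")
    if len(matches) > 1:
        raise LookupError(f"{len(matches)} public zones named {wanted}; choose the ID explicitly")
    return matches[0]["Id"].rsplit("/", 1)[-1]


def build_s3_alias_change(domain, domain_zone_id, region, action="UPSERT"):
    """Return (request_path, xml_body) for an A alias record that points the
    domain at the S3 website endpoint. The bucket must be named exactly like
    the domain, which is how S3 website hosting routes the request."""
    if not ZONE_ID_RE.match(domain_zone_id):
        raise ValueError(f"{domain_zone_id!r} is not a hosted zone ID; use the ID from ListHostedZones, not the domain name")
    if region not in S3_WEBSITE_ZONES:
        raise ValueError(f"no S3 website endpoint zone recorded for {region}")
    endpoint, s3_zone_id = S3_WEBSITE_ZONES[region]
    if s3_zone_id == domain_zone_id:
        raise ValueError("AliasTarget.HostedZoneId must be the S3 endpoint's zone, not the domain's zone")

    def el(parent, tag, text=None):
        node = ET.SubElement(parent, f"{{{ROUTE53_NS}}}{tag}")
        node.text = text
        return node

    root = ET.Element(f"{{{ROUTE53_NS}}}ChangeResourceRecordSetsRequest")
    change = el(el(el(root, "ChangeBatch"), "Changes"), "Change")
    el(change, "Action", action)
    rrset = el(change, "ResourceRecordSet")
    el(rrset, "Name", normalize(domain))
    el(rrset, "Type", "A")
    alias = el(rrset, "AliasTarget")
    el(alias, "HostedZoneId", s3_zone_id)  # the S3 endpoint's zone, not the domain's
    el(alias, "DNSName", endpoint)
    el(alias, "EvaluateTargetHealth", "false")

    # The domain's zone ID, never the domain name, goes in the request path.
    path = f"/2013-04-01/hostedzone/{domain_zone_id}/rrset"
    return path, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    zone_id = find_hosted_zone_id(CONSTRUCTED_ZONES, "example.com")
    path, body = build_s3_alias_change("example.com", zone_id, "us-east-1")
    print("POST", path)
    print(body)
```

Once the real zone ID is known, the same value is what a least-privilege policy should name: scope `route53:ChangeResourceRecordSets` to `arn:aws:route53:::hostedzone/<ID>` (the ARN shape shown in the post's error message) rather than granting it on all resources as the post's inline policy did.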
2 Answers

Details of the solution were added to the top of the post.

answered 5 years ago

Just a note that the IAM username got mangled when posting so ignore that.

answered 5 years ago
