Although the role has route53Domains:* in its policy, ChangeResourceRecordSets returns 403

Problem description

Error

User: arn:aws:sts::[redacted]:assumed-role/laravel-vapor-role/vapor-[redacted]-platform-staging-queue is not authorized to perform: route53:ChangeResourceRecordSets on resource: arn:aws:route53:::hostedzone/[redacted]

My role

{
  "permissionsBoundary": {},
  "roleName": "laravel-vapor-role",
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "ec2:CreateNetworkInterface",
              "ec2:DeleteNetworkInterface",
              "ec2:DescribeNetworkInterfaces",
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:FilterLogEvents",
              "logs:PutLogEvents",
              "ssm:GetParameters",
              "ssm:GetParameter",
              "lambda:invokeFunction",
              "s3:*",
              "ses:*",
              "sqs:*",
              "dynamodb:*",
              "route53domains:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
        ]
      },
      "name": "laravel-vapor-role-policy",
      "type": "inline"
    }
  ],
  "trustedEntities": [
    "apigateway.amazonaws.com",
    "lambda.amazonaws.com"
  ]
}

Solution

Your policy does not include route53:ChangeResourceRecordSets:

    Grants permission to create, update, or delete a record, which contains authoritative DNS information for a specified domain or subdomain name

You only have the "route53domains:*" permission, but you do not have route53:* or route53:ChangeResourceRecordSets.

ChangeResourceRecordSets belongs to route53, not route53domains.
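To make the service-prefix point concrete, here is an added example; it is not part of the original question or answer, and it is not AWS's own policy evaluation engine. It is a deliberately small evaluator for the Allow side of an IAM identity policy (no Deny, NotAction, conditions or permissions boundaries) run over the policy from the question and over a fixed version that adds the route53 action scoped to a single hosted zone. The hosted zone ID Z0000000EXAMPLE is a placeholder, since the real one is redacted above.

```python
"""Added illustration (not AWS's evaluation engine and not the asker's code):
a small evaluator for the Allow side of an IAM identity policy, enough to show
why an action under the route53domains service prefix never authorizes
route53:ChangeResourceRecordSets. It ignores Deny, NotAction, conditions and
permissions boundaries."""
import re


def _glob_to_regex(pattern: str, ignore_case: bool) -> "re.Pattern[str]":
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE if ignore_case else 0)


def action_matches(pattern: str, action: str) -> bool:
    # Actions compare case-insensitively (so "lambda:invokeFunction" works),
    # but the service prefix before ':' is part of the string, so
    # "route53domains:*" cannot match anything in the "route53" service.
    return _glob_to_regex(pattern, ignore_case=True).match(action) is not None


def resource_matches(pattern: str, arn: str) -> bool:
    # Resource ARNs compare case-sensitively.
    return _glob_to_regex(pattern, ignore_case=False).match(arn) is not None


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches both the action and the resource."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if any(resource_matches(p, resource) for p in _as_list(stmt.get("Resource", []))):
            return True
    return False


# The inline policy from the question, trimmed to the actions relevant here.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["lambda:invokeFunction", "s3:*", "route53domains:*"],
            "Resource": "*",
        }
    ],
}

# Hypothetical hosted zone ID; the real one is redacted in the question.
ZONE_ARN = "arn:aws:route53:::hostedzone/Z0000000EXAMPLE"
ACTION = "route53:ChangeResourceRecordSets"

# The fix: grant the route53 action, scoped to the one hosted zone that needs
# to be written to, instead of adding route53:* on "*".
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": ORIGINAL_POLICY["Statement"]
    + [
        {
            "Effect": "Allow",
            "Action": ["route53:ChangeResourceRecordSets"],
            "Resource": [ZONE_ARN],
        }
    ],
}


def diagnose(action: str = ACTION, resource: str = ZONE_ARN) -> dict:
    """Summarize which policy allows the failing call; returned for inspection."""
    return {
        "original_allows": is_allowed(ORIGINAL_POLICY, action, resource),
        "fixed_allows": is_allowed(FIXED_POLICY, action, resource),
        "route53domains_wildcard_matches": action_matches("route53domains:*", action),
        "route53_wildcard_matches": action_matches("route53:*", action),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

The design choice worth copying into the real policy is the scoped Resource on the added statement: ChangeResourceRecordSets accepts a hosted zone ARN, so there is no reason to grant it on "*", and a wildcard route53:* would also hand the role zone creation and deletion it does not need.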