Route53 getHostedZone AccessDenied. User doesn't have permission to call route53:GetHostedZone

I'm creating an AWS Cloudformation stack in which I'm adding a recordset to an existing Route53 Hosted Zone. The resource is specified as follows (in YAML format):

DNS:
    Type: AWS::Route53::RecordSetGroup
    Properties:
        HostedZoneName: !Ref HostedZoneName
        Comment: Zone apex alias targeted to myELB LoadBalancer.
        RecordSets:
        - Name: !Join [ ".", ["alb", !Ref HostedZoneName]]
          Type: A
          AliasTarget:
              HostedZoneId: !Ref AliasTargetHostedZoneId
              DNSName: !Ref AliasTargetDNSName

HostedZoneName, AliasTargetHostedZoneId and AliasTargetDNSName are passed in as parameters.

The problem I have is that the stack will not create because of the permission error specified in the title. By default CloudFormation will use the permissions of the user creating the stack, me. I have got the AdministratorAccess policy, so I should be allowed to do everything, including all Route53 operations.

I've also tried creating the stack by passing an IAM role which also has the AdministratorAccess policy, which gave me the same error.

All other resources specified in the template (VPC, Loadbalancer, RDS,..) create without problems.

Robin-Hoodie asked Jan 10 '18 09:01


1 Answer

It's important to define and pass the correct HostedZoneId into the template.

As you're having admin privileges while executing the CloudFormation scripts, you should be able to add a recordset to a Route53 hosted zone in your account without specifying any additional roles / profiles.

However, you need to ensure that the correct HostedZoneId is passed. This is typically done either as a String, or using the CanonicalHostedZoneID attribute of the load balancer.

When passing it as a string you'll need to ensure that the parameter type is String, and not AWS::Route53::HostedZone::Id.

ddewaele answered Sep 29 '22 17:09
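The parameter-type point from the answer, as an added template (not from the question or the answer above). It assumes the load balancer already exists and that its CanonicalHostedZoneID and DNSName are passed in as plain String parameters; the parameter names are assumptions. CloudFormation validates an AWS::Route53::HostedZone::Id parameter by looking the zone up in the calling account, and the load balancer's canonical hosted zone is owned by AWS, not by the account, which is why that type fails even with AdministratorAccess.

```yaml
# Added example, not the original poster's template. Parameter names are assumed.
AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  HostedZoneName:
    Type: String
    Description: Route53 hosted zone you own, with trailing dot (e.g. example.com.)

  # Wrong: this type makes CloudFormation validate the value against the hosted
  # zones in YOUR account (route53:GetHostedZone). The ALB's canonical zone is
  # AWS-owned, so validation fails with AccessDenied regardless of IAM policy.
  #
  # AliasTargetHostedZoneId:
  #   Type: AWS::Route53::HostedZone::Id

  # Right: a plain String is passed through to the RecordSet untouched.
  AliasTargetHostedZoneId:
    Type: String
    Description: CanonicalHostedZoneID attribute of the existing ALB

  AliasTargetDNSName:
    Type: String
    Description: DNSName attribute of the existing ALB

Resources:
  DNS:
    Type: AWS::Route53::RecordSetGroup
    Properties:
      HostedZoneName: !Ref HostedZoneName
      Comment: Alias record for the ALB in a zone owned by this account
      RecordSets:
        - Name: !Join [".", ["alb", !Ref HostedZoneName]]
          Type: A
          AliasTarget:
            HostedZoneId: !Ref AliasTargetHostedZoneId
            DNSName: !Ref AliasTargetDNSName
```

If the load balancer is defined in the same template as a resource (say MyALB), the two AliasTarget values can instead come straight from it with `!GetAtt MyALB.CanonicalHostedZoneID` and `!GetAtt MyALB.DNSName`, which avoids the parameter altogether.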