
Why does changeResourceRecordSets get "not authorized to access this resource"?

I'm trying to create a new record in Route 53 of type Alias to tell Route 53 to use CloudFront to serve the site. I'm trying to do this using the following code:

let options = {
    ChangeBatch: {
        Changes: [{
            Action: "CREATE",
            ResourceRecordSet: {
                AliasTarget: {
                    DNSName: '12kjh31k2hj3.cloudfront.net',
                    EvaluateTargetHealth: false,
                    HostedZoneId: 'JKEJWQHKJQWKK'
                },
                Name: 'example.com',
                Type: "A"
            }
        }],
        Comment: "S3 Hosted Site"
    },
    HostedZoneId: 'Z2FDTNDATAQYW2' // Fixed ID CloudFront distribution
};

route53.changeResourceRecordSets(options, function(error, data) {

    //
    //  1.  Check if there was an error
    //
    if(error)
    {
        return reject(error);
    }

    //
    //  -> Move to the next chain
    //
    return resolve(container);

});

When I run this I get:

AccessDenied: User: arn:aws:iam::1234567:user/cli_s3_hosting is not authorized to access this resource

If I use IAM Policy Simulator I have no issues as seen in the screenshot below.


I also tried to add AdminFullAccess and still I get the same error. What am I missing?

David Gatti asked Dec 07 '17 21:12


1 Answer

You have to swap the values of the HostedZoneIds, i.e. Z2FDTNDATAQYW2 should appear first and then your Route 53 hosted zone. The error appears because you are trying to change a resource record set of the CF distribution hosted zone (Z2FDTNDATAQYW2), which does not belong to your account.

sudo answered Oct 10 '22 01:10
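
The swap described in the answer above, as an added example that is not part of the original posts: a parameter builder that puts each zone ID in its place and refuses the CloudFront zone as the zone to modify, plus an IAM statement scoped to that single zone. The helper names and the zone ID `Z0000000EXAMPLE` used when calling it are assumptions made for illustration.

```javascript
// Added example: helper names are hypothetical, not from the original posts.
// Fixed hosted zone ID that Route 53 uses for every CloudFront alias target.
const CLOUDFRONT_ZONE_ID = 'Z2FDTNDATAQYW2';

// ListHostedZones returns IDs as "/hostedzone/Z..."; keep only the bare ID.
function normalizeZoneId(id) {
    return String(id).replace(/^\/hostedzone\//, '');
}

// Build changeResourceRecordSets params with each zone ID in its proper place.
function buildCloudFrontAlias(ownZoneId, recordName, distributionDomain) {
    const zoneId = normalizeZoneId(ownZoneId);
    if (zoneId === CLOUDFRONT_ZONE_ID) {
        // The mistake from the question: the request would target a hosted
        // zone that does not belong to the caller's account (AccessDenied).
        throw new Error('HostedZoneId must be your own zone, not the CloudFront zone');
    }
    if (!/\.cloudfront\.net\.?$/i.test(distributionDomain)) {
        throw new Error('Alias target is not a CloudFront domain name');
    }
    return {
        HostedZoneId: zoneId,                      // zone being modified (yours)
        ChangeBatch: {
            Comment: 'S3 Hosted Site',
            Changes: [{
                Action: 'CREATE',
                ResourceRecordSet: {
                    Name: recordName,
                    Type: 'A',
                    AliasTarget: {
                        DNSName: distributionDomain,
                        EvaluateTargetHealth: false,
                        HostedZoneId: CLOUDFRONT_ZONE_ID // zone of the target
                    }
                }
            }]
        }
    };
}

// IAM statement scoped to the one zone the caller is expected to change.
function recordChangePolicy(ownZoneId) {
    return {
        Effect: 'Allow',
        Action: 'route53:ChangeResourceRecordSets',
        Resource: 'arn:aws:route53:::hostedzone/' + normalizeZoneId(ownZoneId)
    };
}
```

The object returned by `buildCloudFrontAlias('Z0000000EXAMPLE', 'example.com', '12kjh31k2hj3.cloudfront.net')` can be passed as the first argument to `route53.changeResourceRecordSets` in place of `options` from the question.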