Reputation: 3701
I'm trying to create a new record in Route 53 of type Alias to tell Route 53 to use CloudFront to serve the site. I'm trying to do this using the following code:
    let options = {
        ChangeBatch: {
            Changes: [{
                Action: "CREATE",
                ResourceRecordSet: {
                    AliasTarget: {
                        DNSName: '12kjh31k2hj3.cloudfront.net',
                        EvaluateTargetHealth: false,
                        HostedZoneId: 'JKEJWQHKJQWKK'
                    },
                    Name: 'example.com',
                    Type: "A"
                }
            }],
            Comment: "S3 Hosted Site"
        },
        HostedZoneId: 'Z2FDTNDATAQYW2' // Fixed ID CloudFront distribution
    };

    route53.changeResourceRecordSets(options, function(error, data) {
        //
        // 1. Check if there was an error
        //
        if(error)
        {
            return reject(error);
        }

        //
        // -> Move to the next chain
        //
        return resolve(container);
    });
When I run this I get:
AccessDenied: User: arn:aws:iam::1234567:user/cli_s3_hosting is not authorized to access this resource
If I use IAM Policy Simulator I have no issues as seen in the screenshot below.
I also tried to add AdminFullAccess and still I get the same error. What am I missing?
Upvotes: 5
Views: 5814
Reputation: 5879
In my case, I have admin access and am still not authorized to run the command.
The reason was that I have MFA enabled on my AWS account and the same has to be done for aws-cli.
This article might help you in setting up the same.
Upvotes: 0
Reputation: 2688
Adding to the accepted answer, for anybody getting this error from the CLI:
aws route53 change-resource-record-sets --hosted-zone-id ABCDEFGHIJKLM --change-batch file://wilcards.json # this zone-id is for YOUR domain (eg my-domain.com.)
The HostedZoneId here is one from this page https://docs.aws.amazon.com/general/latest/gr/rande.html
    {
        "Comment": "CREATE *.sub.my-domain.com. ",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": "\\052.sub.my-domain.com.",
                "Type": "A",
                "AliasTarget": {
                    "HostedZoneId": "Z1H1FL5HABSF5",
                    "DNSName": "dualstack.my-elb-or-other-endpoint.aws-region.elb.amazonaws.com.",
                    "EvaluateTargetHealth": false
                }
            }
        }]
    }
Upvotes: 0
Reputation: 2327
You have to swap the values of the HostedZoneIds, i.e. Z2FDTNDATAQYW2 should appear first and then your Route 53 hosted zone. The error appears because you are trying to change the resource record set of the CF distribution hosted zone (Z2FDTNDATAQYW2), which does not belong to your account.
Upvotes: 6
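Added example (not code from the question or from any of the answers): a pre-flight check that catches the swapped zone IDs described in the last answer before the request is sent, and a helper that returns the corrected parameters. The function names `checkAliasParams` and `fixSwappedZoneIds` are hypothetical; the IDs are the placeholders from the question.

```javascript
// Fixed hosted zone ID used for every CloudFront alias target (as on this page).
const CLOUDFRONT_ZONE_ID = 'Z2FDTNDATAQYW2';

// Returns a list of problems in changeResourceRecordSets params ([] = none found).
function checkAliasParams(params) {
  const problems = [];
  if (params.HostedZoneId === CLOUDFRONT_ZONE_ID) {
    problems.push('top-level HostedZoneId is the CloudFront zone, not a zone you own');
  }
  for (const change of params.ChangeBatch.Changes) {
    const alias = change.ResourceRecordSet.AliasTarget;
    if (!alias) continue; // plain (non-alias) record, nothing to check
    const dns = alias.DNSName.toLowerCase().replace(/\.$/, '');
    if (dns.endsWith('.cloudfront.net') && alias.HostedZoneId !== CLOUDFRONT_ZONE_ID) {
      problems.push(`AliasTarget.HostedZoneId for ${dns} must be ${CLOUDFRONT_ZONE_ID}`);
    }
  }
  return problems;
}

// Returns a corrected deep copy when the two zone IDs were simply swapped.
function fixSwappedZoneIds(params) {
  const fixed = JSON.parse(JSON.stringify(params));
  if (fixed.HostedZoneId !== CLOUDFRONT_ZONE_ID) return fixed;
  for (const change of fixed.ChangeBatch.Changes) {
    const alias = change.ResourceRecordSet.AliasTarget;
    if (alias && alias.HostedZoneId !== CLOUDFRONT_ZONE_ID) {
      fixed.HostedZoneId = alias.HostedZoneId; // your own zone goes on top
      alias.HostedZoneId = CLOUDFRONT_ZONE_ID; // service zone goes in the alias
    }
  }
  return fixed;
}

// Parameters as posted in the question (its placeholder IDs, kept verbatim).
const asPosted = {
  ChangeBatch: {
    Changes: [{
      Action: 'CREATE',
      ResourceRecordSet: {
        AliasTarget: { DNSName: '12kjh31k2hj3.cloudfront.net', EvaluateTargetHealth: false, HostedZoneId: 'JKEJWQHKJQWKK' },
        Name: 'example.com', Type: 'A'
      }
    }],
    Comment: 'S3 Hosted Site'
  },
  HostedZoneId: 'Z2FDTNDATAQYW2'
};
console.log(checkAliasParams(asPosted), checkAliasParams(fixSwappedZoneIds(asPosted)));
```

Run `checkAliasParams(options)` before `route53.changeResourceRecordSets(options, ...)` and fail fast on a non-empty result, since the API error itself does not say which ID is wrong.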