Receiving 'not authorized to perform: route53:GetChange' even though SSL certificate was issued

Hello,

I requested an SSL certificate using DNS authentication. When attempting to add the TXT record, I received ‘not authorized to perform: route53:GetChange’. However, I was still issued an SSL certificate anyway:

2020-07-06 15:49:43.298 -07:00 [INF] Performing automated challenge responses (xxx.xxxxx.com)
2020-07-06 15:49:43.306 -07:00 [INF] DNS: Creating TXT Record '_acme-challenge.xxxxx.xxxxxx.com' with value 'pYzh4UxIUYyrQ0K_e6du1EBRNIgeO1W-Vpfg7qj-IH8', in Zone Id 'ZYZYZYZYZX' using API provider 'Amazon Route 53 DNS API'
2020-07-06 15:49:44.394 -07:00 [ERR] DNS update failed: Amazon Route 53 DNS API :: Dns Record Create/Update: _acme-challenge.xxx.xxxxx.com - User: arn:aws:iam::979797977:user/UserName is not authorized to perform: route53:GetChange on resource: arn:aws:route53:::change/H808089890PH
2020-07-06 15:49:44.395 -07:00 [INF] Requesting Validation: xxx.xxxxx.com
2020-07-06 15:50:44.794 -07:00 [INF] Attempting Challenge Response Validation for Domain: xxx.xxxxx.com
2020-07-06 15:50:44.794 -07:00 [INF] Registering and Validating xxx.xxxxx.com 
2020-07-06 15:50:44.794 -07:00 [INF] Checking automated challenge response for Domain: xxx.xxxxx.com
2020-07-06 15:50:44.922 -07:00 [WRN] Challenge response validation still pending. Re-checking [10]..
2020-07-06 15:50:46.676 -07:00 [INF] Domain validation completed: xxx.xxxxx.com

The ‘UserName’ user does have permission in AWS to ‘route53:GetChange’.

Testing with a browser on a client machine configured with a host file shows the certificate as valid.

Does this mean we have a permissions issue, or should we be ignoring this warning?

As per our discussion in the support ticket, the suggested policy for a restricted account is shown in the route53 provider docs:

The ‘GetChange’ permission is set by request ID, not hosted zone ID.

This was the solution:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "route53:GetHostedZone",
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/*ZONEID*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "route53:GetChange",
                "route53:ListHostedZones",
                "route53:CreateHostedZone",
                "route53:ListHostedZonesByName"
            ],
            "Resource": "*"
        }
    ]
}
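The error line in the log shows what the policy fix is really about: IAM evaluated route53:GetChange against the change ARN (arn:aws:route53:::change/H808089890PH), not against the hosted zone ARN, so a statement that scopes every Route 53 action to hostedzone/ZONEID can never match it. The following is an added example, not code from the thread or from Certify The Web or its Route 53 provider. It is a small offline policy matcher that checks which calls an ACME DNS-01 client needs (the list of required calls is my assumption, based on the log above: find the zone, write the TXT record, poll the change) and reports the calls a policy does not allow. It models only Allow statements with Action/Resource wildcard matching and ignores Deny, NotAction and Condition, so it is a sanity check rather than a replacement for the IAM policy simulator. The zone ID and change ID are the placeholders from the log; the "fixed" policy below grants GetChange on arn:aws:route53:::change/*, which is narrower than the Resource "*" used in the posted solution but still covers any change ID.

```python
"""Offline check of which Route 53 calls an IAM policy allows.

Added example, not from the forum thread or Certify The Web. Only Allow
statements with Action/Resource glob matching are modelled (no Deny,
NotAction or Condition); use it as a quick sanity check, not as a
substitute for the IAM policy simulator.
"""
import fnmatch
import json
from typing import List, Tuple

# ARNs as they appear in the posted log (placeholder zone ID and change ID).
ZONE_ARN = "arn:aws:route53:::hostedzone/ZYZYZYZYZX"
CHANGE_ARN = "arn:aws:route53:::change/H808089890PH"

# Calls an ACME DNS-01 client needs for one zone (assumption based on the log):
# locate the zone, create the TXT record, then poll the change until INSYNC.
# The resource is the ARN IAM evaluates the action against; list calls use "*".
REQUIRED_CALLS: List[Tuple[str, str]] = [
    ("route53:ListHostedZones", "*"),
    ("route53:ListHostedZonesByName", "*"),
    ("route53:GetHostedZone", ZONE_ARN),
    ("route53:ListResourceRecordSets", ZONE_ARN),
    ("route53:ChangeResourceRecordSets", ZONE_ARN),
    ("route53:GetChange", CHANGE_ARN),   # change ARN, not the hosted zone ARN
]


def _as_list(value) -> list:
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches both the action and the resource.

    IAM Action and Resource patterns use * and ? wildcards, which fnmatch
    reproduces; ARNs contain no [] characters, so no escaping is needed.
    """
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def missing_permissions(policy: dict) -> List[Tuple[str, str]]:
    """Return the (action, resource) pairs from REQUIRED_CALLS the policy does not allow."""
    return [(a, r) for a, r in REQUIRED_CALLS if not is_allowed(policy, a, r)]


# Constructed policy that reproduces the reported failure: GetChange is scoped
# to the hosted zone ARN, so it never matches the change ARN IAM checks.
BROKEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["route53:GetHostedZone", "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets", "route53:GetChange"],
     "Resource": "arn:aws:route53:::hostedzone/ZYZYZYZYZX"},
    {"Effect": "Allow",
     "Action": ["route53:ListHostedZones", "route53:ListHostedZonesByName"],
     "Resource": "*"}
  ]
}""")

# Constructed corrected policy: GetChange moved to its own statement on the
# change ARN namespace (narrower than Resource "*" but covers any change ID).
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["route53:GetHostedZone", "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets"],
     "Resource": "arn:aws:route53:::hostedzone/ZYZYZYZYZX"},
    {"Effect": "Allow",
     "Action": ["route53:ListHostedZones", "route53:ListHostedZonesByName"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "route53:GetChange",
     "Resource": "arn:aws:route53:::change/*"}
  ]
}""")


if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(f"{name}: missing {missing_permissions(policy) or 'nothing'}")
```

Running it lists route53:GetChange on the change ARN as the only missing permission for the broken policy and nothing for the fixed one, which matches the log: the TXT record was created (ChangeResourceRecordSets was allowed) and only the follow-up GetChange poll was refused, so the certificate still issued once the record had propagated on its own. A real deployment should confirm the result with the IAM policy simulator, since this matcher ignores Deny statements and conditions.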