Receiving 'not authorized to perform: route53:GetChange' even though SSL certificate was issued


I requested an SSL certificate using DNS authentication. When attempting to add the TXT record, I received ‘not authorized to perform: route53:GetChange’. However, I was still issued an SSL certificate anyway:

2020-07-06 15:49:43.298 -07:00 [INF] Performing automated challenge responses (
2020-07-06 15:49:43.306 -07:00 [INF] DNS: Creating TXT Record '' with value 'pYzh4UxIUYyrQ0K_e6du1EBRNIgeO1W-Vpfg7qj-IH8', in Zone Id 'ZYZYZYZYZX' using API provider 'Amazon Route 53 DNS API'
2020-07-06 15:49:44.394 -07:00 [ERR] DNS update failed: Amazon Route 53 DNS API :: Dns Record Create/Update: - User: arn:aws:iam::979797977:user/UserName is not authorized to perform: route53:GetChange on resource: arn:aws:route53:::change/H808089890PH
2020-07-06 15:49:44.395 -07:00 [INF] Requesting Validation:
2020-07-06 15:50:44.794 -07:00 [INF] Attempting Challenge Response Validation for Domain:
2020-07-06 15:50:44.794 -07:00 [INF] Registering and Validating 
2020-07-06 15:50:44.794 -07:00 [INF] Checking automated challenge response for Domain:
2020-07-06 15:50:44.922 -07:00 [WRN] Challenge response validation still pending. Re-checking [10]..
2020-07-06 15:50:46.676 -07:00 [INF] Domain validation completed:

The ‘UserName’ user does have permission in AWS to ‘route53:GetChange’ .

Testing with a browser on a client machine configured with a host file shows the certificate as valid.

Does this mean we have a permissions issue, or should we be ignoring this warning?

As per our discussion in the support ticket, the suggested policy for a restricted account is shown in the route53 provider docs:

The ‘GetChange’ permission is set by request ID, not hosted zone ID.

This was the solution:

"Version": "2012-10-17",
"Statement": [
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
        "Resource": [
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": [
        "Resource": "*"