I have an AWS CodeBuild project connected to a Github repo, and on every new commit it creates a new CloudFormation stack based on a predefined template. The full template can be found here.
The CodeBuild project has this as its build commands:
```yaml
version: 0.2
phases:
  install:
    runtime-versions:
      nodejs: 12
  pre_build:
    commands:
      - NODE_ENV=development npm install
      - npm run makeScriptsExecutable
  build:
    commands:
      - stackName="stack-$CODEBUILD_RESOLVED_SOURCE_VERSION"
      - apiGatewayName="gateway-$CODEBUILD_RESOLVED_SOURCE_VERSION"
      - FUNCTION_NAME="lambda-$CODEBUILD_RESOLVED_SOURCE_VERSION"
      - S3_ASSETS_BUCKET="s3-$CODEBUILD_RESOLVED_SOURCE_VERSION"
      - S3_ASSETS_BUCKET_URI="s3://$S3_ASSETS_BUCKET"
      - DOMAIN_NAME="$CODEBUILD_RESOLVED_SOURCE_VERSION.guacchain.com"
      - BASE_NAME="prod"
      - echo "S3_ASSETS_BUCKET_URI value here:"
      - echo $S3_ASSETS_BUCKET_URI
      - TEMPLATE_URL=https://s3-external-1.amazonaws.com/cf-templates-1npj2t2ifo384-us-east-1/2020146JeV-stack2.yaml
      - aws cloudformation create-stack --stack-name $stackName --template-url $TEMPLATE_URL --parameters ParameterKey=apiGatewayStageName,ParameterValue=$BASE_NAME ParameterKey=lambdaFunctionName,ParameterValue=$FUNCTION_NAME ParameterKey=s3BucketName,ParameterValue=$S3_ASSETS_BUCKET ParameterKey=domainName,ParameterValue=$DOMAIN_NAME ParameterKey=subdomain,ParameterValue=$CODEBUILD_RESOLVED_SOURCE_VERSION --capabilities CAPABILITY_IAM
      - sleep 45
      - sed -i "s/COMMIT_ID/$CODEBUILD_RESOLVED_SOURCE_VERSION/g" .babelrc
      - NODE_ENV=production npm run start
      - NODE_ENV=production npm run build
      - NODE_ENV=production npm run build:server
      - NODE_ENV=production npm run deploy
```
The current problem I'm running into is that ever since adding a resource of type AWS::Route53::RecordSet, the stack creation fails due to: API: route53:GetHostedZone User: arn:aws:sts::XXXX:assumed-role/CodeBuildServiceRole/AWSCodeBuild-XXXX is not authorized to access this resource.
That resource currently looks like this:
```yaml
domainRecordSet:
  Type: 'AWS::Route53::RecordSet'
  Properties:
    AliasTarget:
      DNSName: !GetAtt domainNameResource.DistributionDomainName
      HostedZoneId: !GetAtt domainNameResource.DistributionHostedZoneId
    Type: A
    HostedZoneId: !GetAtt domainNameResource.DistributionHostedZoneId
    Name: !Sub '${subdomain}.guacchain.com'
```
The subdomain variable is given to the stack as a parameter. The referenced domainNameResource does successfully get created before the stack creation fails:
Also, the CodeBuildServiceRole is applied to the CodeBuild project. I thought that giving it the AdministratorAccess, AmazonRoute53FullAccess, and AWSCloudFormationFullAccess policies would be enough, but apparently not!
On the IAM Permissions tab it shows Permissions boundary (not set).
On the Trusted Relationships tab it has only one row in the "Trusted entities" list: The identity provider(s) codebuild.amazonaws.com. It also shows "There are no conditions associated with this role."
What must be done to this IAM role, the Codebuild project, or the CloudFormation stack (or some combination of those) in order to get the Route53 RecordSet resource successfully created?
Based on the comments, the issue was the incorrect assignment to the second HostedZoneId:

```yaml
HostedZoneId: !GetAtt domainNameResource.DistributionHostedZoneId
```

It should be the id of the hosted zone that the OP controls, not the hosted zone of the CloudFront distribution, which is owned by AWS. This explains the error message: you are not authorized to modify an AWS-owned hosted zone.
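The corrected resource, as an added example rather than the OP's template: the alias target keeps pointing at the distribution's own zone (that part was right), while the record's HostedZoneId comes from a new stack parameter, assumed here to be named `hostedZoneId`, holding the id of the zone the account owns; `domainNameResource` and `subdomain` are assumed from the OP's template.

```yaml
Parameters:
  subdomain:
    Type: String
  hostedZoneId:
    # Assumed parameter name: the hosted zone for guacchain.com that
    # this account owns. The type makes CloudFormation validate it
    # against the zones in the account at stack creation time.
    Type: AWS::Route53::HostedZone::Id

Resources:
  domainRecordSet:
    Type: 'AWS::Route53::RecordSet'
    Properties:
      # AliasTarget.HostedZoneId must be the CloudFront distribution's
      # zone id; this is the value !GetAtt already returned correctly.
      AliasTarget:
        DNSName: !GetAtt domainNameResource.DistributionDomainName
        HostedZoneId: !GetAtt domainNameResource.DistributionHostedZoneId
      Type: A
      # The record itself is written into the zone this account controls.
      # Using the distribution's zone here is what produced the
      # route53:GetHostedZone authorization error.
      HostedZoneId: !Ref hostedZoneId
      Name: !Sub '${subdomain}.guacchain.com'
```

The create-stack call in the buildspec then needs an extra `ParameterKey=hostedZoneId,ParameterValue=<your zone id>` entry, with the zone id supplied from CodeBuild's environment rather than hard-coded in the template.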