Trying to create an SSL certificate using Amazon Certificate Manager, as per here -
https://medium.com/swlh/aws-website-hosting-with-cloudformation-guide-36cac151d1af
I have a deployment user with the following policy -
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:*",
                "s3:*",
                "route53:*",
                "acm:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
But when I deploy I get the following -
API: certificatemanager:changeResourceRecordSets User #{my_IAM_deploy_user} is not authorized to access this resource
How come I am getting this error despite acm:* access?
(wondering if related to Why changeResourceRecordSets gets not authorized to access this resource? but can't see exactly how)
(Cloudformation template below)
---
AWSTemplateFormatVersion: '2010-09-09'
Description: cloudfront-route53-demo-cert
Parameters:
  DomainName:
    Type: String
  HostedZoneId:
    Type: String
    Default: Z1BKCTXD74EZPE # eu-west-1; https://docs.aws.amazon.com/general/latest/gr/s3.html#s3_website_region_endpoints
Outputs:
  CertificateARN:
    Value:
      Ref: Certificate # returns ARN
Resources:
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName:
        Ref: DomainName
      DomainValidationOptions:
        - DomainName:
            Ref: DomainName
          HostedZoneId:
            Ref: HostedZoneId
      ValidationMethod: DNS
I misunderstood what HostedZoneId was. I thought it was some kind of Route 53 region-specific singleton but (doh) it turns out it's just the id of a Route 53 HostedZone I had created. Kinda obvious really.
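As an added pre-deploy check (my own code, not from the question or the linked guide): confirm that the HostedZoneId handed to DomainValidationOptions is one of your account's zones and that its name covers DomainName, since ACM writes its validation CNAME into that zone. The hosted-zone list below is a constructed sample in the shape of Route 53's list_hosted_zones() "HostedZones" entries; in practice you would pass the real response.

```python
from typing import Optional

# Constructed sample shaped like Route 53's list_hosted_zones() "HostedZones" entries.
SAMPLE_HOSTED_ZONES = [
    {"Id": "/hostedzone/Z0EXAMPLE1111", "Name": "example.com."},
    {"Id": "/hostedzone/Z0EXAMPLE2222", "Name": "internal.example.net."},
]


def normalise_zone_id(zone_id: str) -> str:
    """Route 53 returns Ids as '/hostedzone/Zxxxx'; templates use the bare 'Zxxxx'."""
    return zone_id.rsplit("/", 1)[-1]


def domain_in_zone(domain_name: str, zone_name: str) -> bool:
    """True if domain_name is the zone apex or a subdomain of zone_name."""
    domain = domain_name.rstrip(".").lower()
    zone = zone_name.rstrip(".").lower()
    return domain == zone or domain.endswith("." + zone)


def check_validation_zone(domain_name: str, hosted_zone_id: str,
                          hosted_zones: list) -> Optional[str]:
    """Return None when hosted_zone_id is one of our zones and it covers domain_name.

    Otherwise return a reason string describing why a DNS validation record could not
    be written there (the question's case: a zone id that is not ours at all).
    """
    wanted = normalise_zone_id(hosted_zone_id)
    zone = next((z for z in hosted_zones if normalise_zone_id(z["Id"]) == wanted), None)
    if zone is None:
        return f"{wanted} is not a hosted zone in this account"
    if not domain_in_zone(domain_name, zone["Name"]):
        return f"{domain_name} is not under zone {zone['Name']} ({wanted})"
    return None


if __name__ == "__main__":
    # The question's Default value was copied from the S3 website endpoints table,
    # so it is not a zone in the deploying account and the check rejects it.
    print(check_validation_zone("www.example.com", "Z1BKCTXD74EZPE", SAMPLE_HOSTED_ZONES))
    # A zone we own whose name covers the domain passes.
    print(check_validation_zone("www.example.com", "Z0EXAMPLE1111", SAMPLE_HOSTED_ZONES))
```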