403 on ChangeResourceRecordSets despite the role having route53Domains:* in the policy

Error

User: arn:aws:sts::[redacted]:assumed-role/laravel-vapor-role/vapor-[redacted]-platform-staging-queue is not authorized to perform: route53:ChangeResourceRecordSets on resource: arn:aws:route53:::hostedzone/[redacted]

My role

{
  "permissionsBoundary": {},
  "roleName": "laravel-vapor-role",
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "ec2:CreateNetworkInterface",
              "ec2:DeleteNetworkInterface",
              "ec2:DescribeNetworkInterfaces",
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:FilterLogEvents",
              "logs:PutLogEvents",
              "ssm:GetParameters",
              "ssm:GetParameter",
              "lambda:invokeFunction",
              "s3:*",
              "ses:*",
              "sqs:*",
              "dynamodb:*",
              "route53domains:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
        ]
      },
      "name": "laravel-vapor-role-policy",
      "type": "inline"
    }
  ],
  "trustedEntities": [
    "apigateway.amazonaws.com",
    "lambda.amazonaws.com"
  ]
}

Your policy does not include route53:ChangeResourceRecordSets:

Grants permission to create, update, or delete a record, which contains authoritative DNS information for a specified domain or subdomain name

You only have "route53domains:*" permissions, but neither route53:* nor route53:ChangeResourceRecordSets.

ChangeResourceRecordSets belongs to route53, not to route53domains.
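To make the answer's point concrete, here is an added Python check (not code from the question or the answer) that evaluates the failing action against two constructed policies: the shape of the inline policy as posted, and a version that adds route53:ChangeResourceRecordSets scoped to a single hosted zone. Z_PLACEHOLDER stands in for the redacted hosted zone id, and the evaluator is a simplified model of IAM action/resource matching, not the real service.

```python
import re

# Constructed policies for illustration (added here; not the poster's actual role).
# BROKEN: the shape of the inline policy from the question.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "route53domains:*"], "Resource": "*"},
    ],
}

# FIXED: add the Route 53 (not Route 53 Domains) action, and scope it to one hosted zone.
# Z_PLACEHOLDER stands in for the redacted hosted zone id.
ZONE = "arn:aws:route53:::hostedzone/Z_PLACEHOLDER"
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "route53domains:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"], "Resource": ZONE},
    ],
}


def _pattern(glob, case_insensitive):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    body = re.escape(glob).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + body + "$", re.IGNORECASE if case_insensitive else 0)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names ("service:Operation") match case-insensitively, which is why the
        # question's "lambda:invokeFunction" works; resource ARNs match case-sensitively.
        action_hit = any(_pattern(a, True).match(action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_pattern(r, False).match(resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    print(is_allowed(BROKEN_POLICY, "route53:ChangeResourceRecordSets", ZONE))  # False
    print(is_allowed(FIXED_POLICY, "route53:ChangeResourceRecordSets", ZONE))  # True
```

The "route53domains:*" pattern never matches an action whose service prefix is "route53", so the first policy denies by default; the second allows the change only on the one zone named in its Resource.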