Using SSL in HatchBox with AWS Route 53

Jun 23, 2022

HatchBox continues to be my favorite tool for Rails deployment, hands down. That includes Dockarno, my own Bash-based Docker deployment tool. When something you pay for replaces something you wrote yourself, that's a very, very strong sign that it's good.

I just used HatchBox to deploy with a wildcard SSL certificate for something I'm building, and the process was a bit tricky, so I thought I'd write it up.

HatchBox has excellent built-in SSL support using Let's Encrypt, but Let's Encrypt will only issue a wildcard certificate through a DNS challenge, so when you choose wildcard SSL you get asked for a Route 53 access key ID and secret access key. Here's how you get those:

On AWS, in Route 53

In Route 53, make sure the domain's hosted zone has a *.domain.extension record so every subdomain resolves to your server. That hosted zone is also where HatchBox will create the TXT records that prove to Let's Encrypt that you control the domain, which is why it needs API access to it.

On AWS, in IAM

In the IAM console, you need to:

  • Add a user
  • Add that user to a group
  • Add a JSON policy document to that group

Here is the JSON policy that you need to add. It allows record changes in every hosted zone in the account; if the account has zones other than the one HatchBox manages, narrow the hostedzone/* resource to that zone's ID (the List actions on "*" have to stay as they are, since Route 53 does not scope them to a zone):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "route53:GetChange",
                "Resource": "arn:aws:route53:::change/*"
            },
            {
                "Effect": "Allow",
                "Action": "route53:ChangeResourceRecordSets",
                "Resource": "arn:aws:route53:::hostedzone/*"
            },
            {
                "Effect": "Allow",
                "Action": "route53:ListHostedZonesByName",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "route53:ListHostedZones",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "route53:ListResourceRecordSets",
                "Resource": "*"
            }
        ]
    }

After you've created the user, you'll be shown the normal AWS access key ID and secret access key. The secret is only displayed once, so save the credentials and then add them to HatchBox. HatchBox will then open an API session with AWS and validate the key.

My Experience and Chris's Brilliant Work

I started from documentation I found online (see below) that turned out to be incomplete. When I examined the HatchBox log for the transaction, I saw this:

This is where Chris did his normally brilliant work. By passing through the full error response (and building a user-viewable log facility), I was able to see:

    Type: Sender
    Code: AccessDenied
    Message: User: arn:aws:iam::835336135388:user/hatchboxdns2 is not authorized to perform: route53:ListResourceRecordSets on resource: arn:aws:route53:::hostedzone/Z1OSXVLV0259TW because no identity-based policy allows the route53:ListResourceRecordSets action
    RequestId: 427a3f8b-97ff-40fc-8079-3b2799e51463

And that told me I needed to add route53:ListResourceRecordSets to my JSON policy.
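You can catch a gap like that before handing the credentials to HatchBox by checking the policy against the Route 53 calls a DNS challenge makes. The script below is an example added to this write-up, not HatchBox's or AWS's code: it is a minimal evaluator for the Allow statements in the policy above (wildcards in Action and Resource, implicit deny; no Deny statements, conditions or NotAction), run against the full policy, against the incomplete one I started from (the last two actions missing), and against a copy narrowed to a single hosted zone. The hosted zone ID is the one from the log line above; the change ID and the second zone ID are made up for the example.

```python
"""
Minimal IAM Allow-statement evaluator for the Route 53 policy HatchBox
needs for wildcard (DNS challenge) certificates. Example code for this
post, not HatchBox's or AWS's implementation: it models only Allow
statements with '*' wildcards and IAM's implicit deny.
"""
import copy
import fnmatch
import json

# The complete policy from the post.
FULL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "route53:GetChange",
     "Resource": "arn:aws:route53:::change/*"},
    {"Effect": "Allow", "Action": "route53:ChangeResourceRecordSets",
     "Resource": "arn:aws:route53:::hostedzone/*"},
    {"Effect": "Allow", "Action": "route53:ListHostedZonesByName",
     "Resource": "*"},
    {"Effect": "Allow", "Action": "route53:ListHostedZones",
     "Resource": "*"},
    {"Effect": "Allow", "Action": "route53:ListResourceRecordSets",
     "Resource": "*"}
  ]
}
""")

# The incomplete variant the post started from: the last two actions missing.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": FULL_POLICY["Statement"][:3],
}

# Calls a DNS-challenge client makes. Zone ID copied from the post's error
# log; the change ID is a constructed placeholder.
ZONE_ARN = "arn:aws:route53:::hostedzone/Z1OSXVLV0259TW"
DNS01_CALLS = [
    ("route53:ListHostedZones", "*"),
    ("route53:ListHostedZonesByName", "*"),
    ("route53:ListResourceRecordSets", ZONE_ARN),
    ("route53:ChangeResourceRecordSets", ZONE_ARN),
    ("route53:GetChange", "arn:aws:route53:::change/C0123456789EXAMPLE"),
]


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """True if some Allow statement covers (action, resource).
    Action names match case-insensitively, ARNs case-sensitively, and
    anything not explicitly allowed is implicitly denied, as in IAM."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase(action.lower(), a) for a in actions) and \
           any(fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False


def missing_permissions(policy, calls=DNS01_CALLS):
    """The (action, resource) pairs the policy would reject, i.e. the
    AccessDenied errors HatchBox would surface in its log."""
    return [(a, r) for a, r in calls if not is_allowed(policy, a, r)]


def scope_to_zone(policy, zone_id):
    """Copy of the policy with hostedzone/* narrowed to one hosted zone.
    The List* statements keep '*' because Route 53 does not support
    resource-level permissions for those actions."""
    scoped = copy.deepcopy(policy)
    wildcard = "arn:aws:route53:::hostedzone/*"
    for stmt in scoped["Statement"]:
        stmt["Resource"] = [
            f"arn:aws:route53:::hostedzone/{zone_id}" if r == wildcard else r
            for r in _as_list(stmt["Resource"])
        ]
    return scoped


if __name__ == "__main__":
    for name, pol in [("full", FULL_POLICY), ("incomplete", INCOMPLETE_POLICY)]:
        print(f"{name} policy is missing: {missing_permissions(pol)}")
    print(json.dumps(scope_to_zone(FULL_POLICY, "Z1OSXVLV0259TW"), indent=2))
```

Running it reports the incomplete policy as missing route53:ListHostedZones and route53:ListResourceRecordSets on the zone, the second of which is exactly the AccessDenied in the log above, while the full policy and the zone-scoped copy pass all five calls.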


See Also

This was helpful but not complete, and I had to update the JSON policy document as above: the one in the article was missing the last two actions listed there (route53:ListHostedZones and route53:ListResourceRecordSets).

