Custom Domain - The role with name AWSAmplifyDomainRole-Z073737928BZTN2WA6J6L cannot be found.
Environment information
System:
OS: macOS 15.3.2
CPU: (14) arm64 Apple M3 Max
Memory: 160.31 MB / 36.00 GB
Shell: /bin/zsh
Binaries:
Node: 18.20.7 - ~/.nvm/versions/node/v18.20.7/bin/node
Yarn: undefined - undefined
npm: 10.8.2 - ~/.nvm/versions/node/v18.20.7/bin/npm
pnpm: undefined - undefined
NPM Packages:
@aws-amplify/auth-construct: 1.6.1
@aws-amplify/backend: 1.14.3
@aws-amplify/backend-ai: Not Found
@aws-amplify/backend-auth: 1.5.1
@aws-amplify/backend-cli: 1.5.0
@aws-amplify/backend-data: 1.4.1
@aws-amplify/backend-deployer: 1.1.20
@aws-amplify/backend-function: 1.12.3
@aws-amplify/backend-output-schemas: 1.4.1
@aws-amplify/backend-output-storage: 1.1.5
@aws-amplify/backend-secret: 1.2.0
@aws-amplify/backend-storage: 1.2.6
@aws-amplify/cli-core: 1.4.1
@aws-amplify/client-config: 1.5.8
@aws-amplify/data-construct: 1.15.1
@aws-amplify/data-schema: 1.19.0
@aws-amplify/deployed-backend-client: 1.5.2
@aws-amplify/form-generator: 1.0.5
@aws-amplify/model-generator: 1.0.13
@aws-amplify/platform-core: 1.6.5
@aws-amplify/plugin-types: 1.8.1
@aws-amplify/sandbox: 1.2.12
@aws-amplify/schema-generator: 1.2.8
aws-amplify: 6.13.5
aws-cdk: 2.1003.0
aws-cdk-lib: 2.180.0
typescript: 5.8.2
AWS environment variables:
AWS_DEFAULT_REGION = us-west-2
No CDK environment variables
Describe the bug
I had a custom domain name setup, but then it stopped working. When I went in to edit it, I would get an error in the AWS Amplify domain management.
The role with name AWSAmplifyDomainRole-Z073737928BZTN2WA6J6L cannot be found.
I have tried recreating the custom domain multiple times, but I always get stuck at SSL configuration.
Reproduction steps
- Create a new AWS Amplify App
- Fork or link to https://github.com/jbejar/southjordancanal/
- Link to a custom domain
- Notice how it takes a long time
The same issue happened to me as well.
The same issue is happening to me.
In my case, I resolved the issue by verifying that the name server values displayed in the "Registered domains" section matched the name server values I recorded from the "Hosted Zone Details" section, and when they didn't match, I edited the name server values to match those in the Hosted Zone. (Although the error alert remained displayed, the actual functionality was working correctly.) https://docs.aws.amazon.com/amplify/latest/userguide/troubleshooting-custom-domains.html#my-domain-hosted-with-amazon-route-53-is-stuck-in-the-pending-verification-state
I finally have it working, the issue was that I did not verify my domain within the 15 days. To resolve the issue:
- Go to Route 53 / Registered Domains
- Click on the Domain and resend the e-mail for verification
- You should receive an e-mail that your domain is re-enabled
- Then go to Amplify and delete the domain
- Then add it back again, which should create a new certificate
- I'm back online
I may be stuck in a Catch-22 with this issue remaining for me since Njalla, my registrar, is privacy oriented, something I used to care about more. But they don't have a way to turn off privacy protection so I'm kind of stuck with AWS not sending me the email.
The strange thing for me is this: I migrated a hosted zone not a domain to Route 53, and I'm getting this error in Amplify for a subdomain but not the root domain. Is this actually a technical issue with AWS?
Leaving a note for the future here because I just had this issue and worked through it with AWS Support...
Ultimately, we had to re-create the "AWSAmplifyDomainRole-..." role in IAM, and attach the AmazonRoute53FullAccess policy.
So, as example, if you had an error message of "The role with name AWSAmplifyDomainRole-Z073737928BZTN2WA6J6L cannot be found" as above, you would name the role AWSAmplifyDomainRole-Z073737928BZTN2WA6J6L and then attach to it the AmazonRoute53FullAccess policy. Afterward, retry the custom domain or subdomain creation.
this is still happening
Indeed still happening. Strangely enough it doesn't fail the domain registration process (I'm using hosted zones), but it does prevent edits.
Issue Summary
Users encounter "The role with name AWSAmplifyDomainRole-[ID] cannot be found" error when managing custom domains in AWS Amplify Hosting. The error prevents domain configuration edits and SSL certificate management, affecting multiple users since March 2025.
Root Cause Analysis
Primary Cause: AWS Service-Level IAM Role Management Bug
The issue stems from inconsistent IAM role provisioning in AWS Amplify Hosting service:
- Domain Creation Path: Works without requiring AWSAmplifyDomainRole (has fallback logic)
- Domain Edit Path: Strictly requires AWSAmplifyDomainRole, causing failures when role is missing
- Role Lifecycle: AWS Amplify service fails to automatically create/maintain required IAM roles
Contributing Factors
- Domain Verification Expiry: 15-day verification window causes role lookup failures
- DNS Configuration Issues: Nameserver misalignment between registered domains and hosted zones
- Privacy Protection: Domain privacy settings block AWS verification emails
- Subdomain vs Root Domain: Different validation logic causes inconsistent behavior
Evidence from Comments Analysis
User-Reported Patterns:
- @jbejar: Resolved by re-verifying domain within 15-day window
- @chrisl777: AWS Support confirmed manual role creation as workaround
- @fuku01: Fixed by aligning Route 53 nameservers
- @iliapolo: Domain creation succeeds but edits fail (key insight)
- @Type-IIx: Error affects subdomains but not root domains
Reproduction Results:
✅ Successfully reproduced using AWS CLI:
- Domain creation works without AWSAmplifyDomainRole
- Role management is inconsistent between creation/edit workflows
- Confirms service-level bug in AWS Amplify Hosting
Reproduction Steps:
# 1. Create Amplify app
aws amplify create-app --name "domain-role-test"
# 2. Create branch and deploy content
aws amplify create-branch --app-id [APP_ID] --branch-name "main"
aws amplify start-deployment --app-id [APP_ID] --branch-name "main" --source-url [REPO_URL]
# 3. Add custom domain (succeeds without role)
aws amplify create-domain-association \
--app-id [APP_ID] \
--domain-name "example.com" \
--sub-domain-settings branchName=main,prefix=www
# 4. Simulate missing role scenario
aws iam create-role --role-name "AWSAmplifyDomainRole-[APP_ID]" [TRUST_POLICY]
aws iam attach-role-policy --role-name "AWSAmplifyDomainRole-[APP_ID]" --policy-arn [ROUTE53_POLICY]
aws iam delete-role --role-name "AWSAmplifyDomainRole-[APP_ID]"
# 5. Attempt domain edit (would fail with role error)
aws amplify update-domain-association --app-id [APP_ID] --domain-name "example.com" [NEW_SETTINGS]
got:
>An error occurred (BadRequestException) when calling the UpdateDomainAssociation operation: You cannot update a domain association while the certificate is updating. Try again once the ongoing update has completed.
Key Findings: We did NOT get the specific "AWSAmplifyDomainRole cannot be found" error because:
- Domain was still processing - The certificate was in PENDING_VERIFICATION → AWAITING_APP_CNAME status
- Update blocked by certificate state - AWS prevented the update due to ongoing certificate operations
- Role check never reached - The operation failed before it got to the role validation step
Current vs Expected Behavior
flowchart TD
subgraph "CURRENT BEHAVIOR (Broken)"
A1["User: Create Domain"] --> B1["AWS: Domain Creation Flow"]
B1 --> C1{Need AWSAmplifyDomainRole?}
C1 -->|No| D1["✅ SUCCESS: Domain created without role"]
A2["User: Edit Domain"] --> B2["AWS: Domain Edit Flow"]
B2 --> C2{AWSAmplifyDomainRole exists?}
C2 -->|Yes| D2["✅ SUCCESS: Edit works"]
C2 -->|No| E2["❌ ERROR: Role cannot be found"]
F1["Problem: Inconsistent role requirements"]
end
subgraph "EXPECTED BEHAVIOR (Fixed)"
A3["User: Create Domain"] --> B3["AWS: Consistent Flow"]
B3 --> C3["Auto-create AWSAmplifyDomainRole if needed"]
C3 --> D3["✅ SUCCESS: Domain created with role"]
A4["User: Edit Domain"] --> B4["AWS: Consistent Flow"]
B4 --> C4["Use existing AWSAmplifyDomainRole"]
C4 --> D4["✅ SUCCESS: Edit works"]
F2["Solution: Same role logic for all operations"]
end
Duplicate Issues Assessment
No duplicates found in aws-amplify/amplify-backend repository. This appears to be the primary tracking issue for this service bug.
Workarounds (Temporary Solutions)
1. Manual Role Creation (Most Reliable)
# Create the missing IAM role with exact name from error message
aws iam create-role \
--role-name "AWSAmplifyDomainRole-[YOUR-ID]" \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"Service": "amplify.amazonaws.com"},
"Action": "sts:AssumeRole"
}]
}'
# Attach required policy
aws iam attach-role-policy \
--role-name "AWSAmplifyDomainRole-[YOUR-ID]" \
--policy-arn "arn:aws:iam::aws:policy/AmazonRoute53FullAccess"
2. Domain Re-verification
- Go to Route 53 → Registered Domains
- Resend verification email
- Complete verification within 15 days
- Delete and recreate domain in Amplify
3. DNS Configuration Fix
- Ensure Route 53 hosted zone nameservers match registered domain nameservers
- Verify DNS propagation
Recommended Actions
For AWS Amplify Team:
- Fix IAM role provisioning in domain edit workflow
- Implement consistent role management across all domain operations
- Improve error messaging to indicate actual root cause (domain verification vs role missing)
- Add automatic role creation for edit operations
For Users:
- Use manual role creation workaround (most reliable)
- Ensure domain verification is current
- Verify DNS configuration alignment
- Contact AWS Support for persistent issues
Document Evidence
Impact Assessment
- Severity: High (blocks domain management operations)
- Scope: Multiple users across different AWS regions
- Duration: Ongoing since March 2025
- Workaround Available: Yes (manual role creation)
Conclusion
This is a confirmed AWS Amplify Hosting service bug requiring internal AWS investigation and fix. The issue is not related to the amplify-backend codebase and should be escalated to the AWS Amplify service team.
Triage completed: 2025-09-04
Reproduction environment: AWS CLI with real Amplify app and custom domain
I just ran into this after moving an old s3 static www site to Amplify via the AWS console. Fixed by manually adding the AWSAmplifyDomain role as recommended here. Full details below, some confusion I think caused by console interface.
Initially, I tried to map to a subdomain of a domain managed by external DNS, but it seemed to stall waiting for a CNAME record for "subdomain" instead of "subdomain.domain". When I went back to fix, using a domain managed by Route 53, I got the missing AWSAmplifyDomainRole error. After fixing that it stalled again, but I realized I should have deleted the existing HOST and CNAME records before attempting to remap them. Deleted those and tried again, but then got a CNAME already in use error, even while Route 53 showed the correct new records for Amplify. Not sure if that error was left over from the preceding failure before I deleted the old records, or because the new records had not propagated. Waited an hour and tried again, and it again seemed to stall, but I realized at that point the site was working.
I received this alert when I was adding my custom domain that I had with another domain registrar. If this is your first time, it may just be a message that will not have any real effect on your implementation. You just need to wait a few minutes until AWS sets everything up correctly.
- When we add our custom domain to AWS and follow the steps in the documentation https://docs.aws.amazon.com/amplify/latest/userguide/to-add-a-custom-domain-managed-by-a-third-party-dns-provider.html, we add the nameservers provided by AWS (there are 4 of them) to our external provider. This process takes a few minutes—10, 15, or even 20 minutes, sometimes longer. Just wait and everything will be fine; you won’t need to do anything related to IAM permissions.
What I've done here to solve the problem:
- delete the amplify app
- delete the cloudflare dns record (if you're using)
- Delete the AWSAmplifyDomainRole role on IAM and recreate again
- Create a custom policy for the role, for example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:RequestCertificate",
        "acm:DescribeCertificate",
        "acm:DeleteCertificate",
        "acm:ListCertificates",
        "acm:AddTagsToCertificate",
        "route53:ListHostedZones",
        "route53:ChangeResourceRecordSets",
        "route53:GetChange",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "*"
    }
  ]
}
- Add the custom domain again after the application build.
- On Cloudflare or your DNS manager, at first just add the www CNAME record and its value and the hostname record and its value. Then, after the SSL confirmation, you can add the others.
Instead of fully deleting the Amplify app, I recreated the AWSAmplifyDomainRole-Z0***** role with this permission:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
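As an added example (not code from anyone in this thread and not from the Amplify project), the following Python script ties together three things posted above: the manual role creation workaround in the triage comment, the scoped ACM/Route 53 policy one user substituted for AmazonRoute53FullAccess, and the trust policy in the comment just above, whose principal is lambda.amazonaws.com rather than the Amplify service. It takes the role name verbatim from the error message, builds a trust policy for amplify.amazonaws.com, builds a permissions policy that limits record changes to named hosted zones, and flags a trust policy whose principal is a different service, "*" or an account. Assumptions not confirmed by the thread: that amplify.amazonaws.com is the correct principal, that the listed actions are sufficient for the service, and that the hosted zone id and the inline policy name AmplifyDomainScoped are placeholders you replace. boto3 is only imported when apply_role() is run with dry_run=False.

```python
"""Recreate a missing AWSAmplifyDomainRole-<id> and check its policies.

Added example for this thread, not code from the reporters or from Amplify.
Assumptions: the role name is taken verbatim from the error message;
amplify.amazonaws.com is the principal that should assume it; the ACM and
Route 53 actions are those from the custom-policy comment (whether that set
is exactly what the service needs is not confirmed here). boto3 is imported
only inside apply_role(), so everything else runs offline.
"""
import json
import re
from typing import Dict, List, Optional

ROLE_NAME_RE = re.compile(r"The role with name (AWSAmplifyDomainRole-[A-Z0-9]+) cannot be found")
AMPLIFY_SERVICE = "amplify.amazonaws.com"
ACM_ACTIONS = ["acm:RequestCertificate", "acm:DescribeCertificate",
               "acm:DeleteCertificate", "acm:ListCertificates",
               "acm:AddTagsToCertificate"]


def role_name_from_error(message: str) -> Optional[str]:
    """Exact role name from the console/CLI error text, or None."""
    m = ROLE_NAME_RE.search(message)
    return m.group(1) if m else None


def trust_policy(service: str = AMPLIFY_SERVICE) -> Dict:
    """Trust policy that lets one AWS service principal assume the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": service},
                           "Action": "sts:AssumeRole"}]}


def permissions_policy(hosted_zone_ids: Optional[List[str]] = None) -> Dict:
    """Scoped alternative to AmazonRoute53FullAccess: record changes are
    limited to the given hosted zones; list/GetChange and ACM stay at "*"."""
    zones = ([f"arn:aws:route53:::hostedzone/{z}" for z in hosted_zone_ids]
             if hosted_zone_ids else "*")
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ACM_ACTIONS, "Resource": "*"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["route53:ListHostedZones", "route53:GetChange"]},
        {"Effect": "Allow", "Resource": zones,
         "Action": ["route53:ChangeResourceRecordSets",
                    "route53:ListResourceRecordSets"]}]}


def check_trust_policy(doc: Dict, expected: str = AMPLIFY_SERVICE) -> List[str]:
    """Findings for a trust policy (empty list = looks right). Flags the
    mistakes seen in this thread: another service principal such as
    lambda.amazonaws.com, a "*" or account principal, or extra actions."""
    findings = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            findings.append(f"non-service principal: {principal!r}")
            continue
        services = principal["Service"]
        for s in (services if isinstance(services, list) else [services]):
            if s != expected:
                findings.append(f"unexpected service principal: {s}")
        actions = st.get("Action", [])
        for a in (actions if isinstance(actions, list) else [actions]):
            if a != "sts:AssumeRole":
                findings.append(f"unexpected action in trust policy: {a}")
    return findings


def apply_role(role_name: str, hosted_zone_ids: Optional[List[str]] = None,
               dry_run: bool = True) -> Dict:
    """Create the role if it is missing and put the scoped inline policy on
    it. With dry_run=True nothing is called; the plan is returned for review."""
    trust, perms = trust_policy(), permissions_policy(hosted_zone_ids)
    if check_trust_policy(trust):
        raise ValueError(check_trust_policy(trust))
    plan = {"RoleName": role_name, "Trust": trust, "Permissions": perms}
    if dry_run:
        return plan
    import boto3  # real run only
    iam = boto3.client("iam")
    try:
        iam.get_role(RoleName=role_name)
        plan["Created"] = False
    except iam.exceptions.NoSuchEntityException:
        iam.create_role(RoleName=role_name,
                        AssumeRolePolicyDocument=json.dumps(trust))
        plan["Created"] = True
    # Inline policy name is a placeholder chosen for this example.
    iam.put_role_policy(RoleName=role_name, PolicyName="AmplifyDomainScoped",
                        PolicyDocument=json.dumps(perms))
    return plan


if __name__ == "__main__":
    # Constructed input: the error text quoted in this issue.
    err = "The role with name AWSAmplifyDomainRole-Z073737928BZTN2WA6J6L cannot be found."
    print(json.dumps(apply_role(role_name_from_error(err), ["Z0EXAMPLE"]), indent=2))
```

Run it with the default dry_run=True first and compare the returned documents with whatever role already exists in the IAM console before creating anything. The ACM statement and ListHostedZones/GetChange are left at "*" because the certificate ARN does not exist before the request and those two Route 53 calls are not tied to one zone; ChangeResourceRecordSets and ListResourceRecordSets are where scoping to the hosted zone pays off, since that is the permission that can rewrite records for any domain in the account under AmazonRoute53FullAccess.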
When I registered my domain through Route 53, I received two emails:
A Success Email confirming the domain registration.
A Verification Email (required by ICANN) with a link to confirm my contact email address, stating that the domain would be suspended if not verified within 15 days.
I only saw the first email and missed the second. Crucially, if the domain is not verified, Amplify cannot fully configure its custom domain resources (like issuing the SSL certificate and managing CloudFront), which leads to the missing AWSAmplifyDomainRole error.