AWS Permissions for Cross-Account DNS Association

Summary: I've got permissions issues associating a private DNS Hosted Zone across accounts in the same AWS region

I have two AWS accounts, and in each I've created a VPC and servers etc. The first account (11112222) provides some services from a private subnet, with a private DNS Hosted Zone etc.

I'd like to provide DNS lookups of the services on my private subnet to my second account (22223333) which has a 'project' VPC and servers in it. I have created a Peering Connection from the project to the services VPC, and have accepted it on the services VPC side, setup routes, etc.

For DNS, I have created an Association Authorisation by running this command:

aws route53 create-vpc-association-authorization --hosted-zone-id Z333AEF1GGC --vpc VPCRegion=eu-west-1,VPCId=vpc-012345678


I can verify that it's done something with the list-vpc-association-authorizations.

Over on the 'services' VPC, I'm struggling to 'accept' the association. I'm running:

aws route53 associate-vpc-with-hosted-zone --hosted-zone-id Z333AEF1GGC --vpc VPCRegion=eu-west-1,VPCId=vpc-abcdef01234


However, this says:

An error occurred (AccessDenied) when calling the AssociateVPCWithHostedZone operation: User: arn:aws:sts::22223333:assumed-role/devops/ralph is not authorized to perform: route53:AssociateVPCWithHostedZone on resource: arn:aws:route53:::hostedzone/Z333AEF1GGC


Obviously I did a load of googling and found https://forums.aws.amazon.com/thread.jspa?threadID=243780 which says I also need ec2:DescribeVPCs. Our account permissions are fairly simple, in so much as my assumed role has "Allow *" on it (and just a few Denies for some IAM operations). I've tried to explicitly add in the two permissions, with and without specifically naming the hosted zone ARN. Nothing seems to work though.

I feel like I must be missing something pretty obvious here – any ideas what it might be? Is there a better way to achieve what I'm trying to do?

Additional Information (due to comments)

• We use 2FA for all our user accounts, and then 'assume' a role to perform any actions on our accounts (assuming a role requires 2FA authentication). There are no technical requirements to use 2FA though. Our individual user accounts have almost no permissions to do anything directly.