Tags: amazon-web-services, aws-cdk, amazon-route53

Provide cross account delegation from Route53


I have an AWS account holding my Route53 parent zone (example.com) and am trying to create the subdomains beta.example.com and prod.example.com. After reading the documents, I realized that I would need to create a CrossAccountDelegationRole in each of my subdomain accounts. To do this, I added the following:

//CDK Package for Parent Domain:
import { Role, CompositePrincipal, AccountPrincipal } from 'aws-cdk-lib/aws-iam';

// Role that the subdomain accounts assume. It has a trust policy only;
// no permissions policy is attached to it here.
this.crossDelegationRole = new Role(this, 'CrossAccountRole', {
    // The role name must be predictable
    roleName: 'MyDelegationRole',
    // The other accounts
    assumedBy: new CompositePrincipal(
        new AccountPrincipal('Account A#'),
        new AccountPrincipal('Account B#'),
    ),
});

//CDK Package for Subdomain accounts:
import { Stack } from 'aws-cdk-lib';
import { Role } from 'aws-cdk-lib/aws-iam';
import { CrossAccountZoneDelegationRecord } from 'aws-cdk-lib/aws-route53';

// Build the ARN of the role that lives in the parent account
const delegationRoleArn = Stack.of(this).formatArn({
    region: '', // IAM is global in each partition
    service: 'iam',
    account: 'Parent Account #',
    resource: 'role',
    resourceName: 'MyDelegationRole',
});
const delegationRole = Role.fromRoleArn(this, 'DelegationRole', delegationRoleArn);

// create the record
new CrossAccountZoneDelegationRecord(this, 'delegate', {
    delegatedZone: this.hostedZone,
    parentHostedZoneName: 'example.com', // or you can use parentHostedZoneId
    delegationRole,
});

After deploying this to CloudFormation, I get an error saying:

Received response status [FAILED] from custom resource. Message returned: AccessDenied: User: arn:aws:sts::ParentAccount#:assumed-role/MyDelegationRole/cross-account-zone-delegation-1675020358038 is not authorized to perform: route53:ListHostedZonesByName because no identity-based policy allows the route53:ListHostedZonesByName action at Request.extractError (/var/runtime/node_modules/aws-

Is there something I am missing on this?

Update 1: I think this is because, although I am creating the role, I am not giving it any permissions. I need to provide some permissions to the crossDelegationRole. I'm unsure how I can give it permissions to my hostedZone (which isn't a PublicHostedZone but just a HostedZone, so I can't call parentZone.grantDelegation(crossAccountRole)).


Solution

  • Cross-account zone delegation is not possible with private hosted zones. That's why only the PublicHostedZone construct has the grantDelegation method, which is what you're missing.
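To make the answer concrete, here is an added example (not code from the question or the answer). It writes out the identity-based policy the delegation role needs and runs a small, simplified IAM matcher over the two Route53 calls the custom resource makes, so the AccessDenied in the question reproduces against an empty policy and disappears with the delegation policy. The account and hosted-zone ids are constructed placeholders, and the policy shape is my reading of what `PublicHostedZone.grantDelegation()` attaches in aws-cdk-lib (confirm it against the synthesized template for your CDK version).

```typescript
// Added example, not code from the question or the answer. Models the
// identity-based policy a cross-account delegation role needs and checks
// Route53 requests against it with a simplified IAM evaluation.
// Hosted zone id and account ids are constructed placeholders.

type ConditionBlock = Record<string, Record<string, string[]>>;

interface Statement {
  Effect: 'Allow' | 'Deny';
  Action: string[];
  Resource: string[];
  Condition?: ConditionBlock;
}

interface Request {
  action: string;
  resource: string;
  // Request context keys, e.g. route53:ChangeResourceRecordSetsRecordTypes
  context?: Record<string, string[]>;
}

// The policy the role in the question was missing. Assumption: this matches
// what PublicHostedZone.grantDelegation() attaches; verify in your template.
function delegationPolicy(parentZoneId: string): Statement[] {
  return [
    {
      Effect: 'Allow',
      Action: ['route53:ListHostedZonesByName'],
      Resource: ['*'], // this action has no resource-level permissions
    },
    {
      Effect: 'Allow',
      Action: ['route53:ChangeResourceRecordSets'],
      // Hosted zone ARNs carry neither region nor account id.
      Resource: [`arn:aws:route53:::hostedzone/${parentZoneId}`],
      // Only NS records may be written, so the subdomain accounts cannot
      // change anything else in the parent zone.
      Condition: {
        'ForAllValues:StringEquals': {
          'route53:ChangeResourceRecordSetsRecordTypes': ['NS'],
          'route53:ChangeResourceRecordSetsActions': ['UPSERT', 'DELETE'],
        },
      },
    },
  ];
}

// IAM-style glob: '*' matches any run of characters, everything else is literal.
function globMatch(pattern: string, value: string): boolean {
  const re = pattern
    .split('*')
    .map(p => p.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(`^${re}$`).test(value);
}

// ForAllValues:StringEquals: every value the request carries for the key must
// be in the allowed set; a key absent from the request matches (IAM semantics).
function conditionHolds(cond: ConditionBlock | undefined, ctx: Record<string, string[]>): boolean {
  if (!cond) return true;
  for (const [op, keys] of Object.entries(cond)) {
    if (op !== 'ForAllValues:StringEquals') throw new Error(`unsupported operator ${op}`);
    for (const [key, allowed] of Object.entries(keys)) {
      const present = key in ctx ? ctx[key] : [];
      if (!present.every(v => allowed.includes(v))) return false;
    }
  }
  return true;
}

// Simplified evaluation: explicit Deny wins, then any matching Allow, else implicit deny.
function isAllowed(policy: Statement[], req: Request): boolean {
  const ctx = req.context ?? {};
  const matching = policy.filter(s =>
    s.Action.some(a => globMatch(a, req.action)) &&
    s.Resource.some(r => globMatch(r, req.resource)) &&
    conditionHolds(s.Condition, ctx));
  if (matching.some(s => s.Effect === 'Deny')) return false;
  return matching.some(s => s.Effect === 'Allow');
}

// Replays the two calls the cross-account-zone-delegation custom resource makes.
function delegationWouldSucceed(policy: Statement[], parentZoneId: string): boolean {
  const list: Request = { action: 'route53:ListHostedZonesByName', resource: '*' };
  const upsertNs: Request = {
    action: 'route53:ChangeResourceRecordSets',
    resource: `arn:aws:route53:::hostedzone/${parentZoneId}`,
    context: {
      'route53:ChangeResourceRecordSetsRecordTypes': ['NS'],
      'route53:ChangeResourceRecordSetsActions': ['UPSERT'],
    },
  };
  return isAllowed(policy, list) && isAllowed(policy, upsertNs);
}

const PARENT_ZONE_ID = 'Z0000000000EXAMPLE'; // constructed placeholder
console.log('role with no policy, as in the question:', delegationWouldSucceed([], PARENT_ZONE_ID));
console.log('role with delegation policy:', delegationWouldSucceed(delegationPolicy(PARENT_ZONE_ID), PARENT_ZONE_ID));
```

In the CDK itself you do not write this policy by hand: the parent stack declares the zone as `new PublicHostedZone(this, 'Zone', { zoneName: 'example.com' })` and calls `zone.grantDelegation(this.crossDelegationRole)`, which attaches statements of this shape to the role. The condition keys are what keep the grant narrow; without them, an assumed role in a subdomain account could rewrite any record in the parent zone.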