
(aws-certificatemanager): Cannot pass role to ACM DnsValidatedCertificate #12657

ethanbradley opened this issue Jan 22, 2021 · 6 comments

Comments

@ethanbradley
Contributor

ethanbradley commented Jan 22, 2021

❓ General Issue

The Question

Why is the CertificateRequestorFunction failing due to "Cross-account pass role is not allowed"?

I'm getting a role by ARN (from another account with the hosted zone) and passing it to ACM DnsValidatedCertificate as the customResourceRole. The CertificateRequestorFunction fails due to "Cross-account pass role is not allowed".

The role's trust policy is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Here's a snippet of the stack code:

import * as acm from '@aws-cdk/aws-certificatemanager';
import * as iam from '@aws-cdk/aws-iam';

// Update Hosted Zone Role (lives in the account that owns the hosted zone)
const hostedZoneRoleArn = 'arn:aws:iam::123456789012:role/UpdateHostedZoneRole';
const hostedZoneRole = iam.Role.fromRoleArn(this, 'UpdateHostedZoneRole', hostedZoneRoleArn, {
  mutable: true,
});

// ACM Certificate; hostedZone is the zone object defined elsewhere in the stack
const certificate = new acm.DnsValidatedCertificate(this, 'Certificate', {
  domainName: 'domainname.com',
  hostedZone: hostedZone,
  region: 'us-east-1',
  customResourceRole: hostedZoneRole
});

Why is the CertificateRequestorFunction failing due to "Cross-account pass role is not allowed"?

Environment

  • CDK CLI Version: 1.85.0
  • Module Version: 1.85.0
  • Node.js Version: 12.18.3 & 14.15.1
  • OS: Windows 10 20H2 & Ubuntu 18.04.5
  • Language (Version): TypeScript 3.9.7

Other information

Stack trace:
0/15 | 1:58:59 AM | CREATE_FAILED | AWS::Lambda::Function | ***Certificate/CertificateRequestorFunction (***CertificateCertificateRequestorFunctionAA2C865E) Cross-account pass role is not allowed. (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: ***; Proxy: null)

@ethanbradley ethanbradley added guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Jan 22, 2021
@github-actions github-actions bot added the @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager label Jan 22, 2021
@ethanbradley ethanbradley reopened this Jan 22, 2021
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@lober-io

lober-io commented Jan 22, 2021

The problem is that what you define there is the Lambda execution role, and this can't be a cross-account role (https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/).

I have the same need (creating the DNS record in a different account). Does anybody have a solution?

@ethanbradley
Contributor Author

I haven't seen any solutions for this, and I have searched and searched. It seems to me like this would be a common pattern - configuring DNS in one hosted zone and then adding/removing records from another account.

Is there a way we could pass in a crossAccountResourceRole and then apply the appropriate policy statements to allow the function to assume the role?

@lober-io

It is a common pattern, but to do so the Lambda needs to support this, and this is currently not the case. IMHO it shouldn't be a big effort to implement it. I will take a look to see if I can create a PR for this.

@njlynch
Contributor

njlynch commented Feb 8, 2021

@lober-io is correct in the cause of the error.

I believe (read: not tested) that one workaround in this scenario is to create a Role in the account where the certificate will be created, and grant it access to modify the hosted zone in the other account. Essentially, flip the above around so the role is in the certificate stack, rather than the zone stack.

I consider this a duplicate of #8934, which is the general feature request to make the DnsValidatedCertificate support multiple accounts and hosted zones. I'm going to close this out as a dupe; feel free to 👍 and discuss there. @lober-io, if you want to take a stab at the implementation, feel free to hit me up for early-stage feedback.

@njlynch njlynch closed this as completed Feb 8, 2021
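As an added example, not code from this issue or from aws-cdk: a small self-contained TypeScript model of the IAM pieces discussed in the thread. passRoleIsCrossAccount reproduces the condition behind the CREATE_FAILED above (the execution role handed to the function lives in a different account than the function), and the policy builders spell out the "flipped" layout njlynch describes: an execution role in the certificate account, a role in the zone account that trusts only that role, and Route 53 permissions scoped to one hosted zone. Account IDs, role names and the zone ID are constructed; whether the CertificateRequestorFunction at this CDK version actually performs the second AssumeRole hop is exactly what lober-io says is not yet supported.

```typescript
// Added example, not CDK code. All account IDs, role names and zone IDs are constructed.
interface Arn { partition: string; service: string; account: string; resource: string; }

// Parse an IAM role ARN such as arn:aws:iam::123456789012:role/Name.
function parseArn(arn: string): Arn {
  const p = arn.split(":");
  if (p.length < 6 || p[0] !== "arn") throw new Error(`not an ARN: ${arn}`);
  return { partition: p[1], service: p[2], account: p[4], resource: p.slice(5).join(":") };
}

// Lambda rejects iam:PassRole when the execution role is owned by another account.
// This is the "Cross-account pass role is not allowed" condition from the stack trace.
function passRoleIsCrossAccount(functionAccount: string, executionRoleArn: string): boolean {
  return parseArn(executionRoleArn).account !== functionAccount;
}

// Trust policy for the execution role; it must live in the certificate (function) account.
function lambdaTrustPolicy() {
  return { Version: "2012-10-17", Statement: [{ Effect: "Allow",
    Principal: { Service: "lambda.amazonaws.com" }, Action: "sts:AssumeRole" }] };
}

// Permission statement the execution role needs in order to hop into the zone account.
function assumeZoneRoleStatement(zoneRoleArn: string) {
  return { Effect: "Allow", Action: "sts:AssumeRole", Resource: zoneRoleArn };
}

// Trust policy on the zone-account role: only the certificate-account role may assume it.
function zoneRoleTrustPolicy(certRoleArn: string) {
  return { Version: "2012-10-17", Statement: [{ Effect: "Allow",
    Principal: { AWS: certRoleArn }, Action: "sts:AssumeRole" }] };
}

// Least-privilege permissions for the zone role: record changes on one hosted zone only,
// plus GetChange so the caller can wait for the validation record to become INSYNC.
function zoneRolePermissions(hostedZoneId: string) {
  return { Version: "2012-10-17", Statement: [
    { Effect: "Allow", Action: "route53:ChangeResourceRecordSets",
      Resource: `arn:aws:route53:::hostedzone/${hostedZoneId}` },
    { Effect: "Allow", Action: "route53:GetChange", Resource: "arn:aws:route53:::change/*" },
  ] };
}

// Constructed walkthrough: the original layout fails, the flipped layout passes the check.
const certAccount = "111111111111";
const zoneRoleArn = "arn:aws:iam::123456789012:role/UpdateHostedZoneRole";
const certRoleArn = `arn:aws:iam::${certAccount}:role/CertificateRequestorRole`;
console.log(passRoleIsCrossAccount(certAccount, zoneRoleArn)); // true: the failing case
console.log(passRoleIsCrossAccount(certAccount, certRoleArn)); // false: role in own account
console.log(JSON.stringify(zoneRoleTrustPolicy(certRoleArn)), JSON.stringify(zoneRolePermissions("Z0000000CONSTRUCTED")));
```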
