(aws-cdk-lib/aws-certificatemanager): Support cross-account CertificateValidation

[cayman-amzn]

Describe the feature

After CDK moved from the custom-lambda function to the R53 Cfn L1 constructs for RecordChangeSets, we've lost the ability to support cross-account Hosted Zones.

Ideally, I should be able to attach a policy to my HostedZone which grants permissions to the other account

Use Case

Example construct:

import {
  Certificate,
  CertificateValidation,
} from "aws-cdk-lib/aws-certificatemanager";

...

// Created in Account B
new Certificate(
  this,
  "bar.foo.com",
  {
    domainName: "bar.foo.com",
    validation: CertificateValidation.fromDnsMultiZone({
      "bar.foo.com": this.hostedZoneId,
      "foo.com": "Z111444", // Zone ID from Account A
    }),
    subjectAlternativeNames: [ "foo.com" ],
  }
);
...

Error from Cloudformation:

API: certificatemanager:changeResourceRecordSets User: arn:aws:sts::999999999999:assumed-role/MyCoolExecutionRole/AWSCloudFormation is not authorized to access this resource

Proposed Solution

in absence of the HostedZone resource policy, I propose we support an optional, custom IAM Role input on the CertificateValidation.fromDNS* methods. If provided, the construct would create a CustomResoruce using that provided IAM Role.

For my particular use case, this means the Custom Resource in account B would assume the Delegation Role I've created in Account A.

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.95.0

Environment details (OS name and version, etc.)

Amazon Linux release 2 (Karoo) / 5.4.254

[peterwoodworth]

Is a custom resource actually required to do this cross-region? Have you tried granting this cloudformation execution role access to deploy into other environments?

[cayman-amzn]

The Cfn execution role currently has this policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

[peterwoodworth]

Yeah i see the blocker here. The request makes sense, thanks for the issue 🙂

[themnd]

me too have the same problem, error is very similar:

certificatemanager:changeResourceRecordSets User: arn:aws:sts::xxxxxx:assumed-role/cfn-exec-role/AWSCloudFormation is not authorized to access this resource

[guysqr]

I also encountered this today. Target account has been bootstrapped with

cdk bootstrap aws://123456789012/us-east-1 --trust 234567891011 --trust-for-lookup 234567891011 --cloudformation-execution-policies "arn:aws:iam::aws:policy/IAMFullAccess,arn:aws:iam::aws:policy/PowerUserAccess,arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess,arn:aws:iam::aws:policy/AmazonRoute53FullAccess"

Error:

8:20:18 AM | UPDATE_FAILED        | AWS::CertificateManager::Certificate            | WebCertificate760B17F3
API: certificatemanager:changeResourceRecordSets User: arn:aws:sts::123456789012:assumed-role/cdk-hnb659fds-cfn-exec-role-234567891011-us-east-1/AWSCloudFormation is not authorized to access this resource

This is a sIgnificant problem if it blocks all cross-account deployments that need to create ACM certs that rely on Route53 records to be created, which I expect is not an unusual thing to want to do...

[marcelinhov2]

how did you guys bypassed it?

[mobob]

how did you guys bypassed it?

I'm just doing manual/email verification, and not domain verification; not a solution at all really as this is very cumbersome, but for my use case its not terrible to wait for the verification emails when new certs are needed.

[marcelinhov2]

I'm doing domain verification with a lambda custom resource using the secrets from the root account. it worked for what I needed, but I hated it. I wanted to assumeRole instead.