
[certificate-manager] The certificate provided must be owned by the account creating the domain #9608

Closed
mainframenzo opened this issue Aug 11, 2020 · 3 comments
Assignees
Labels
@aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager @aws-cdk/pipelines CDK Pipelines library bug This issue is a bug. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@mainframenzo

mainframenzo commented Aug 11, 2020

I am running into this issue the first time a pipeline stage tries to deploy a stack in us-west-2 using both the 1.56 and 1.57 releases: The certificate provided must be owned by the account creating the domain. I have tried using a newly created cert (shown below) and a manually created and validated cert (in us-east-1) with an ARN reference...both to no avail.

    import * as path from 'path';
    import * as lambda from '@aws-cdk/aws-lambda';
    import * as apigateway from '@aws-cdk/aws-apigateway';
    import * as route53 from '@aws-cdk/aws-route53';
    import * as certificateManager from '@aws-cdk/aws-certificatemanager';

    // inside the Stack constructor
    const proxyLambda = new lambda.Function(this, 'LambdaAPIProxy', {
      code: lambda.Code.fromAsset(path.resolve(__dirname, '../../web_src/api')),
      handler: 'handler.index',
      runtime: lambda.Runtime.NODEJS_12_X
    });

    const api = new apigateway.LambdaRestApi(this, 'APIGateway', {
      description: 'API',
      handler: proxyLambda
    });

    // manually created hosted zone
    const hostedZone = route53.HostedZone.fromLookup(this, 'Zone', {
      domainName: 'domain.com'
    });

    // wildcard cert issued in us-east-1 (where EDGE API Gateway certs must live)
    const certificate = new certificateManager.DnsValidatedCertificate(this, 'DomainWildcardCertificate', {
      domainName: '*.domain.com',
      hostedZone: hostedZone,
      region: 'us-east-1'
    });

    // this is where the failure happens!
    const apiDomainName = api.addDomainName('CustomAPIDomainName', {
      domainName: 'api.domain.com',
      certificate: certificate,
      endpointType: apigateway.EndpointType.EDGE
    });

Does my issue have something to do with the API Gateway type, or that CloudFormation needs some sort of permission that the CDK isn't creating for me?

Originally posted by @mainframenzo in #9548 (comment)

@SomayaB SomayaB changed the title The certificate provided must be owned by the account creating the domain [certificate-manager] The certificate provided must be owned by the account creating the domain Aug 11, 2020
@SomayaB SomayaB added the bug This issue is a bug. label Aug 11, 2020
@github-actions github-actions bot added the @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager label Aug 11, 2020
@SomayaB SomayaB added @aws-cdk/pipelines CDK Pipelines library @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager needs-triage This issue or PR still needs to be triaged. and removed @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager labels Aug 11, 2020
@njlynch
Contributor

njlynch commented Aug 12, 2020

Thanks for the issue report, @mainframenzo .

I haven't been able to reproduce this behavior, either with the above as a stand-alone stack or as part of a CDK pipeline. The only thing I can think about might be a permissions issue somewhere; you may receive that error if the account doesn't have permissions to describe the certificate in the account. When you ran cdk bootstrap for the stage environment, did you use arn:aws:iam::aws:policy/AdministratorAccess as the CloudFormation execution policy, or something more restricted?

Is the account that owns the pipeline and the account for the first stage (where this fails) the same, or do you have multiple accounts throughout the pipeline? That shouldn't matter, but just trying to collect as much information as possible.

@njlynch njlynch added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Aug 12, 2020
@SomayaB SomayaB removed the needs-triage This issue or PR still needs to be triaged. label Aug 12, 2020
@mainframenzo
Author

@njlynch Ah ha! Derp. The issue was that I bootstrapped in only us-west-2. Because the cert needs to be created in us-east-1, I also needed to bootstrap there as well. Note if someone should have the same issue: I had to remove the CDK stack in us-west-2 before bootstrapping in both regions, otherwise I received the same error.

Maybe-not-useful-but-maybe-useful feature ask: if the cdk toolkit is aware of where it's been bootstrapped, throw some sort of warning flag when referencing another region with no permissions? CloudFormation errors are so whack sometimes that debugging them feels like an Indiana Jones plot.

Thanks!

@birtles

birtles commented Feb 15, 2021

I encountered this error in an app which previously only deployed to us-west-2 after I added a stack targeting us-east-1. I naively assumed I could use the same certificate for both.

The docs correctly indicate that certificates for regional API gateways need to be issued in the same region, but this error seemed to suggest there was a problem with the account, not the region, and hence I spent a good few hours deleting stacks and redeploying everything before I realized the error message was wrong.
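The resolution above (the stage region and the certificate's region both need to be bootstrapped, and the error text points at the account rather than the missing region) and the regional-vs-edge distinction in the last comment can be turned into a pre-deploy check. The script below is an added example, not part of the aws-cdk project or of any comment in this thread. It assumes the default bootstrap stack name CDKToolkit (overridable via the CDK_TOOLKIT_STACK variable, a name chosen for this example), the AWS CLI with credentials for the target account, and that EDGE endpoints need the certificate in us-east-1 while REGIONAL endpoints need it in the stack's own region. Only the pure helper required_regions runs offline; is_bootstrapped and check_bootstrap call the AWS CLI.

```shell
#!/usr/bin/env bash
# Added example (not from the aws-cdk project): derive which regions must be
# bootstrapped for a stack that attaches an ACM certificate to an API Gateway
# custom domain, then verify the CDK bootstrap stack exists in each of them.
set -eu

# Print the regions that need `cdk bootstrap`, one per line, for a stack in
# $1 using API Gateway endpoint type $2.
#   EDGE     -> the certificate must live in us-east-1, so us-east-1 must be
#               bootstrapped in addition to the stack region
#   REGIONAL -> the certificate lives in the stack region; nothing extra
required_regions() {
  stack_region="$1"; endpoint_type="$2"
  case "$endpoint_type" in
    EDGE)     printf '%s\n' "$stack_region" us-east-1 | sort -u ;;
    REGIONAL) printf '%s\n' "$stack_region" ;;
    *) echo "unknown endpoint type: $endpoint_type" >&2; return 1 ;;
  esac
}

# Succeeds if the bootstrap stack exists in region $1. Needs AWS credentials;
# stack name defaults to CDKToolkit (CDK_TOOLKIT_STACK is this example's knob).
is_bootstrapped() {
  aws cloudformation describe-stacks \
    --stack-name "${CDK_TOOLKIT_STACK:-CDKToolkit}" \
    --region "$1" >/dev/null 2>&1
}

# Check every required region for account $1, stack region $2, endpoint type $3.
# Prints the bootstrap command for any region that is missing and returns 1.
check_bootstrap() {
  account="$1"; missing=""
  for r in $(required_regions "$2" "$3"); do
    if is_bootstrapped "$r"; then
      echo "ok: $r is bootstrapped"
    else
      echo "MISSING: no bootstrap stack in $r (deploys there will fail with" \
           "a misleading CloudFormation error)" >&2
      missing="$missing aws://$account/$r"
    fi
  done
  if [ -n "$missing" ]; then
    # Pick an execution policy narrower than AdministratorAccess where you can.
    echo "run: cdk bootstrap$missing --cloudformation-execution-policies <policy-arn>" >&2
    return 1
  fi
}

# Usage (requires credentials): check_bootstrap 123456789012 us-west-2 EDGE
```

Running check_bootstrap before the first pipeline deploy surfaces the missing region directly, which is the warning the feature ask above describes; the execution-policy ARN is left as a placeholder because it depends on how restricted you want the deploy role to be.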

4 participants