How do I associate a Route 53 private hosted zone with a VPC on a different AWS account?

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent version of the AWS CLI.

To associate a Route 53 private hosted zone in one AWS account (Account A) with a VPC that belongs to another AWS account (Account B) or Region, follow these steps using the AWS CLI.

Note: You can also use the AWS SDK or Route 53 API for this procedure.

1.    Connect to an Amazon Elastic Compute Cloud (Amazon EC2) instance in Account A.

2.    Run the following command to update the AWS CLI version. Be sure that the AWS CLI is configured to use the credentials of an AWS Identity and Access Management (IAM) user that has Route 53 access.

pip3 install awscli --upgrade --user

3.    Run the following command to list the available hosted zones in Account A. Note the hosted zone ID in Account A that you'll associate with Account B.

aws route53 list-hosted-zones

4.    Run the following command to authorize the association between the private hosted zone in Account A and the VPC in Account B. Use the hosted zone ID from the previous step. Use the Region and ID of the VPC in Account B.

Note: Include "--region" if you're inside any EC2 instance of a different Region or using user's credentials with different Region other than "us-east-1"

aws route53 create-vpc-association-authorization --hosted-zone-id <hosted-zone-id> --vpc VPCRegion=<region>,VPCId=<vpc-id> --region us-east-1

5.    Connect to an Amazon EC2 instance in Account B.

6.    Run the following command to create the association between the private hosted zone in Account A and the VPC in Account B. Use the hosted zone ID from step 3. Use the Region and ID of the VPC in Account B.

Note: Be sure to use an IAM user or role that has AssociateVPCWithHostedZone and DescribeVpcs API permissions to run the following CLI command in Account B.

aws route53 associate-vpc-with-hosted-zone --hosted-zone-id <hosted-zone-id> --vpc VPCRegion=<region>,VPCId=<vpc-id> --region us-east-1

7.    It's a best practice to delete the association authorization after the association is created. This step prevents you from recreating the same association later. To delete the authorization, reconnect to an Amazon EC2 instance in Account A. Then, run the following command:

aws route53 delete-vpc-association-authorization --hosted-zone-id <hosted-zone-id>  --vpc VPCRegion=<region>,VPCId=<vpc-id> --region us-east-1

Amazon EC2 instances in the VPC from Account B can now resolve records in the private hosted zone in Account A.

Related information

Working with private hosted zones