AWS CDK make Route53 records in another account
I am working with two AWS accounts. One is the root account, which contains the primary Route53 hosted zone domain.com. The other account is the production account, and it runs our production environment, which is deployed using CDK. It contains a delegated hosted zone with the domain prod.domain.com. There is also an Amplify application running on the production account, available at app.prod.domain.com.
The goal is to make the production application available via app.domain.com, as it is more user-friendly. However, I have been unable to find a method that will allow me to create records in the root account hosted zone from the production account. Is there any method to do this automatically?
I am aware that I can manually enter the records in the root account, but I would rather have an automated solution, as this would reduce the chance of errors and make the entire infrastructure clear to other maintainers.
I have already tried to make a delegated hosted zone with the domain name domain.com in the production account, but that does not work.
What type of principal was used to create the zone(s)? Depending on whether you used the root account credentials or an IAM user/role, the behavior/ownership is slightly different. Have you created the appropriate roles in each account to be used for resource creation? The documentation on resource permissions and using IAM roles is a good place to start.
Route53 only supports identity-based IAM policies, so you'll need to create the appropriate permissions policy and attach it to the principal(s) you're using. There's an example there specifically for delegating CreateHostedZone that is likely a good start.
I found a solution. The delegated zone creation was already working, so I just created a dedicated hosted zone for app.domain.com. This has the added benefit of allowing Amplify to create certificates. Hosted zones aren't free, but given that this is only a single subdomain, the costs are insignificant.