By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

AWS CDK make Route53 records in another account

0

I am working with 2 AWS accounts, one is the root account which contains the primary Route53 hosted zone domain.com. The other account is the production account, and it runs our production environment, which is deployed using CDK. It contains a delegated hosted zone with the domain prod.domain.com. There is also an amplify application running on the production account available at app.prod.domain.com.

The goal is to make the production application available via app.domain.com as it is more user-friendly. However, I have been unable to find a method that will allow me to create records in the root account hosted zone from the production account. Is there any method to do this automatically?

I am aware that I can manually enter the records in the root account, but I would rather have an automated solution, as this would reduce the chance of errors and make the entire infrastructure clear to other maintainers.

I have already tried to make a delegated hosted zone with the domain name domain.com in the production account, but that does not work.

Topics
Management & GovernanceNetworking & Content Delivery
Tags
AWS CloudFormationAmazon Route 53
Language
English
Bob
asked 2 years ago2480 views
1 Answer
0

What type of principal was used to create the zone(s)? Depending on whether you used the root account credentials or an IAM user/role, the behavior/ownership is slightly different. Have you created the appropriate roles in each account to be used for resource creation? The documentation on resource permissions and using IAM roles is a good place to start.

Route53 only supports identity-based IAM policies, so you'll need to create the appropriate permissions policy and attach it to the principal(s) you're using. There's an example there specifically for delegating CreateHostedZone that is likely a good start.

profile pictureAWS
that_mike
answered 2 years ago
  • Bob
    2 years ago

    I found a solution. The delegated zone creation was already working, so I just created a dedicated hosted zone for the app.domain.com. This has the added benefit of allowing amplify to create certificates. Hosted zones aren't free, but given that this is only a single subdomain, the costs are insignificant.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content