- Newest
- Most votes
- Most comments
Creating acm certificates on the fly using CDK in govcloud is not advisable because the dns validation needs a public hosted zone entry, which govcloud does not have. In addition, the certs quota can hit the environment at the least expected moment. The most straight forward way to do this is:
To create a cert manually in the govcloud account, using dns validation and the linked aws account's public hosted zone/domain. The the cert's arn can be used in CDK without problems.
Hi, did you check that you gov cloud region supports ACM service endpoint ? For the list, see https://docs.aws.amazon.com/general/latest/gr/acm.html
the endpoints are there for both govcloud regions. thanks!
If getting stuck at ACM level is mostly related to its validation. Are you using email or dns to perform validation?
The cert is created by CDK using the hosted zone data. It works in the standard aws cloud. Logic dictates that validations should occur via dns. I can see the validation record in the gov route53. It strikes me a as a DNS problem that I introduced. There are two places that might be the problem (nothing like being away from the keyboard for ideas to pop up) thanks!
Relevant content
- Accepted Answerasked 2 years ago
- asked 3 months ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated a year ago
there are two things that remain foggy to me. How is the roundtripping of the route53 validation in govcloud? These are private hosted zones. Does the validation leave the partition's route53? Does it use the linked standard account to reach out the TLD and then come back to the private hosted zone using the public hosted zone (I have the gov cloud name servers there and nothing else) ?
Can VPCs in govcloud share private hosted zones? or does each vpc require its own hosted zone?