- Newest
- Most votes
- Most comments
The issue you're experiencing with not being able to view and access the shared private hosted zone in Account A, despite seeing the Route 53 shared profile, is likely due to insufficient permissions in Account A. Even when a resource is shared via AWS Resource Access Manager (RAM), the roles and users in the recipient account don't automatically get access to the shared resources.
To resolve this issue, you need to take the following steps:
-
In Account A, the administrator needs to grant specific permissions to the IAM roles and users who need to access the shared private hosted zone.
-
Create an IAM policy in Account A that grants the necessary permissions to view and interact with the shared hosted zone. The policy should include actions like "route53:Get*" and "route53:List*" for the specific resource (the shared hosted zone).
-
Attach this policy to the relevant IAM roles or users in Account A who need to work with the shared hosted zone.
-
Ensure that the VPC in Account A is properly associated with the shared private hosted zone. This association should be done from the account that owns the hosted zone (in this case, the root account).
-
Verify that you are looking in the correct AWS region in the Route 53 console of Account A. AWS RAM is a regional service, so make sure you're in the same region where the hosted zone was shared.
-
If you're still unable to see the hosted zone, try using AWS CLI commands from Account A to list the hosted zones. This can help determine if it's a console visibility issue or an actual access problem.
-
Double-check that the resource share in AWS RAM includes Account A as a principal and that the correct resource (the private hosted zone) is included in the share.
If after following these steps you're still unable to see or access the shared private hosted zone, you may need to contact AWS support for further assistance, as there could be an underlying issue with the sharing process or account configurations.
Remember, sharing Route 53 private hosted zones across accounts can be complex, and it's crucial to ensure all the necessary permissions and associations are correctly set up in both the sharing and receiving accounts.
Sources
Can't see shared resources in the destination account - AWS Resource Access Manager
Route 53 private zone not working with lightsail | AWS re:Post
Troubleshooting issues with AWS RAM - AWS Resource Access Manager
Sharing zones across accounts using RAM doesn’t mean they will NOT appear in the route53 console.
You can associate the zone with a VPC in another account for name resolution but you will not be able to view the zone.
This behaviour is expected
Hi, please have a look at https://www.linkedin.com/pulse/how-share-interface-vpc-endpoints-across-aws-accounts-steve-kinsman/. As it says there:
Note also that associations of PHZs to VPCs in other accounts aren't visible in those other accounts. 20-Jun-20 Edit: They are now! Still not visible through the console, but a couple of days ago a new "ListHostedZonesByVPC" API action was released along with CLI support, e.g.:
aws route53 list-hosted-zones-by-vpc --vpc-id vpc-abcdabcd --vpc-region ap-southeast-2
Thanks for the clarification!
I have a private hosted zone set up in the root account, which I want to use across the entire organization. I also have a VPN configured in the root account, and all accounts in the organization are successfully resolving DNS through it.
The way I’ve been doing it so far is by creating a private hosted zone in each account and then manually adding CNAME records in the root account’s private hosted zone. This setup works fine, but I want to automate it. Specifically, when I create a new environment using Terraform, I want to use the private hosted zone ID from the root account instead of creating a new hosted zone in each new account and manually referencing it in the root account.
Ideally, I’m looking for a way to streamline this process without the need to create and manage separate private hosted zones for each new environment.