Shared Route53 Profiles and Private Hosted Zone association

0

Hello

I have a Route53 Profile shared from my networkHub account with other accounts in my Organization. There is a Private Hosted Zone associated with the Route53 profile on the NetworkHub account. However, when I try to associate a Private Hosted Zone in my spoke account with the shared Route53 profile, I receive the following error:

User: arn:aws:sts::<spoke_account_id>:assumed-role/AWSReservedSSO_AdministratorAccess_10923d30c25f1bd5/<username> is not authorized to perform: route53profiles:AssociateResourceToProfile on resource: arn:aws:route53profiles:eu-central-1:<networkhub_account_id>:profile/<profile_id>

The same user can associate VPC with the same Route53 profile.

Requests recorded by CloudTrail are different for VPC and Hosted Zone:

VPC:

    "requestParameters": {
        "ProfileId": "rp-00000000000",
        "ResourceId": "vpc-000000000000",
        "Name": "vpc-000000000000"
    },

Hosted Zone:

    "requestParameters": {
        "ProfileId": "rp-00000000000",
        "ResourceArn": "arn:aws:route53:::hostedzone/<hosted_zone_id>",
        "Name": "<hosted_zone_id>"
    },

The API reference (https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html) doesn't mention a ResourceId parameter.

asked 2 months ago · 119 views
3 Answers
0

The issue you're experiencing is related to the permissions and ownership of the resources you're trying to associate with the shared Route 53 Profile.

When a Route 53 Profile is shared from one account (in this case, your networkHub account) to other accounts in your organization, the consumers of the shared profile typically have read-only permissions by default. They can associate their own resources (like VPCs) with the shared profile, but they cannot manage or associate resources that belong to other accounts.

In your case, you're able to associate a VPC from your spoke account with the shared Route 53 Profile because the VPC belongs to that account. However, you're encountering an error when trying to associate a Private Hosted Zone because the Private Hosted Zone likely belongs to the networkHub account (where the Route 53 Profile was created), not the spoke account.

The error message indicates that the user in the spoke account doesn't have the necessary permissions to perform the AssociateResourceToProfile action on the Route 53 Profile resource in the networkHub account. This is expected behavior, as the ability to associate resources like Private Hosted Zones is typically reserved for the account that owns the Route 53 Profile.

To resolve this issue, you have a few options:

  1. If the Private Hosted Zone belongs to the networkHub account, you should perform the association from that account, not from the spoke account.

  2. If you need to manage Private Hosted Zones from the spoke accounts, you may need to create and manage these zones within those accounts, rather than trying to associate zones from other accounts.

  3. If it's necessary for spoke accounts to associate Private Hosted Zones owned by other accounts, you would need to grant additional permissions to the spoke accounts. However, this is not a standard use case and may require careful consideration of your security and management needs.

The difference in the CloudTrail logs between VPC and Hosted Zone associations reflects the different types of resources being associated. VPCs use a ResourceId parameter, while Hosted Zones use a ResourceArn parameter, which is consistent with the API documentation you referenced.

In summary, the permissions model for Route 53 Profiles is designed to allow shared access while maintaining clear ownership and control boundaries between accounts. The behavior you're seeing is in line with these design principles.
Sources
Working with shared Route 53 Profiles - Amazon Route 53
Community | AWS Route53 Profile - A Deeper look into Centralized DNS Configuration and Governance Solution

answered 2 months ago
0

Hello, thanks for your answer. However, the Private Hosted Zone which is failing belongs to the spoke account. I'm issuing the AssociateResourceToProfile command on the spoke account. I'm trying to implement this solution: https://intuitive.cloud/blog/achieving-cross-account-dns-resolution-on-aws-using-route-53

answered 2 months ago
0

Hello, I've found the source of my issue and I think there is a bug (or inconsistency) in RAM for the route53profiles:Profile resource.

RAM provides a "Managed permissions library" with the predefined "AWSRAMPermissionRoute53ProfileAllowAssociation" permission.

This permission includes 6 actions:

  • route53profiles:AssociateProfile
  • route53profiles:DisassociateProfile
  • route53profiles:GetProfile
  • route53profiles:ListProfileAssociations
  • route53profiles:ListProfileResourceAssociations
  • route53profiles:ListProfiles

The missing actions are:

  • route53profiles:AssociateResourceToProfile
  • route53profiles:DisassociateResourceFromProfile
  • route53profiles:UpdateProfileResourceAssociation

I've created a custom permission for the route53profiles:Profile resource with the missing actions and I was able to associate a Route53 Private Hosted Zone in the spoke account with the shared Route53 Profile.

However:

With the route53profiles:*ResourceToProfile actions missing from the default AWSRAMPermissionRoute53ProfileAllowAssociation, I was able to AssociateResourceToProfile for a VPC.

How is it possible when route53profiles:AssociateResourceToProfile is missing from AWSRAMPermissionRoute53ProfileAllowAssociation?

BR Tomasz Bres

answered 2 months ago
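Added example (not code from the post, from AWS or from the blog it links): a POSIX shell script that builds the customer managed RAM permission the answer above describes, i.e. the six actions of the AWS-managed AWSRAMPermissionRoute53ProfileAllowAssociation permission plus the three missing route53profiles resource-association actions, and attaches it to the resource share with the AWS CLI. The resource share ARN, the permission name and the temporary file path are assumed placeholders; `aws ram create-permission` and `aws ram associate-resource-share-permission` are real CLI operations. Run with `apply` from the account that owns the share (the networkHub account) to make the change; run without arguments to only print the policy template.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: build a customer managed RAM
# permission for route53profiles:Profile that adds the three actions missing
# from the AWS-managed AWSRAMPermissionRoute53ProfileAllowAssociation
# permission, then attach it to the resource share that shares the Profile.
# Assumed placeholders (not values from the post): PERMISSION_NAME,
# RESOURCE_SHARE_ARN and the temporary template file path.

PERMISSION_NAME="${PERMISSION_NAME:-Route53ProfileAllowResourceAssociation}"
RESOURCE_SHARE_ARN="${RESOURCE_SHARE_ARN:-arn:aws:ram:eu-central-1:<networkhub_account_id>:resource-share/<share_id>}"
TEMPLATE_FILE="${TEMPLATE_FILE:-/tmp/route53profile-permission.json}"

# Actions granted by the AWS-managed permission, as listed in the answer.
managed_actions() {
  printf '%s\n' \
    route53profiles:AssociateProfile \
    route53profiles:DisassociateProfile \
    route53profiles:GetProfile \
    route53profiles:ListProfileAssociations \
    route53profiles:ListProfileResourceAssociations \
    route53profiles:ListProfiles
}

# Actions a spoke account additionally needs to attach its own hosted zone.
resource_association_actions() {
  printf '%s\n' \
    route53profiles:AssociateResourceToProfile \
    route53profiles:DisassociateResourceFromProfile \
    route53profiles:UpdateProfileResourceAssociation
}

# Emit a RAM policy template: a statement without Principal or Resource,
# which RAM fills in from the share and the shared Profile.
build_policy_template() {
  printf '{\n  "Effect": "Allow",\n  "Action": [\n'
  first=1
  for action in $(managed_actions; resource_association_actions); do
    if [ "$first" -eq 1 ]; then first=0; else printf ',\n'; fi
    printf '    "%s"' "$action"
  done
  printf '\n  ]\n}\n'
}

# Number of route53profiles actions in the template (one per line).
count_actions_in_template() {
  build_policy_template | grep -c '"route53profiles:'
}

# Succeeds when the template grants the given action.
template_grants() {
  build_policy_template | grep -q "\"$1\""
}

# Print the current AWS-managed permission so it can be compared with the
# list above before widening anything.
show_managed_permission() {
  aws ram get-permission \
    --permission-arn arn:aws:ram::aws:permission/AWSRAMPermissionRoute53ProfileAllowAssociation \
    --query 'permission.permission' --output text
}

# Create the customer managed permission in the share-owning account and
# replace the AWS-managed permission currently attached to the share.
create_and_attach_permission() {
  build_policy_template > "$TEMPLATE_FILE"
  permission_arn=$(aws ram create-permission \
    --name "$PERMISSION_NAME" \
    --resource-type route53profiles:Profile \
    --policy-template "file://$TEMPLATE_FILE" \
    --query 'permission.arn' --output text)
  aws ram associate-resource-share-permission \
    --resource-share-arn "$RESOURCE_SHARE_ARN" \
    --permission-arn "$permission_arn" \
    --replace
}

if [ "${1:-}" = "apply" ]; then
  show_managed_permission
  create_and_attach_permission
else
  build_policy_template
fi
```

The widened permission applies to every principal the resource share targets, so each spoke account that receives the Profile can then attach, detach and update resource associations on the hub's shared Profile, not only its own VPCs. Scope the share's principals with that in mind, and keep an eye on CloudTrail `AssociateResourceToProfile` events from consumer accounts, such as the Hosted Zone request quoted in the question, to see which zones are being attached.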
