Closed
Labels: @aws-cdk/aws-route53 (Related to Amazon Route 53), bug (This issue is a bug.), in-progress (This issue is being actively worked on.), p1
Description
What is the problem?
Trying to delegate more than one subzone to zones in other AWS accounts fails.
Reproduction Steps
- Create the parent zones CDK app in parent_zone_account. Change the principal to the sub_zone_account principal, deploy, and get the roleArns from the stack outputs.
```typescript
import * as iam from '@aws-cdk/aws-iam';
import * as route53 from '@aws-cdk/aws-route53';
import { Construct, CfnOutput, Stack, StackProps } from '@aws-cdk/core';

export class ParentZonesStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    // Account that is allowed to assume the delegation roles (the sub_zone_account)
    const crossAccountZoneDelegationPrincipal = new iam.AccountPrincipal('111111111111');

    const parentZone1 = new route53.PublicHostedZone(this, 'HostedZone1', {
      zoneName: 'domain1.com',
      crossAccountZoneDelegationPrincipal,
    });
    const parentZone2 = new route53.PublicHostedZone(this, 'HostedZone2', {
      zoneName: 'domain2.com',
      crossAccountZoneDelegationPrincipal,
    });

    // Export the delegation role ARNs so the sub-zone stack can reference them
    new CfnOutput(this, 'zone1RoleArn', { value: parentZone1.crossAccountZoneDelegationRole?.roleArn || '' });
    new CfnOutput(this, 'zone2RoleArn', { value: parentZone2.crossAccountZoneDelegationRole?.roleArn || '' });
  }
}
```
- Deploy the subzones app in sub_zone_account: update the roleArns and deploy the CDK app.
```typescript
import * as cdk from '@aws-cdk/core';
import * as iam from '@aws-cdk/aws-iam';
import * as route53 from '@aws-cdk/aws-route53';

export class SubZonesStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Role ARNs taken from the ParentZonesStack outputs
    const zone1RoleArn = '<arn1 from stack output>';
    const zone2RoleArn = '<arn2 from stack output>';

    new Zone(this, 'zone1', {
      name: 'domain1.com',
      arn: zone1RoleArn,
    });
    new Zone(this, 'zone2', {
      name: 'domain2.com',
      arn: zone2RoleArn,
    });
  }
}

// Creates sub.<name> and delegates it from the parent zone via the cross-account role
export class Zone extends cdk.Construct {
  public constructor(scope: cdk.Construct, id: string, props: { arn: string, name: string }) {
    super(scope, id);
    const { arn, name } = props;

    const role = iam.Role.fromRoleArn(this, `role${name}`, arn);
    const subZone = new route53.PublicHostedZone(this, `zone${name}`, {
      zoneName: `sub.${name}`,
    });
    new route53.CrossAccountZoneDelegationRecord(this, `delegate${name}`, {
      delegatedZone: subZone,
      parentHostedZoneName: name,
      delegationRole: role,
    });
  }
}
```
What did you expect to happen?
I expected both delegation NS records to be created in both parent zones.
What actually happened?
The subZone stack failed with an Access denied error:
```text
6:39:34 PM | CREATE_FAILED | Custom::CrossAccountZoneDelegation | zone2/delegatedoma...omResource/Default
Received response status [FAILED] from custom resource. Message returned: AccessDenied: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/SubZonesStack-CustomCrossAccountZoneDelegationCust-TL4005A93THW/SubZonesStack-CustomCrossAccountZoneDelegationCust-aHcKaNjM2AZe is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXXX:role/ParentZonesStack-HostedZone2CrossAccountZoneDelega-HKID8J9JJRWB
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18) (RequestId: a470258f-86af-4521-ac52-8ca4fc610846)
```
CDK CLI Version
1.134.0 (build dd5e12d)
Framework Version
1.134.0
Node.js Version
v14.18.1
OS
linux
Language
Typescript
Language Version
No response
Other information
No response
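The AccessDenied above means the custom resource provider's execution role may assume the first parent zone's delegation role but not the second. The following is an added pre-deploy check, not code from the reporter or the CDK project: it scans a synthesized template (the JSON `cdk synth` writes to cdk.out) and lists every delegation role ARN that no `sts:AssumeRole` Allow statement in the stack's IAM roles covers. It assumes the custom resource carries the role ARN in an `AssumeRoleArn` property, and the template at the bottom is a constructed sample with made-up ARNs.

```typescript
// Added check (not CDK project code): scan a `cdk synth` template and list every
// delegation role ARN that no sts:AssumeRole Allow statement in the stack's IAM roles
// covers. Assumes the custom resource keeps the role ARN in an `AssumeRoleArn`
// property; the sample template at the bottom is constructed, not real synth output.
type Resource = { Type: string; Properties?: any };
type Template = { Resources: Record<string, Resource> };
// IAM Action/Resource fields may be a string or a list; normalise to string[].
function asList(v: unknown): string[] {
  const arr: unknown[] = Array.isArray(v) ? v : [v];
  return arr.filter((x): x is string => typeof x === 'string');
}
// ARNs that the Custom::CrossAccountZoneDelegation resources will try to assume.
function delegationRoleArns(t: Template): string[] {
  return Object.values(t.Resources)
    .filter(r => r.Type === 'Custom::CrossAccountZoneDelegation')
    .map(r => r.Properties?.AssumeRoleArn)
    .filter((a): a is string => typeof a === 'string');
}
// Resource entries of every Allow statement granting sts:AssumeRole in inline role policies.
function assumableArns(t: Template): string[] {
  const out: string[] = [];
  for (const r of Object.values(t.Resources)) {
    if (r.Type !== 'AWS::IAM::Role') continue;
    for (const p of r.Properties?.Policies ?? []) {
      for (const s of p.PolicyDocument?.Statement ?? []) {
        if (s.Effect === 'Allow' && asList(s.Action).includes('sts:AssumeRole')) out.push(...asList(s.Resource));
      }
    }
  }
  return out;
}
// Delegation roles the provider cannot assume, i.e. the ones that fail with AccessDenied
// at deploy time. A literal '*' resource covers everything, so nothing is reported then.
function uncoveredDelegationRoles(t: Template): string[] {
  const allowed = assumableArns(t);
  return allowed.includes('*') ? [] : delegationRoleArns(t).filter(a => !allowed.includes(a));
}
// Constructed sample mirroring the report: two delegation records, but the shared
// provider role only names the first parent zone's delegation role (ARNs are made up).
const arn1 = 'arn:aws:iam::222222222222:role/ParentZonesStack-HostedZone1-Delegation';
const arn2 = 'arn:aws:iam::222222222222:role/ParentZonesStack-HostedZone2-Delegation';
const sampleTemplate: Template = { Resources: {
  ProviderRole: { Type: 'AWS::IAM::Role', Properties: { Policies: [{ PolicyDocument: {
    Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Resource: arn1 }] } }] } },
  Zone1Delegation: { Type: 'Custom::CrossAccountZoneDelegation', Properties: { AssumeRoleArn: arn1 } },
  Zone2Delegation: { Type: 'Custom::CrossAccountZoneDelegation', Properties: { AssumeRoleArn: arn2 } },
} };
console.log('delegation roles the provider cannot assume:', uncoveredDelegationRoles(sampleTemplate)); // → [arn2]
```

Run it against the real template by replacing `sampleTemplate` with `JSON.parse(fs.readFileSync('cdk.out/SubZonesStack.template.json', 'utf8'))`; an empty result means every delegation record has a matching `sts:AssumeRole` grant.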
Samrose-Ahmed