
STS configurability for Route53 dependent actions #3470

Closed
1 of 5 tasks
PhilKershaw opened this issue Jul 29, 2019 · 4 comments
Labels
@aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager @aws-cdk/aws-iam Related to AWS Identity and Access Management effort/large Large work item – several weeks of effort feature-request A feature should be added or improved. p2

Comments

@PhilKershaw

  • I'm submitting a ...

    • 🪲 bug report
    • 🚀 feature request
    • 📚 construct library gap
    • ☎️ security issue or vulnerability => Please see policy
    • ❓ support request => Please see note at the top of this template.
  • What is the current behavior?

From a Control Tower managed estate, attempting to create a DNS Validated ACM Certificate using:

const cert = require('@aws-cdk/aws-certificatemanager');   // imports assumed for CDK 1.2.0 JavaScript, not in the original snippet
const route53 = require('@aws-cdk/aws-route53');
// The zone lives in the management account; the zone ID is a placeholder
const hostedZone = route53.HostedZone.fromHostedZoneAttributes(this, 'Zone',
    { hostedZoneId: '<hosted-zone-id>', zoneName: 'example.com' });
new cert.DnsValidatedCertificate(this, 'certId', {
    domainName: 'example.com',
    hostedZone: hostedZone,
    region: this.region   // validate the certificate in the stack's own region
});

Amongst other things, a role is assumed in order to Upsert DNS records to Route53. This fails with an access error:

Caught error AccessDenied: User: arn:aws:sts::[accountId]:assumed-role/[role name] is not authorized to access this resource. Uploading FAILED message to S3.

This is due to the Hosted Zone residing within the master account whilst attempting to deploy to a separate production account.

Note, custom policies/roles manually added to IAM and an STS policy added to the SSO Permission Set have been added to no avail.

  • What is the expected behavior (or behavior of feature suggested)?

Allowing the attachment of custom policies to the built-in assumed role or allowing overriding of said role.

  • What is the motivation / use case for changing the behaviour or adding this feature?

Use case: As mentioned above, we manage the AWS estate with AWS Control Tower and have separate accounts for different business functions. DNS management happens to be in the management account but we'd need to enable access from other accounts in order to manage DNS records as public facing stacks need.

  • Please tell us about your environment:

    • CDK CLI Version: 1.2.0
    • Module Version: 1.2.0
    • OS: OSX Mojave
    • Language: JavaScript
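As an added example that is not part of this issue or of the aws-cdk project: the two IAM policy documents a cross-account role for ACM DNS validation would need if the hosted zone stays in the management account and the stack runs in a separate workload account, scoped to one hosted zone, plus a small check that flags overbroad statements before such a role is created. The account IDs, hosted zone ID, role name and external ID are constructed placeholders; `route53:ChangeResourceRecordSetsRecordTypes` is a real Route 53 condition key.

```javascript
// Added example (not the aws-cdk project's code): least-privilege policy documents
// for a role in the management account that a workload account may assume to
// write ACM validation records into one hosted zone.
const MANAGEMENT_ACCOUNT = '111111111111'; // constructed: account that owns the hosted zone
const WORKLOAD_ACCOUNT = '222222222222';   // constructed: account that deploys the stack
const HOSTED_ZONE_ID = 'Z0000000EXAMPLE';  // constructed placeholder

// Trust policy: only the workload account may assume the role, and only when the
// caller presents the agreed external ID (keeps unrelated principals in that account out).
function buildTrustPolicy(workloadAccountId, externalId) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { AWS: `arn:aws:iam::${workloadAccountId}:root` },
      Action: 'sts:AssumeRole',
      Condition: { StringEquals: { 'sts:ExternalId': externalId } },
    }],
  };
}

// Permission policy: what a DNS validation needs and nothing more. Record changes are
// limited to one zone ARN and, via the condition key, to CNAME records (the type ACM
// validation writes), so the role cannot rewrite A or NS records even in that zone.
function buildPermissionPolicy(hostedZoneId) {
  const zoneArn = `arn:aws:route53:::hostedzone/${hostedZoneId}`;
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Sid: 'ReadZone',
        Effect: 'Allow',
        Action: ['route53:GetHostedZone', 'route53:ListResourceRecordSets'],
        Resource: zoneArn,
      },
      {
        Sid: 'WriteValidationRecords',
        Effect: 'Allow',
        Action: 'route53:ChangeResourceRecordSets',
        Resource: zoneArn,
        Condition: {
          'ForAllValues:StringEquals': { 'route53:ChangeResourceRecordSetsRecordTypes': ['CNAME'] },
        },
      },
      {
        Sid: 'PollChange',
        Effect: 'Allow',
        Action: 'route53:GetChange',
        Resource: 'arn:aws:route53:::change/*',
      },
    ],
  };
}

// Guard rail: return the Sids of Allow statements that grant a bare "*" resource or a
// wildcard action; such statements would let the assumed role reach every zone.
function findOverbroadStatements(policy) {
  const toList = (v) => (Array.isArray(v) ? v : [v]);
  return policy.Statement
    .filter((s) => s.Effect === 'Allow')
    .filter((s) =>
      toList(s.Resource).some((r) => r === '*') ||
      toList(s.Action).some((a) => a === '*' || a.endsWith(':*')))
    .map((s) => s.Sid || '(no Sid)');
}

// Constructed counter-example: the kind of blanket grant the check should reject.
const OVERBROAD_POLICY = {
  Version: '2012-10-17',
  Statement: [{ Sid: 'AllRoute53', Effect: 'Allow', Action: 'route53:*', Resource: '*' }],
};

// Assemble the role definition (CloudFormation-style shape) for the management account.
function buildValidationRole() {
  const permissions = buildPermissionPolicy(HOSTED_ZONE_ID);
  const problems = findOverbroadStatements(permissions);
  if (problems.length) throw new Error(`overbroad statements: ${problems.join(', ')}`);
  return {
    RoleName: 'AcmDnsValidationRole',            // constructed name
    AssumeRolePolicyDocument: buildTrustPolicy(WORKLOAD_ACCOUNT, 'acm-dns-validation'),
    Policies: [{ PolicyName: 'AcmDnsValidation', PolicyDocument: permissions }],
  };
}

console.log(JSON.stringify(buildValidationRole(), null, 2));
console.log('overbroad in counter-example:', findOverbroadStatements(OVERBROAD_POLICY));
```

The role's ARN in the management account is what the deploying side would then need to assume; `findOverbroadStatements` is run before the role is emitted so that a later edit widening the grant to `Resource: '*'` fails the build instead of silently handing a workload account write access to every zone.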
@PhilKershaw PhilKershaw added the needs-triage This issue or PR still needs to be triaged. label Jul 29, 2019
@NGL321 NGL321 added feature-request A feature should be added or improved. @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager @aws-cdk/aws-iam Related to AWS Identity and Access Management and removed needs-triage This issue or PR still needs to be triaged. labels Jul 29, 2019
@rix0rrr rix0rrr assigned skinny85 and unassigned rix0rrr Jan 23, 2020
@skinny85 skinny85 added the effort/large Large work item – several weeks of effort label Feb 6, 2020
@SomayaB SomayaB assigned njlynch and unassigned skinny85 Jul 10, 2020
@njlynch njlynch added the p2 label Aug 25, 2020
@sachin10101998

+1. The role should be allowed to be overridden.

@TheRealAmazonKendra
Contributor

We are deprecating DnsValidatedCertificate. If you experience this issue in another context, please open a new issue.

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@TheRealAmazonKendra
Contributor

For reference: #21982
