3

Summary: I've got permissions issues associating a private DNS Hosted Zone across accounts in the same AWS region

I have two AWS accounts, and in each I've created a VPC and servers etc. The first account (11112222) provides some services from a private subnet, with a private DNS Hosted Zone etc.

I'd like to provide DNS lookups of the services on my private subnet to my second account (22223333) which has a 'project' VPC and servers in it. I have created a Peering Connection from the project to the services VPC, and have accepted it on the services VPC side, setup routes, etc.

For DNS, I have created an Association Authorisation by running this command: aws route53 create-vpc-association-authorization --hosted-zone-id Z333AEF1GGC --vpc VPCRegion=eu-west-1,VPCId=vpc-012345678

I can verify that it's done something with the list-vpc-association-authorizations.

Over on the 'services' VPC, I'm struggling to 'accept' the association. I'm running: aws route53 associate-vpc-with-hosted-zone --hosted-zone-id Z333AEF1GGC --vpc VPCRegion=eu-west-1,VPCId=vpc-abcdef01234

However, this says: An error occurred (AccessDenied) when calling the AssociateVPCWithHostedZone operation: User: arn:aws:sts::22223333:assumed-role/devops/ralph is not authorized to perform: route53:AssociateVPCWithHostedZone on resource: arn:aws:route53:::hostedzone/Z333AEF1GGC

Obviously I did a load of googling and found https://forums.aws.amazon.com/thread.jspa?threadID=243780 which says I also need ec2:DescribeVPCs. Our account permissions are fairly simple, in so much as my assumed role has "Allow *" on it (and just a few Denies for some IAM operations). I've tried to explicitly add in the two permissions, with and without specifically naming the hosted zone ARN. Nothing seems to work though.

I feel like I must be missing something pretty obvious here - any ideas what it might be? Is there a better way to achieve what I'm trying to do?

Additional Information (due to comments)

  • We use 2FA for all our user accounts, and then 'assume' a role to perform any actions on our accounts (assuming a role requires 2FA authentication). There are no technical requirements to use 2FA though. Our individual user accounts have almost no permissions to do anything directly.
Ralph Bolton
  • 257
  • 3
  • 9
  • Your usage is correct. Have you verified that you use an AWS profile in the account 22223333? Are there additional limitations in place, e.g. the necessity for a MFA enabled session to associate a VPC? This could possible result in this error message. – M. Glatki May 14 '18 at 12:13

2 Answers2

1

I believe that I have made the same mistake as Ralph, but I will endeavor to better explain it.

For both the create-vpc-association-authorization and associate-vpc-with-hosted-zone commands you need to use the same values for --hosted-zone-id [the source zone ID you want to share] and --vpc [the destination VPC].

The only thing that differs should be the credentials.

The thing that I did wrong, that I think is an easy trap to fall in, is assume that the VPC in the source account mattered at all in this. Because it does not.

eg, using account profiles:

aws --profile source_account \
  route53 create-vpc-association-authorization \
  --hosted-zone-id Z00000000000000012345 \
  --vpc VPCRegion=us-west-2,VPCId=vpc-000000000000asdf

aws --profile destination_account \
  route53 associate-vpc-with-hosted-zone \
  --hosted-zone-id Z00000000000000012345 \
  --vpc VPCRegion=us-west-2,VPCId=vpc-000000000000asdf

Where Z00000000000000012345 belongs to source_account, and vpc-000000000000asdf belongs to destination_account.

Think of it as the source account asking "Can I please attach my zone to your VPC?" and the destination answering "Yes, you can attach that zone to my VPC.".

Sammitch
  • 2,111
  • 1
  • 21
  • 35
1

Thanks for your help on this. I think we can put this down to "user error". My mistake was: aws route53 associate-vpc-with-hosted-zone --hosted-zone-id Z333AEF1GGC --vpc VPCRegion=eu-west-1,VPCId=vpc-012345678 ...should have in fact been: aws route53 associate-vpc-with-hosted-zone --hosted-zone-id Z333AEF1GGC --vpc VPCRegion=eu-west-1,VPCId=vpc-abcdef01234

I'd used the HZ-side's VPC ID in the command, where the instructions do indeed say to use the “account B” (ie. the 'remote' side). I'd even managed to anonymise the commands in the question correctly. I feel a bit silly now ;-(

Ralph Bolton
  • 257
  • 3
  • 9
  • Had come across a similar issue, I don't have the 2FA as well, But still unable to create the route association. Tried your command as well, But no hope.. – Manikandan Ram May 26 '22 at 07:06