
I have multiple AWS accounts managed through AWS Organizations. I have a generic account which is used to share resources. In this generic account, I have created a Route53 hosted zone which is related to a domain I purchased through Route53. Let's call this domain mydomain.example.

I want to wire subdomains of this main domain to different ECS services in my test and production account. For example: test.mydomain.example and production.mydomain.example. So far, so good. I've created these domains in the hosted zone in the generic account and pointed them to my load balancer (which does host based routing).

The problem now is TLS. How can I make an ACM certificate for which the validation records are stored in a hosted zone in another account? Cross account IAM seems to be implementation-specific for each AWS service.

markvdlaan93
  • Why don't you just delegate the specific subdomains to Route53 hosted zones in the child accounts? – Mark B Jan 31 '22 at 15:16
  • @MarkB I can only point the main domain to one set of name servers in the domain registry. I thought this influences what I can do with the domain, but that was just an assumption. – markvdlaan93 Jan 31 '22 at 15:25
  • Yeah you can only have one set of name servers on the *root* domain. You can have another set for each subdomain. – Mark B Jan 31 '22 at 15:33
  • https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-routing-traffic-for-subdomains.html – Mark B Jan 31 '22 at 15:46
  • @MarkB How do I do that exactly? Sorry, not that well versed in DNS. Do I need to create a CNAME record for test.mydomain.example pointing to the name servers of the root domain? – markvdlaan93 Jan 31 '22 at 15:47
  • Look at the steps in the documentation I linked above. It walks you through the exact steps. – Mark B Jan 31 '22 at 15:50
  • To which name servers should my subdomain point? How is it possible that this works cross-account without any additional configuration? – markvdlaan93 Jan 31 '22 at 16:05
  • This isn't even a Route53 feature, it's just a feature of DNS. There is no IAM or cross-account permission stuff involved. The questions you keep asking are spelled out at the page I linked, under the "Create a hosted zone for the subdomain, and create records in the new hosted zone" section. – Mark B Jan 31 '22 at 16:20
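A helper added here (not code from the question or the answer) that builds the Route 53 change batches the delegation approach in the comments needs: the NS record for the parent zone in the generic account, and the ACM DNS-validation CNAMEs routed to whichever hosted zone (parent or delegated child) owns each record name. Zone ids, name servers and ACM record values are constructed placeholders; the DomainValidationOptions shape is the one `aws acm describe-certificate` returns.

```python
# Route 53 change batches for subdomain delegation + ACM DNS validation (constructed sample data).
from __future__ import annotations

def _fqdn(name: str) -> str:
    """Normalise to a lower-case absolute name with a trailing dot."""
    return name.rstrip(".").lower() + "."

def delegation_batch(subdomain: str, child_name_servers: list[str]) -> dict:
    """NS record for the PARENT zone (generic account), pointing the subdomain at the
    CHILD zone's name servers (the DelegationSet Route 53 returns when the zone is created)."""
    rrs = [{"Value": _fqdn(ns)} for ns in child_name_servers]
    rr_set = {"Name": _fqdn(subdomain), "Type": "NS", "TTL": 172800, "ResourceRecords": rrs}
    return {"Comment": f"delegate {subdomain}", "Changes": [{"Action": "UPSERT", "ResourceRecordSet": rr_set}]}

def owning_zone(record_name: str, zones: dict[str, str]) -> str:
    """Return the hosted zone id (zones: zone name -> id) whose name is the longest suffix
    of record_name, i.e. the zone that must hold the record once the subdomain is delegated."""
    rec = _fqdn(record_name)
    matches = [z for z in zones if rec == _fqdn(z) or rec.endswith("." + _fqdn(z))]
    if not matches:
        raise ValueError(f"no hosted zone owns {record_name}")
    return zones[max(matches, key=len)]

def validation_batches(domain_validation_options: list[dict], zones: dict[str, str]) -> dict[str, dict]:
    """Group Certificate.DomainValidationOptions into one UPSERT batch per owning zone id.
    Duplicate names (a wildcard and its apex share one validation CNAME) are collapsed,
    because Route 53 rejects a change batch that repeats the same record name."""
    batches: dict[str, dict] = {}
    seen: set[tuple[str, str]] = set()
    for opt in domain_validation_options:
        rr = opt["ResourceRecord"]
        if rr["Type"] != "CNAME":
            raise ValueError(f"{opt['DomainName']}: expected DNS validation, got {rr['Type']}")
        zone_id, name = owning_zone(rr["Name"], zones), _fqdn(rr["Name"])
        if (zone_id, name) in seen:
            continue
        seen.add((zone_id, name))
        rr_set = {"Name": name, "Type": "CNAME", "TTL": 300, "ResourceRecords": [{"Value": rr["Value"]}]}
        batches.setdefault(zone_id, {"Changes": []})["Changes"].append({"Action": "UPSERT", "ResourceRecordSet": rr_set})
    return batches

# Constructed sample: parent zone in the generic account, delegated child zone in the test account.
SAMPLE_ZONES = {"mydomain.example": "ZPARENT0000000", "test.mydomain.example": "ZCHILD00000000"}
SAMPLE_VALIDATION = [  # constructed DomainValidationOptions for one cert covering all three names
    {"DomainName": "test.mydomain.example", "ResourceRecord": {"Name": "_aaaa1111.test.mydomain.example.", "Type": "CNAME", "Value": "_bbbb2222.acm-validations.aws."}},
    {"DomainName": "*.test.mydomain.example", "ResourceRecord": {"Name": "_aaaa1111.test.mydomain.example.", "Type": "CNAME", "Value": "_bbbb2222.acm-validations.aws."}},
    {"DomainName": "mydomain.example", "ResourceRecord": {"Name": "_cccc3333.mydomain.example.", "Type": "CNAME", "Value": "_dddd4444.acm-validations.aws."}},
]
```

Each returned batch is applied in the account that owns that zone with `aws route53 change-resource-record-sets --hosted-zone-id <id> --change-batch file://batch.json`; no cross-account IAM is involved because the child zone's validation records live in the child account once the NS delegation is in place.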

1 Answer


I once created a solution for creating records in another account. I did this with SNS and Lambdas. In my case I had a CF creating a record and a CR triggering a Lambda to publish to an SNS topic in the account with the main HZ. In this account I had a Lambda as a subscriber to that SNS topic, and the Lambda in the main account added the record in the main HZ.

Erik Asplund