https://pulumi.com logo
Powered by
#getting-started
Title
# getting-started
m

magnificent-soccer-44287

11/19/2023, 11:31 PM
hi folks 😄 how do I use an amazon-issued SSL certificate in a shared aws account in a different aws account? (this is for CloudFront, based on what I read there is some special mechanism for this in AWS but i cant get it to work)
this is so dumb... someone please help. in this code:
Copy code
const domainCertificate = new aws.acm.Certificate(pre('domain-cert'), {
    domainName,
    validationMethod: "DNS",
});

const certValidation = new aws.route53.Record(pre('certValidation'), rootZoneId.apply(zoneId => {
    return {
        name: domainCertificate.domainValidationOptions[0].resourceRecordName,
        zoneId: rootZoneId,
        type: domainCertificate.domainValidationOptions[0].resourceRecordType,
        records: [domainCertificate.domainValidationOptions[0].resourceRecordValue],
        ttl: 60,
    }
}), { provider: sharedAccountProvider});

const certValidationOption = new aws.acm.CertificateValidation("certValidationOption", {
    certificateArn: domainCertificate.arn,
    validationRecordFqdns: [certValidation.fqdn],
}, { provider: sharedAccountProvider } );
when it comes to "certValidationOption"... domainCertificate is in my subaccount certValidation is in the shared account how do I look for CertificateValidation when the fqdn is in the parent account but the validation is in the subaccount?
i just need to access or somehow generate (dont care how at this point) an ACM cert for CloudFront in per-env subaccounts when the domain zone is in a shared account. have spent 7 hours on this so far
tried creating a wildcard ACM cert in the shared account too, appears to be no way to import/use them in the subaccounts. shared role permissions keep saying it needs acm:ListCertificates when ive granted that permission to the shared role
i dont get it; cross-account policy (that i know works because i use it right below this):
Copy code
{
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:GetChange",
                "route53:GetHostedZone",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets",
                "acm:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:route53:::hostedzone/id",
                "arn:aws:route53:::hostedzone/id",
                "arn:aws:acm:*",
                "arn:aws:route53:::change/*"
            ]
        }
    ],
error in the code:
Copy code
is not authorized to perform: acm:ListCertificates because no identity-based policy allows the acm:ListCertificates action
😭
g

gifted-gigabyte-53859

11/22/2023, 1:58 AM
Without reading too deeply into what you've done, tou'll need to give the child accounts permission to access the cert
Also make sure you've set up DNS delegation from the main to the sub accounts, if you're using DNS Validation
m

magnificent-soccer-44287

11/22/2023, 1:59 AM
so, I created a role that can access that certificate and used it to import the cert into the stack itself
I still cant mount the imported cert onto resources in the subaccount
my CDN cert has to be us-east-1 but i created an aux cert in the same AZ as my sub account (us-west-2) and no dice 😞
Powered by