# getting-started
m
hi folks 😄 how do I use an amazon-issued SSL certificate in a shared AWS account in a different AWS account? (this is for CloudFront; based on what I read there is some special mechanism for this in AWS but I can't get it to work)
this is so dumb... someone please help. in this code:
```typescript
import * as aws from "@pulumi/aws";

// `pre`, `domainName`, `rootZoneId` and `sharedAccountProvider` are defined elsewhere in the stack.
// The certificate is requested in the current (sub) account with the default provider.
const domainCertificate = new aws.acm.Certificate(pre('domain-cert'), {
    domainName,
    validationMethod: "DNS",
});

// The DNS validation record is written into the hosted zone that lives in the shared account,
// hence the explicit provider. Output values can be passed straight into the resource args;
// no apply() wrapper is needed (and the args object itself cannot be an Output).
const certValidation = new aws.route53.Record(pre('certValidation'), {
    name: domainCertificate.domainValidationOptions[0].resourceRecordName,
    zoneId: rootZoneId,
    type: domainCertificate.domainValidationOptions[0].resourceRecordType,
    records: [domainCertificate.domainValidationOptions[0].resourceRecordValue],
    ttl: 60,
}, { provider: sharedAccountProvider });

// Waits for ACM to see the validation record and mark the certificate as issued.
const certValidationOption = new aws.acm.CertificateValidation("certValidationOption", {
    certificateArn: domainCertificate.arn,
    validationRecordFqdns: [certValidation.fqdn],
}, { provider: sharedAccountProvider });
```
when it comes to "certValidationOption"... domainCertificate is in my subaccount, certValidation is in the shared account. How do I look for CertificateValidation when the fqdn is in the parent account but the validation is in the subaccount?
I just need to access or somehow generate (don't care how at this point) an ACM cert for CloudFront in per-env subaccounts when the domain zone is in a shared account. Have spent 7 hours on this so far.
Tried creating a wildcard ACM cert in the shared account too; appears to be no way to import/use them in the subaccounts. Shared role permissions keep saying it needs acm:ListCertificates when I've granted that permission to the shared role.
I don't get it; cross-account policy (that I know works because I use it right below this):
```json
{
    "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:GetChange",
        "route53:GetHostedZone",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "acm:*"
    ],
    "Effect": "Allow",
    "Resource": [
        "arn:aws:route53:::hostedzone/id",
        "arn:aws:route53:::hostedzone/id",
        "arn:aws:acm:*",
        "arn:aws:route53:::change/*"
    ]
}
```
error in the code:
```text
is not authorized to perform: acm:ListCertificates because no identity-based policy allows the acm:ListCertificates action
```
😭
g
Without reading too deeply into what you've done, you'll need to give the child accounts permission to access the cert
Also make sure you've set up DNS delegation from the main to the sub accounts, if you're using DNS Validation
m
so, I created a role that can access that certificate and used it to import the cert into the stack itself
I still can't mount the imported cert onto resources in the subaccount
my CDN cert has to be us-east-1 but I created an aux cert in the same AZ as my sub account (us-west-2) and no dice 😞