
(aws-certificatemanager): Cannot pass role to ACM DnsValidatedCertificate


❓ General Issue

The Question

Why is the CertificateRequestorFunction failing due to “Cross-account pass role is not allowed”?

I’m getting a role by ARN (from another account with the hosted zone) and passing it to ACM DnsValidatedCertificate as the customResourceRole. The CertificateRequestorFunction fails due to “Cross-account pass role is not allowed”.

The role’s trust policy is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Here’s a snippet of the stack code:

// CDK v1 (1.85.0) imports needed by the snippet below
import * as iam from '@aws-cdk/aws-iam';
import * as acm from '@aws-cdk/aws-certificatemanager';
import * as route53 from '@aws-cdk/aws-route53';

// Hosted zone referenced below (the issue does not show how it was obtained;
// the zone id here is a placeholder)
const hostedZone = route53.HostedZone.fromHostedZoneAttributes(this, 'HostedZone', {
  hostedZoneId: 'ZXXXXXXXXXXXXXX', // placeholder
  zoneName: 'domainname.com',
});

// Update Hosted Zone Role (lives in the account that owns the hosted zone)
const hostedZoneRoleArn = 'arn:aws:iam::123456789012:role/UpdateHostedZoneRole';
const hostedZoneRole = iam.Role.fromRoleArn(this, 'UpdateHostedZoneRole', hostedZoneRoleArn, {
  mutable: true,
});

// ACM Certificate; the imported role is handed to the custom resource Lambda as its execution role
const certificate = new acm.DnsValidatedCertificate(this, 'Certificate', {
  domainName: 'domainname.com',
  hostedZone: hostedZone,
  region: 'us-east-1',
  customResourceRole: hostedZoneRole,
});

Why is the CertificateRequestorFunction failing due to “Cross-account pass role is not allowed”?

Environment

  • CDK CLI Version: 1.85.0
  • Module Version: 1.85.0
  • Node.js Version: 12.18.3 & 14.15.1
  • OS: Windows 10 20H2 & Ubuntu 18.04.5
  • Language (Version): TypeScript 3.9.7

Other information

Stack trace:

0/15 | 1:58:59 AM | CREATE_FAILED | AWS::Lambda::Function | ***Certificate/CertificateRequestorFunction (***CertificateCertificateRequestorFunctionAA2C865E) Cross-account pass role is not allowed. (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: ***; Proxy: null)
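The failure above is an IAM constraint, not a CDK bug: the execution role that CDK passes to the CertificateRequestorFunction must exist in the same account as the function, so a role ARN from the hosted-zone account is refused at CREATE time. The following added example (not code from the issue or from aws-cdk; the helper names parseArn and diagnoseCustomResourceRole and the deploying account id 111111111111 are constructed) shows a synth-time check that catches this before deployment and also verifies the trust policy actually allows lambda.amazonaws.com to assume the role.

```typescript
// Synth-time check for the customResourceRole handed to DnsValidatedCertificate.
// Lambda only accepts an execution role from the function's own account, which is
// what "Cross-account pass role is not allowed" reports at deploy time.

interface ArnParts { partition: string; service: string; region: string; account: string; resource: string }

function parseArn(arn: string): ArnParts {
  const p = arn.split(':');
  if (p.length < 6 || p[0] !== 'arn') throw new Error(`not an ARN: ${arn}`);
  return { partition: p[1], service: p[2], region: p[3], account: p[4], resource: p.slice(5).join(':') };
}

interface TrustStatement { Effect: string; Principal: { Service?: string | string[]; AWS?: string | string[] }; Action: string | string[] }
interface TrustPolicy { Version: string; Statement: TrustStatement[] }
interface Diagnosis { ok: boolean; reason: string }

const toList = (v: string | string[] | undefined): string[] => v === undefined ? [] : Array.isArray(v) ? v : [v];

// stackAccount: the account the stack (and therefore the requestor Lambda) is deployed into.
function diagnoseCustomResourceRole(stackAccount: string, roleArn: string, trust: TrustPolicy): Diagnosis {
  const role = parseArn(roleArn);
  if (role.service !== 'iam' || role.resource.indexOf('role/') !== 0) {
    return { ok: false, reason: `${roleArn} is not an IAM role ARN` };
  }
  if (role.account !== stackAccount) {
    // The situation in this issue: iam:PassRole to Lambda is same-account only.
    return { ok: false, reason: `role lives in ${role.account} but the function is created in ${stackAccount}: ` +
      `Lambda rejects cross-account PassRole; the execution role has to be created in ${stackAccount} ` +
      `and be allowed to sts:AssumeRole ${roleArn} instead` };
  }
  const trustsLambda = trust.Statement.some(s => s.Effect === 'Allow'
    && toList(s.Action).indexOf('sts:AssumeRole') !== -1
    && toList(s.Principal.Service).indexOf('lambda.amazonaws.com') !== -1);
  if (!trustsLambda) return { ok: false, reason: 'trust policy does not let lambda.amazonaws.com assume the role' };
  return { ok: true, reason: 'role is in the stack account and trusts Lambda' };
}

// Constructed sample: the issue's trust policy and role ARN (account 123456789012),
// first deployed from a different account (111111111111), then from the role's own account.
const trustPolicy: TrustPolicy = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Principal: { Service: 'lambda.amazonaws.com' }, Action: 'sts:AssumeRole' } ] };
const hostedZoneRoleArn = 'arn:aws:iam::123456789012:role/UpdateHostedZoneRole';

const crossAccount = diagnoseCustomResourceRole('111111111111', hostedZoneRoleArn, trustPolicy);
const sameAccount = diagnoseCustomResourceRole('123456789012', hostedZoneRoleArn, trustPolicy);
console.log(crossAccount.ok, crossAccount.reason); // false, explains the PassRole rejection
console.log(sameAccount.ok, sameAccount.reason);   // true
```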

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

lober-io commented, Jan 23, 2021 (2 reactions)

It is a common pattern - but to do so the lambda needs to support this and this is currently not the case. IMHO it shouldn't be a big effort to implement it. I will take a look if I can create a PR for this.

github-actions[bot] commented, Feb 8, 2021 (0 reactions)

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
