我正在尝试在两个AWS账户之间创建一个共享的托管区域。

我已通过帐户B创建了带有以下（Lambda-B）的vpc关联授权

response = self.route53.create_vpc_association_authorization(
     HostedZoneId=<Hosted Zone Id>,VPC={
            'VPCRegion': <Region>,'VPCId': <VPC of account-A>
         }
)

然后从帐户A尝试接受它。 （Lambda-A）

                      response = self.route53.associate_vpc_with_hosted_zone(
     HostedZoneId=<Hosted Zone Id>,'VPCId': <VPC of account-A>
         }
)

我对Lambda-A赋予了以下政策作用

  accepthostedZoneAssociationRolePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: accepthostedZoneAssociationRolePolicy
      Roles:
      - Ref: accepthostedZoneAssociationRole
      PolicyDocument:
        Statement:
        - Sid: AssociateDisassociateVPCFromHostedZone
          action:
          - lambda:*
          - logs:*
          - s3:*
          - iam:PassRole
          - ec2:DescribeVpcs
          - route53:AssociateVPCWithHostedZone
          - route53:DisassociateVPCFromHostedZone
          Effect: Allow
          Resource: "*"

通过CF（通过自定义资源触发）执行Lambda-A时出现以下错误。

[ERROR] 2019-11-15T00:21:30.691Z    b1f7049a-0de7-4324-95ee-817abc12d3bc    Create Vpc Hosted Zone association call Failed An error occurred (accessDenied) when calling the AssociateVPCWithHostedZone operation: User: arn:aws:sts::XXXX:assumed-role/Default-HostedZone-accept-accepthostedZoneAssociat-128KT4DUCVD0M/HostedZoneAssociationacceptLambda is not authorized to perform: route53:AssociateVPCWithHostedZone on resource: arn:aws:route53:::hostedzone/Z0589797H460WDVIBOBD

但是，如果我用执行失败的事件数据（附加相同的角色）测试Lambda-A，它将创建关联而不会出现问题。

谢谢