I am trying to create a shared hosted zone between two AWS accounts.
I created the VPC association authorization from account B with the following (Lambda-B):
response = self.route53.create_vpc_association_authorization(
    HostedZoneId=<Hosted Zone Id>,
    VPC={
        'VPCRegion': <Region>,
        'VPCId': <VPC of account-A>
    }
)
Then I try to accept it from account A (Lambda-A):
response = self.route53.associate_vpc_with_hosted_zone(
    HostedZoneId=<Hosted Zone Id>,
    VPC={
        'VPCRegion': <Region>,
        'VPCId': <VPC of account-A>
    }
)
I attached the following policy to the role of Lambda-A:
accepthostedZoneAssociationRolePolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: accepthostedZoneAssociationRolePolicy
    Roles:
      - Ref: accepthostedZoneAssociationRole
    PolicyDocument:
      Statement:
        - Sid: AssociateDisassociateVPCFromHostedZone
          Action:
            - lambda:*
            - logs:*
            - s3:*
            - iam:PassRole
            - ec2:DescribeVpcs
            - route53:AssociateVPCWithHostedZone
            - route53:DisassociateVPCFromHostedZone
          Effect: Allow
          Resource: "*"
When Lambda-A is executed through CloudFormation (triggered via a custom resource), I get the following error:
[ERROR] 2019-11-15T00:21:30.691Z b1f7049a-0de7-4324-95ee-817abc12d3bc Create Vpc Hosted Zone association call Failed An error occurred (accessDenied) when calling the AssociateVPCWithHostedZone operation: User: arn:aws:sts::XXXX:assumed-role/Default-HostedZone-accept-accepthostedZoneAssociat-128KT4DUCVD0M/HostedZoneAssociationacceptLambda is not authorized to perform: route53:AssociateVPCWithHostedZone on resource: arn:aws:route53:::hostedzone/Z0589797H460WDVIBOBD
However, if I test Lambda-A with the event data from the failed execution (with the same role attached), it creates the association without any problem.
Thanks
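The two-step exchange the post describes (account B authorizes, account A associates), as an added example that is not the poster's code. It is written against boto3's Route 53 client methods create_vpc_association_authorization, associate_vpc_with_hosted_zone, list_vpc_association_authorizations and delete_vpc_association_authorization, but the functions take the client objects as parameters so the flow runs offline against a constructed fake that models the service's ordering rule (associating a VPC that was never authorized fails with NotAuthorizedException). The hosted zone id, region, VPC id and profile names are placeholders. Two practical points the example encodes: list the pending authorizations in account B before debugging IAM in account A, and delete the authorization after the association succeeds so it does not linger. Separately, when the custom resource runs inside the same CloudFormation stack that creates the AWS::IAM::Policy, the policy is a distinct resource from the role, so the custom resource can be invoked before the policy is attached unless it declares DependsOn on the policy resource; that is consistent with the manual re-run succeeding.

```python
"""Cross-account Route 53 private hosted zone association, two accounts.
Added example with constructed placeholders; not the original post's code."""


def authorize_association(route53_b, hosted_zone_id, vpc_region, vpc_id):
    """Step 1, account B (zone owner): allow account A's VPC to be associated.
    Caller needs route53:CreateVPCAssociationAuthorization on the zone."""
    return route53_b.create_vpc_association_authorization(
        HostedZoneId=hosted_zone_id,
        VPC={"VPCRegion": vpc_region, "VPCId": vpc_id},
    )


def pending_authorizations(route53_b, hosted_zone_id):
    """Account B: VPC ids that are authorized but not yet associated.
    A quick check that step 1 really happened before chasing IAM errors."""
    resp = route53_b.list_vpc_association_authorizations(HostedZoneId=hosted_zone_id)
    return sorted(v["VPCId"] for v in resp.get("VPCs", []))


def accept_association(route53_a, hosted_zone_id, vpc_region, vpc_id):
    """Step 2, account A (VPC owner): associate its VPC with the zone.
    Caller needs route53:AssociateVPCWithHostedZone and ec2:DescribeVpcs."""
    return route53_a.associate_vpc_with_hosted_zone(
        HostedZoneId=hosted_zone_id,
        VPC={"VPCRegion": vpc_region, "VPCId": vpc_id},
    )


def cleanup_authorization(route53_b, hosted_zone_id, vpc_region, vpc_id):
    """Step 3, account B: the authorization is single-use; remove it."""
    return route53_b.delete_vpc_association_authorization(
        HostedZoneId=hosted_zone_id,
        VPC={"VPCRegion": vpc_region, "VPCId": vpc_id},
    )


def run_cross_account_association(route53_b, route53_a, hosted_zone_id, vpc_region, vpc_id):
    """Full flow; returns the association ChangeInfo status and what is left pending."""
    authorize_association(route53_b, hosted_zone_id, vpc_region, vpc_id)
    assert vpc_id in pending_authorizations(route53_b, hosted_zone_id)
    result = accept_association(route53_a, hosted_zone_id, vpc_region, vpc_id)
    cleanup_authorization(route53_b, hosted_zone_id, vpc_region, vpc_id)
    return {
        "status": result["ChangeInfo"]["Status"],
        "still_pending": pending_authorizations(route53_b, hosted_zone_id),
    }


def real_clients(profile_b, profile_a):
    """For real use only: one Route 53 client per account, via named profiles
    (hypothetical profile names). boto3 is imported lazily so the offline demo
    below does not need it."""
    import boto3
    return (boto3.Session(profile_name=profile_b).client("route53"),
            boto3.Session(profile_name=profile_a).client("route53"))


class FakeRoute53:
    """Constructed stand-in for the service, shared by both 'accounts' here.
    It enforces the one rule that matters for the flow: association is
    rejected unless the VPC was authorized first."""

    def __init__(self):
        self.authorized = {}   # zone id -> set of authorized VPC ids
        self.associated = {}   # zone id -> set of associated VPC ids

    def create_vpc_association_authorization(self, HostedZoneId, VPC):
        self.authorized.setdefault(HostedZoneId, set()).add(VPC["VPCId"])
        return {"HostedZoneId": HostedZoneId, "VPC": VPC}

    def list_vpc_association_authorizations(self, HostedZoneId):
        vpcs = [{"VPCRegion": "us-east-1", "VPCId": v}
                for v in self.authorized.get(HostedZoneId, set())]
        return {"HostedZoneId": HostedZoneId, "VPCs": vpcs}

    def associate_vpc_with_hosted_zone(self, HostedZoneId, VPC):
        if VPC["VPCId"] not in self.authorized.get(HostedZoneId, set()):
            # The real service returns NotAuthorizedException here.
            raise PermissionError("NotAuthorizedException: VPC not authorized for zone")
        self.associated.setdefault(HostedZoneId, set()).add(VPC["VPCId"])
        return {"ChangeInfo": {"Id": "/change/CEXAMPLE", "Status": "PENDING"}}

    def delete_vpc_association_authorization(self, HostedZoneId, VPC):
        self.authorized.get(HostedZoneId, set()).discard(VPC["VPCId"])
        return {}


if __name__ == "__main__":
    fake = FakeRoute53()
    # Placeholder identifiers; replace with real_clients(...) and real ids.
    print(run_cross_account_association(fake, fake, "ZEXAMPLE123", "us-east-1", "vpc-0accountA"))
```

In a real deployment, route53_b and route53_a are separate clients from real_clients(), and the hosted zone must be private and the VPC must not already be associated with another private zone of the same name.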