Add cross-account delegation to an existing hosted zone

I can create a new hosted zone with cross-account delegation like this:

const parentZone = new route53.PublicHostedZone(this, 'HostedZone', {
  zoneName: 'someexample.com',
  crossAccountZoneDelegationPrincipal: new iam.AccountPrincipal('12345678901'),
  crossAccountZoneDelegationRoleName: 'MyDelegationRole',
});

That is simple enough. But what if the hosted zone already exists?

const parentHostedZone = route53.PublicHostedZone.fromLookup(this, 'HostedZone', {
  domainName: 'someexample.com',
});

How do I add the delegation to that zone?

All those props do is create a role that can be assumed from the other account and used to add records to the parent zone.

The code is here:

if (props.crossAccountZoneDelegationPrincipal) {
  this.crossAccountZoneDelegationRole = new iam.Role(this, 'CrossAccountZoneDelegationRole', {
    roleName: props.crossAccountZoneDelegationRoleName,
    assumedBy: props.crossAccountZoneDelegationPrincipal,
    inlinePolicies: {
      delegation: new iam.PolicyDocument({
        statements: [
          new iam.PolicyStatement({
            actions: ['route53:ChangeResourceRecordSets'],
            resources: [this.hostedZoneArn],
          }),
          new iam.PolicyStatement({
            actions: ['route53:ListHostedZonesByName'],
            resources: ['*'],
          }),
        ],
      }),
    },
  });
}

You can simply create that role yourself, and it serves the same purpose.

It looks like this:

const crossAccountZoneDelegationRole = new iam.Role(this, 'CrossAccountZoneDelegationRole', {
  roleName: 'MyDelegationRole',
  assumedBy: new iam.AccountPrincipal('12345678901'),
  inlinePolicies: {
    delegation: new iam.PolicyDocument({
      statements: [
        new iam.PolicyStatement({
          actions: ['route53:ChangeResourceRecordSets'],
          // the existing zone imported with fromLookup above
          resources: [parentHostedZone.hostedZoneArn],
        }),
        new iam.PolicyStatement({
          actions: ['route53:ListHostedZonesByName'],
          resources: ['*'],
        }),
      ],
    }),
  },
});

Then, in the other account, you just do the usual thing. From the docs:

// import the delegation role by constructing the roleArn
const delegationRoleArn = Stack.of(this).formatArn({
  region: '', // IAM is global in each partition
  service: 'iam',
  account: 'parent-account-id',
  resource: 'role',
  resourceName: 'MyDelegationRole',
});
const delegationRole = iam.Role.fromRoleArn(this, 'DelegationRole', delegationRoleArn);

// create the record
new route53.CrossAccountZoneDelegationRecord(this, 'delegate', {
  delegatedZone: subZone,
  parentHostedZoneName: 'someexample.com', // or you can use parentHostedZoneId
  delegationRole,
});
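The role in the answer above lets anyone who can assume it from the child account change any record in the parent zone. As an added example (not part of the question, the answer, or the CDK docs), this TypeScript helper emits the trust policy and permissions policy behind that role as plain JSON, with Route 53 condition keys that narrow the grant to NS records at the delegated name; the zone id, account id and subdomain are made-up values.

```typescript
// Added example, not code from the question or the answer: builds the two policy
// documents behind the delegation role in the parent account as plain JSON so they
// can be reviewed before deployment. Hypothetical inputs: zone id Z0000000000EXAMPLE,
// child account 123456789012, delegated subdomain sub.someexample.com.
type PolicyDocument = { Version: string; Statement: Array<Record<string, any>> };

function buildDelegationRolePolicies(
  parentZoneId: string,
  childAccountId: string,
  delegatedZoneName: string,
): { trustPolicy: PolicyDocument; permissionsPolicy: PolicyDocument } {
  const zoneArn = `arn:aws:route53:::hostedzone/${parentZoneId}`;
  // Route 53 evaluates the record-name condition key against the lowercased
  // name without a trailing dot, so normalize the same way here.
  const normalizedName = delegatedZoneName.toLowerCase().replace(/\.$/, '');
  return {
    trustPolicy: {
      Version: '2012-10-17',
      Statement: [{
        Effect: 'Allow',
        Principal: { AWS: `arn:aws:iam::${childAccountId}:root` }, // AccountPrincipal
        Action: 'sts:AssumeRole',
      }],
    },
    permissionsPolicy: {
      Version: '2012-10-17',
      Statement: [
        {
          // Same action and resource as the answer's inline policy, but limited to
          // NS records at the delegated name instead of every record in the zone.
          Effect: 'Allow',
          Action: 'route53:ChangeResourceRecordSets',
          Resource: zoneArn,
          Condition: {
            'ForAllValues:StringEquals': {
              'route53:ChangeResourceRecordSetsRecordTypes': ['NS'],
              'route53:ChangeResourceRecordSetsNormalizedRecordNames': [normalizedName],
            },
          },
        },
        { Effect: 'Allow', Action: 'route53:ListHostedZonesByName', Resource: '*' },
      ],
    },
  };
}
```

In CDK the same Condition block goes in the `conditions` prop of the `iam.PolicyStatement` that grants `route53:ChangeResourceRecordSets`.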