Request Certificate in account A for a domain hosted in account B with DNS validation #4469

Closed
konstantinj opened this issue Oct 11, 2019 · 2 comments
@aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager feature-request A feature should be added or improved.

Comments

@konstantinj

It should be possible to create certificates for domains that are hosted in different accounts.

Use Case

We have accounts per team, as most AWS customers do, I believe. In our main account we have our main company domain, which is used for most public services. Currently we're already using a Lambda function to create and validate a certificate. It runs in the team's account and has access to the main account with a role.

Proposed Solution

The lambda function provided by cdk does the creation of the cert and the route53 record for validation in the same account. Being able to pass a role for the other account would be one solution.

Another solution would be to easily define a custom lambda function. Then we would be able to use the rest of cdk but our own lambda logic.

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change
@konstantinj konstantinj added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 11, 2019
@SomayaB SomayaB added the @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager label Oct 11, 2019
@rix0rrr rix0rrr removed the needs-triage This issue or PR still needs to be triaged. label Oct 14, 2019
@rix0rrr
Contributor

rix0rrr commented Oct 14, 2019

I have a hard time seeing how we will be able to provide this functionality in core. It might be good as an external construct library, but this seems too narrowly focused to be in core.

Since the validated certificate you seem to want to use is exclusively a custom resource, I think there's hardly any logic to reuse. I would encourage you to fork off the resource in a new package and build customized logic that will authenticate to a different account.

Closing as a "wont fix" for now.

@kmturley

kmturley commented Dec 22, 2020

I need this feature too. It's common to centralize Domain names and certificates in a single AWS Account.
Tried using Resource Access Manager, but it doesn't allow sharing of Domain Names and Certificates cross-account.

This seems to be the best solution currently:
https://stackoverflow.com/questions/58101817/cdk-dnsvalidatedcertificate-can-create-a-certificate-in-a-linked-aws-account-w
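
Added example, not part of the thread and not CDK's own code: the data-handling core of the approach described in the opening post, where a function in the team account requests the certificate and then assumes a role in the domain-hosting account to write the validation record. It turns a DescribeCertificate response into a Route 53 change batch and builds a narrowly scoped permissions policy for that role; the function names, sample response, TTL and hosted zone ID are assumptions made for illustration.

```python
# Constructed sample shaped like an ACM DescribeCertificate response (not real data).
SAMPLE_CERT = {"Certificate": {"DomainValidationOptions": [
    {"DomainName": "app.example.com",
     "ResourceRecord": {"Name": "_0a1b.app.example.com.", "Type": "CNAME",
                        "Value": "_2c3d.acm-validations.aws."}},
    # A wildcard name shares its validation record with the base name.
    {"DomainName": "*.app.example.com",
     "ResourceRecord": {"Name": "_0a1b.app.example.com.", "Type": "CNAME",
                        "Value": "_2c3d.acm-validations.aws."}},
    # ACM fills ResourceRecord in asynchronously; it can be absent at first.
    {"DomainName": "api.example.com"},
]}}


def validation_records(cert_response):
    """Return (records, pending_domains); records are de-duplicated by name."""
    records, pending = {}, []
    for opt in cert_response["Certificate"].get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if rr is None:
            pending.append(opt["DomainName"])  # caller should poll again later
        else:
            records[rr["Name"]] = rr
    return list(records.values()), pending


def change_batch(records, ttl=300):
    """ChangeBatch to submit to Route 53 with the assumed role's credentials."""
    return {"Changes": [{
        "Action": "UPSERT",
        "ResourceRecordSet": {"Name": r["Name"], "Type": r["Type"], "TTL": ttl,
                              "ResourceRecords": [{"Value": r["Value"]}]},
    } for r in records]}


def role_policy(hosted_zone_id):
    """Permissions policy for the role in the account that owns the zone:
    one hosted zone, CNAME records only, UPSERT only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "route53:ChangeResourceRecordSets",
        "Resource": f"arn:aws:route53:::hostedzone/{hosted_zone_id}",
        "Condition": {"ForAllValues:StringEquals": {
            "route53:ChangeResourceRecordSetsRecordTypes": ["CNAME"],
            "route53:ChangeResourceRecordSetsActions": ["UPSERT"],
        }},
    }]}
```

The role's trust policy, which is not shown, should name only the calling function's execution role as principal so that no other identity in the team account can assume it.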
