Amazon web services 使用Lambda&；关联VPCWithHostedZone时出现拒绝访问错误；博托

我正在尝试在两个AWS帐户之间创建共享托管区域

我已通过账户B创建了vpc协会授权，授权内容如下：（Lambda-B）

在通过CF（通过自定义资源触发）执行Lambda-A时，我遇到了以下错误

但是，如果我使用失败执行（附加相同角色）中的事件数据测试Lambda-A，它将毫无问题地创建关联

---

谢谢

问题在于我的CF脚本接受与VPC的托管区域关联。 它在创建角色策略之前触发Lambda函数。 在向触发Lambda函数的自定义资源添加“DependsOn”属性后修复

LambdaTriggerCustomResource:
DependsOn: AcceptHostedZoneAssociationRolePolicy
Type: 'AWS::CloudFormation::CustomResource'
Version: '1.0'
Properties:
  ServiceToken: !GetAtt HostedZoneAssociationAcceptLambda.Arn

                      response = self.route53.associate_vpc_with_hosted_zone(
     HostedZoneId=<Hosted Zone Id>,
     VPC={
            'VPCRegion': <Region>,
            'VPCId': <VPC of Account-A>
         }
)

  AcceptHostedZoneAssociationRolePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: AcceptHostedZoneAssociationRolePolicy
      Roles:
      - Ref: AcceptHostedZoneAssociationRole
      PolicyDocument:
        Statement:
        - Sid: AssociateDisassociateVPCFromHostedZone
          Action:
          - lambda:*
          - logs:*
          - s3:*
          - iam:PassRole
          - ec2:DescribeVpcs
          - route53:AssociateVPCWithHostedZone
          - route53:DisassociateVPCFromHostedZone
          Effect: Allow
          Resource: "*"

[ERROR] 2019-11-15T00:21:30.691Z    b1f7049a-0de7-4324-95ee-817abc12d3bc    Create Vpc Hosted Zone association call Failed An error occurred (AccessDenied) when calling the AssociateVPCWithHostedZone operation: User: arn:aws:sts::XXXX:assumed-role/Default-HostedZone-Accept-AcceptHostedZoneAssociat-128KT4DUCVD0M/HostedZoneAssociationAcceptLambda is not authorized to perform: route53:AssociateVPCWithHostedZone on resource: arn:aws:route53:::hostedzone/Z0589797H460WDVIBOBD

LambdaTriggerCustomResource:
DependsOn: AcceptHostedZoneAssociationRolePolicy
Type: 'AWS::CloudFormation::CustomResource'
Version: '1.0'
Properties:
  ServiceToken: !GetAtt HostedZoneAssociationAcceptLambda.Arn