How can I verify domain ownership using different credentials than the one creating the ACM certificate? #31153
Unanswered
David-Jacobsen
asked this question in
Q&A
Replies: 0 comments
In short, I have a domain hosted zone in Account A. I need to deploy a CloudFront website in Account B with an ACM certificate.
I have the CDK configured to write the A record to Account A to route requests to the CloudFront site, and it generates the ACM certificate; however, at the moment I either need to:
or
Neither of which is ideal.
Also, I can’t use validationOptions.FromDNS(AccountA_HostedZone) because the identity performing the certificate request doesn’t have permission to create the CNAME records, it needs to assume a role in order to do it.
I’ve tried using a custom resource that calls describe-certification in order to return the generated validation options, but it’s failing during synth when it attempts to parse the response as JSON.
Looking into that error led me to triggers, but I believe I'd need to be able to pass in a parameter (the cert ARN), and that doesn't seem possible.
So I’m back to the question in the title.
Is there a way to validate ownership of a domain when creating a cert in ACM, when the identity requesting the cert doesn’t have access to create the CNAME record but it does have access to assume a role that does have access to create the CNAME record?