lego/docs/content/dns/zz_gen_lightsail.md
2021-05-22 11:00:25 +02:00

---
title: "Amazon Lightsail"
date: 2019-03-03T16:39:46+01:00
draft: false
slug: lightsail
---

Since: v0.5.0

Configuration for Amazon Lightsail.

- Code: `lightsail`

{{% notice note %}} Please contribute by adding a CLI example. {{% /notice %}}

## Credentials

| Environment Variable Name | Description |
|---------------------------|-------------|
| `AWS_ACCESS_KEY_ID` | Access key ID |
| `AWS_SECRET_ACCESS_KEY` | Secret access key |
| `DNS_ZONE` | Domain name of the DNS zone |

The environment variable names can be suffixed by `_FILE` to reference a file instead of a value. More information here.

## Additional Configuration

| Environment Variable Name | Description |
|---------------------------|-------------|
| `LIGHTSAIL_POLLING_INTERVAL` | Time between DNS propagation checks |
| `LIGHTSAIL_PROPAGATION_TIMEOUT` | Maximum waiting time for DNS propagation |

The environment variable names can be suffixed by `_FILE` to reference a file instead of a value. More information here.

## Description

AWS Credentials are automatically detected in the following locations and prioritized in the following order:

1. Environment variables: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, [`AWS_SESSION_TOKEN`]
2. Shared credentials file (defaults to `~/.aws/credentials`; profiles can be specified using `AWS_PROFILE`)
3. Amazon EC2 IAM role

The AWS region does not need to be set, because the Lightsail DNS zone lives in the global (`us-east-1`) region.

## Policy

The following AWS IAM policy document describes the minimum permissions required for lego to complete the DNS challenge.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lightsail:DeleteDomainEntry",
        "lightsail:CreateDomainEntry"
      ],
      "Resource": "<Lightsail DNS zone ARN>"
    }
  ]
}
```

Replace the `Resource` value with your Lightsail DNS zone ARN. You can retrieve the ARN with the AWS CLI by running `aws lightsail get-domains --region us-east-1` (the Lightsail web console does not show the ARN, unfortunately). It has the format `arn:aws:lightsail:global:<ACCOUNT ID>:Domain/<DOMAIN ID>`. You also need to replace the region in the ARN with `us-east-1` (instead of `global`).

Alternatively, you can set `Resource` to `*` (wildcard), which allows access to all domains, but this is not recommended.
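The ARN rewrite and policy generation above, as an added shell example (not part of the lego docs or code): it takes a Lightsail domain ARN in the `global` form, rewrites the region to `us-east-1`, and prints the least-privilege policy scoped to that one zone. The account and domain IDs in the sample ARN are constructed placeholders; the `--query`/`--output` filter shown in the comment is an assumed convenience on top of the `get-domains` call the text gives.

```shell
#!/bin/sh
# Added example, not lego's own code: build the minimum IAM policy for the
# Lightsail DNS challenge from a Lightsail domain ARN.

# lightsail_policy_arn: rewrite the region field of a Lightsail domain ARN.
# Input:  arn:aws:lightsail:global:<ACCOUNT ID>:Domain/<DOMAIN ID>
# Output: arn:aws:lightsail:us-east-1:<ACCOUNT ID>:Domain/<DOMAIN ID>
# Anything that is not a Lightsail domain ARN is rejected, so a typo cannot
# silently end up as a wildcard-like resource in the policy.
lightsail_policy_arn() {
  case "$1" in
    arn:aws:lightsail:global:*:Domain/*)
      printf '%s\n' "arn:aws:lightsail:us-east-1:${1#arn:aws:lightsail:global:}"
      ;;
    *)
      echo "not a Lightsail domain ARN: $1" >&2
      return 1
      ;;
  esac
}

# lightsail_lego_policy: print the policy document scoped to exactly one zone.
lightsail_lego_policy() {
  arn=$(lightsail_policy_arn "$1") || return 1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lightsail:DeleteDomainEntry",
        "lightsail:CreateDomainEntry"
      ],
      "Resource": "$arn"
    }
  ]
}
EOF
}

# Constructed sample ARN (placeholder account and domain IDs) so this runs
# offline. On a real account, fetch the ARN with (assumed filter flags):
#   aws lightsail get-domains --region us-east-1 --query 'domains[].arn' --output text
SAMPLE_ARN='arn:aws:lightsail:global:123456789012:Domain/00000000-0000-0000-0000-000000000000'
lightsail_lego_policy "$SAMPLE_ARN"
```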

## More information