pogpp/lego
1
0
Fork 0
forked from TrueCloudLab/lego
Code Pull requests Activity
lego/providers/dns/lightsail/lightsail.toml
Clement Jean 2a194d6ab9
aws: detailed credentials (#1439) 
Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>
2021-06-28 01:31:18 +00:00

59 lines
2.2 KiB
TOML
Raw Blame History

Name = "Amazon Lightsail"
Description = ''''''
URL = "https://aws.amazon.com/lightsail/"
Code = "lightsail"
Since = "v0.5.0"
Example = ''''''
Additional = '''
## Description
AWS Credentials are automatically detected in the following locations and prioritized in the following order:
1. Environment variables: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, [`AWS_SESSION_TOKEN`]
2. Shared credentials file (defaults to `~/.aws/credentials`, profiles can be specified using `AWS_PROFILE`)
3. Amazon EC2 IAM role
AWS region is not required to set as the Lightsail DNS zone is in global (us-east-1) region.
## Policy
The following AWS IAM policy document describes the minimum permissions required for lego to complete the DNS challenge.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lightsail:DeleteDomainEntry",
"lightsail:CreateDomainEntry"
],
"Resource": "<Lightsail DNS zone ARN>"
}
]
}
```
Replace the `Resource` value with your Lightsail DNS zone ARN.
You can retrieve the ARN using aws cli by running `aws lightsail get-domains --region us-east-1` (Lightsail web console does not show the ARN, unfortunately).
It should be in the format of `arn:aws:lightsail:global:<ACCOUNT ID>:Domain/<DOMAIN ID>`.
You also need to replace the region in the ARN to `us-east-1` (instead of `global`).
Alternatively, you can also set the `Resource` to `*` (wildcard), which allow to access all domain, but this is not recommended.
'''
[Configuration]
[Configuration.Credentials]
AWS_ACCESS_KEY_ID = "Managed by the AWS client. Access key ID (`AWS_ACCESS_KEY_ID_FILE` is not supported, use `AWS_SHARED_CREDENTIALS_FILE` instead)"
AWS_SECRET_ACCESS_KEY = "Managed by the AWS client. Secret access key (`AWS_SECRET_ACCESS_KEY_FILE` is not supported, use `AWS_SHARED_CREDENTIALS_FILE` instead)"
DNS_ZONE = "Domain name of the DNS zone"
[Configuration.Additional]
AWS_SHARED_CREDENTIALS_FILE = "Managed by the AWS client. Shared credentials file."
LIGHTSAIL_POLLING_INTERVAL = "Time between DNS propagation check"
LIGHTSAIL_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
[Links]
GoClient = "https://github.com/aws/aws-sdk-go/"
View git blame Copy permalink