lego/docs/content/dns/zz_gen_route53.md
2019-04-17 21:32:38 +02:00


---
title: "Amazon Route 53"
date: 2019-03-03T16:39:46+01:00
draft: false
slug: route53
---

Since: v0.3.0

Configuration for Amazon Route 53.

- Code: `route53`

{{% notice note %}} Please contribute by adding a CLI example. {{% /notice %}}

## Credentials

| Environment Variable Name | Description |
|---------------------------|-------------|
| `AWS_ACCESS_KEY_ID`       | Managed by the AWS client |
| `AWS_HOSTED_ZONE_ID`      | Override the hosted zone ID |
| `AWS_REGION`              | Managed by the AWS client |
| `AWS_SECRET_ACCESS_KEY`   | Managed by the AWS client |

The environment variable names can be suffixed by `_FILE` to reference a file instead of a value. More information here.

## Additional Configuration

| Environment Variable Name | Description |
|---------------------------|-------------|
| `AWS_MAX_RETRIES`         | The maximum number of retries the service will use to make an individual API request |
| `AWS_POLLING_INTERVAL`    | Time between DNS propagation checks |
| `AWS_PROPAGATION_TIMEOUT` | Maximum waiting time for DNS propagation |
| `AWS_TTL`                 | The TTL of the TXT record used for the DNS challenge |

The environment variable names can be suffixed by `_FILE` to reference a file instead of a value. More information here.

## Description

AWS Credentials are automatically detected in the following locations and prioritized in the following order:

  1. Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, [AWS_SESSION_TOKEN]
  2. Shared credentials file (defaults to ~/.aws/credentials)
  3. Amazon EC2 IAM role

If AWS_HOSTED_ZONE_ID is not set, Lego tries to determine the correct public hosted zone via the FQDN.

See also: sessions

## Policy

The following AWS IAM policy document describes the permissions required for lego to complete the DNS challenge.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "route53:GetChange",
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/*",
        "arn:aws:route53:::change/*"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}
```
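As an added example (not part of the lego project), the Go program below parses the policy above and audits it for drift from the least-privilege shape it documents: any wildcard action, any action beyond the four listed, and `Resource: "*"` on a statement whose actions accept a hosted-zone ARN are reported; when the operator pins `AWS_HOSTED_ZONE_ID`, it also points out that `hostedzone/*` can be narrowed to that one zone. The policy document is embedded verbatim from this page; the hosted zone ID `Z0000000EXAMPLE`, the `overbroadPolicy` sample, and the function name `auditPolicy` are constructed for this example. That only `route53:ListHostedZonesByName` may use `Resource: "*"` is taken from the page's policy, not from an AWS reference.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// The policy from this page, embedded verbatim so the audit runs offline.
const legoPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "", "Effect": "Allow",
     "Action": ["route53:GetChange", "route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
     "Resource": ["arn:aws:route53:::hostedzone/*", "arn:aws:route53:::change/*"]},
    {"Sid": "", "Effect": "Allow", "Action": "route53:ListHostedZonesByName", "Resource": "*"}
  ]
}`

// Constructed over-broad variant used to show what the audit flags.
const overbroadPolicy = `{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "route53:*", "Resource": "*"}]}`

// stringOrList accepts both shapes IAM allows for Action and Resource, a single
// string or a list of strings; the page's policy uses both.
type stringOrList []string

func (s *stringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = stringOrList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("expected a string or a list of strings, got %s", b)
	}
	*s = stringOrList(many)
	return nil
}

type statement struct {
	Effect   string       `json:"Effect"`
	Action   stringOrList `json:"Action"`
	Resource stringOrList `json:"Resource"`
}

type policyDocument struct {
	Version   string      `json:"Version"`
	Statement []statement `json:"Statement"`
}

// requiredActions are exactly the actions the page's policy grants.
var requiredActions = map[string]bool{
	"route53:GetChange": true, "route53:ChangeResourceRecordSets": true,
	"route53:ListResourceRecordSets": true, "route53:ListHostedZonesByName": true,
}

// unscopedActions are the actions the page's policy grants on Resource "*".
var unscopedActions = map[string]bool{"route53:ListHostedZonesByName": true}

// auditPolicy returns one finding per deviation from the documented policy.
// hostedZoneID may be empty; when set (AWS_HOSTED_ZONE_ID pinned) the
// hostedzone/* ARN is reported as narrowable to that zone.
func auditPolicy(doc, hostedZoneID string) ([]string, error) {
	var p policyDocument
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("parsing policy: %w", err)
	}
	var findings []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		allUnscoped := true // stays true only if every action is allowed on "*"
		for _, a := range st.Action {
			switch {
			case strings.Contains(a, "*"):
				findings = append(findings, fmt.Sprintf("statement %d: wildcard action %q", i, a))
			case !requiredActions[a]:
				findings = append(findings, fmt.Sprintf("statement %d: action %q is not needed for the DNS challenge", i, a))
			}
			if !unscopedActions[a] {
				allUnscoped = false
			}
		}
		for _, r := range st.Resource {
			if r == "*" && !allUnscoped {
				findings = append(findings, fmt.Sprintf("statement %d: Resource \"*\" on actions that accept a hosted-zone ARN", i))
			}
			if hostedZoneID != "" && r == "arn:aws:route53:::hostedzone/*" {
				findings = append(findings, fmt.Sprintf("statement %d: %s can be narrowed to arn:aws:route53:::hostedzone/%s", i, r, hostedZoneID))
			}
		}
	}
	return findings, nil
}

func main() {
	for _, doc := range []string{legoPolicy, overbroadPolicy} {
		findings, err := auditPolicy(doc, "")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%d finding(s): %s\n", len(findings), strings.Join(findings, "; "))
	}
}
```

The `stringOrList` unmarshaller is the part worth keeping: a naive struct with `Action []string` would fail on the second statement, where IAM's single-string form is used, and an audit that silently skipped such statements would miss exactly the `Resource: "*"` grants it should be looking at.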

## More information