forked from TrueCloudLab/lego
Route 53: Update IAM policy example to grant least privilege access (#1727)
This commit is contained in:
parent
7cfa075581
commit
6c75aaa9a4
2 changed files with 156 additions and 48 deletions
|
@ -80,16 +80,20 @@ See also:
|
|||
- [Setting AWS Credentials](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials)
|
||||
- [Setting AWS Region](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-the-region)
|
||||
|
||||
## Policy
|
||||
## IAM Policy Examples
|
||||
|
||||
The following AWS IAM policy document describes the permissions required for lego to complete the DNS challenge.
|
||||
### Broad privileges for testing purposes
|
||||
|
||||
The following [IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) document grants access to the required APIs needed by lego to complete the DNS challenge.
|
||||
A word of caution:
|
||||
These permissions grant write access to any DNS record in any hosted zone,
|
||||
so it is recommended to narrow them down as much as possible if you are using this policy in production.
|
||||
|
||||
```json
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Sid": "",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"route53:GetChange",
|
||||
|
@ -102,7 +106,6 @@ The following AWS IAM policy document describes the permissions required for leg
|
|||
]
|
||||
},
|
||||
{
|
||||
"Sid": "",
|
||||
"Effect": "Allow",
|
||||
"Action": "route53:ListHostedZonesByName",
|
||||
"Resource": "*"
|
||||
|
@ -111,6 +114,57 @@ The following AWS IAM policy document describes the permissions required for leg
|
|||
}
|
||||
```
|
||||
|
||||
### Least privilege policy for production purposes
|
||||
|
||||
The following AWS IAM policy document describes least privilege permissions required for lego to complete the DNS challenge.
|
||||
Write access is limited to a specified hosted zone's DNS TXT records with a key of `_acme-challenge.example.com`.
|
||||
Replace `Z11111112222222333333` with your hosted zone ID and `example.com` with your domain name to use this policy.
|
||||
|
||||
```json
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": "route53:GetChange",
|
||||
"Resource": "arn:aws:route53:::change/*"
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": "route53:ListHostedZonesByName",
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"route53:ListResourceRecordSets"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:route53:::hostedzone/Z11111112222222333333"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"route53:ChangeResourceRecordSets"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:route53:::hostedzone/Z11111112222222333333"
|
||||
],
|
||||
"Condition": {
|
||||
"ForAllValues:StringEquals": {
|
||||
"route53:ChangeResourceRecordSetsNormalizedRecordNames": [
|
||||
"_acme-challenge.example.com"
|
||||
],
|
||||
"route53:ChangeResourceRecordSetsRecordTypes": [
|
||||
"TXT"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -28,16 +28,20 @@ See also:
|
|||
- [Setting AWS Credentials](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials)
|
||||
- [Setting AWS Region](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-the-region)
|
||||
|
||||
## Policy
|
||||
## IAM Policy Examples
|
||||
|
||||
The following AWS IAM policy document describes the permissions required for lego to complete the DNS challenge.
|
||||
### Broad privileges for testing purposes
|
||||
|
||||
The following [IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) document grants access to the required APIs needed by lego to complete the DNS challenge.
|
||||
A word of caution:
|
||||
These permissions grant write access to any DNS record in any hosted zone,
|
||||
so it is recommended to narrow them down as much as possible if you are using this policy in production.
|
||||
|
||||
```json
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Sid": "",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"route53:GetChange",
|
||||
|
@ -50,7 +54,6 @@ The following AWS IAM policy document describes the permissions required for leg
|
|||
]
|
||||
},
|
||||
{
|
||||
"Sid": "",
|
||||
"Effect": "Allow",
|
||||
"Action": "route53:ListHostedZonesByName",
|
||||
"Resource": "*"
|
||||
|
@ -59,6 +62,57 @@ The following AWS IAM policy document describes the permissions required for leg
|
|||
}
|
||||
```
|
||||
|
||||
### Least privilege policy for production purposes
|
||||
|
||||
The following AWS IAM policy document describes least privilege permissions required for lego to complete the DNS challenge.
|
||||
Write access is limited to a specified hosted zone's DNS TXT records with a key of `_acme-challenge.example.com`.
|
||||
Replace `Z11111112222222333333` with your hosted zone ID and `example.com` with your domain name to use this policy.
|
||||
|
||||
```json
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": "route53:GetChange",
|
||||
"Resource": "arn:aws:route53:::change/*"
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": "route53:ListHostedZonesByName",
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"route53:ListResourceRecordSets"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:route53:::hostedzone/Z11111112222222333333"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"route53:ChangeResourceRecordSets"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:route53:::hostedzone/Z11111112222222333333"
|
||||
],
|
||||
"Condition": {
|
||||
"ForAllValues:StringEquals": {
|
||||
"route53:ChangeResourceRecordSetsNormalizedRecordNames": [
|
||||
"_acme-challenge.example.com"
|
||||
],
|
||||
"route53:ChangeResourceRecordSetsRecordTypes": [
|
||||
"TXT"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
'''
|
||||
|
||||
[Configuration]
|
||||
|
|
Loading…
Reference in a new issue