forked from TrueCloudLab/lego
143 lines
5.2 KiB
TOML
143 lines
5.2 KiB
TOML
Name = "Amazon Route 53"
|
|
Description = ''''''
|
|
URL = "https://aws.amazon.com/route53/"
|
|
Code = "route53"
|
|
Since = "v0.3.0"
|
|
|
|
Example = '''
|
|
AWS_ACCESS_KEY_ID=your_key_id \
|
|
AWS_SECRET_ACCESS_KEY=your_secret_access_key \
|
|
AWS_REGION=aws-region \
|
|
AWS_HOSTED_ZONE_ID=your_hosted_zone_id \
|
|
lego --domains example.com --email your_example@email.com --dns route53 --accept-tos=true run
|
|
'''
|
|
|
|
Additional = '''
|
|
## Description
|
|
|
|
AWS Credentials are automatically detected in the following locations and prioritized in the following order:
|
|
|
|
1. Environment variables: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, [`AWS_SESSION_TOKEN`]
|
|
2. Shared credentials file (defaults to `~/.aws/credentials`, profiles can be specified using `AWS_PROFILE`)
|
|
3. Amazon EC2 IAM role
|
|
|
|
The AWS Region is automatically detected in the following locations and prioritized in the following order:
|
|
|
|
1. Environment variables: `AWS_REGION`
|
|
2. Shared configuration file if `AWS_SDK_LOAD_CONFIG` is set (defaults to `~/.aws/config`, profiles can be specified using `AWS_PROFILE`)
|
|
|
|
If `AWS_HOSTED_ZONE_ID` is not set, Lego tries to determine the correct public hosted zone via the FQDN.
|
|
|
|
See also:
|
|
|
|
- [sessions](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/sessions.html)
|
|
- [Setting AWS Credentials](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials)
|
|
- [Setting AWS Region](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-the-region)
|
|
|
|
## IAM Policy Examples
|
|
|
|
### Broad privileges for testing purposes
|
|
|
|
The following [IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) document grants access to the required APIs needed by lego to complete the DNS challenge.
|
|
A word of caution:
|
|
These permissions grant write access to any DNS record in any hosted zone,
|
|
so it is recommended to narrow them down as much as possible if you are using this policy in production.
|
|
|
|
```json
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"route53:GetChange",
|
|
"route53:ChangeResourceRecordSets",
|
|
"route53:ListResourceRecordSets"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:route53:::hostedzone/*",
|
|
"arn:aws:route53:::change/*"
|
|
]
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": "route53:ListHostedZonesByName",
|
|
"Resource": "*"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
### Least privilege policy for production purposes
|
|
|
|
The following AWS IAM policy document describes the least privilege permissions required for lego to complete the DNS challenge.
|
|
Write access is limited to a specified hosted zone's DNS TXT records with a key of `_acme-challenge.example.com`.
|
|
Replace `Z11111112222222333333` with your hosted zone ID and `example.com` with your domain name to use this policy.
|
|
|
|
```json
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": "route53:GetChange",
|
|
"Resource": "arn:aws:route53:::change/*"
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": "route53:ListHostedZonesByName",
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"route53:ListResourceRecordSets"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:route53:::hostedzone/Z11111112222222333333"
|
|
]
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"route53:ChangeResourceRecordSets"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:route53:::hostedzone/Z11111112222222333333"
|
|
],
|
|
"Condition": {
|
|
"ForAllValues:StringEquals": {
|
|
"route53:ChangeResourceRecordSetsNormalizedRecordNames": [
|
|
"_acme-challenge.example.com"
|
|
],
|
|
"route53:ChangeResourceRecordSetsRecordTypes": [
|
|
"TXT"
|
|
]
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
```
|
|
'''
|
|
|
|
[Configuration]
|
|
[Configuration.Credentials]
|
|
AWS_ACCESS_KEY_ID = "Managed by the AWS client. Access key ID (`AWS_ACCESS_KEY_ID_FILE` is not supported, use `AWS_SHARED_CREDENTIALS_FILE` instead)"
|
|
AWS_SECRET_ACCESS_KEY = "Managed by the AWS client. Secret access key (`AWS_SECRET_ACCESS_KEY_FILE` is not supported, use `AWS_SHARED_CREDENTIALS_FILE` instead)"
|
|
AWS_REGION = "Managed by the AWS client (`AWS_REGION_FILE` is not supported)"
|
|
AWS_HOSTED_ZONE_ID = "Override the hosted zone ID."
|
|
AWS_PROFILE = "Managed by the AWS client (`AWS_PROFILE_FILE` is not supported)"
|
|
AWS_SDK_LOAD_CONFIG = "Managed by the AWS client. Retrieve the region from the CLI config file (`AWS_SDK_LOAD_CONFIG_FILE` is not supported)"
|
|
AWS_ASSUME_ROLE_ARN = "Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN_FILE` is not supported)"
|
|
AWS_EXTERNAL_ID = "Managed by STS AssumeRole API operation (`AWS_EXTERNAL_ID_FILE` is not supported)"
|
|
[Configuration.Additional]
|
|
AWS_SHARED_CREDENTIALS_FILE = "Managed by the AWS client. Shared credentials file."
|
|
AWS_MAX_RETRIES = "The number of maximum returns the service will use to make an individual API request"
|
|
AWS_POLLING_INTERVAL = "Time between DNS propagation check"
|
|
AWS_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
|
|
AWS_TTL = "The TTL of the TXT record used for the DNS challenge"
|
|
|
|
[Links]
|
|
API = "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"
|
|
GoClient = "https://github.com/aws/aws-sdk-go-v2"
|