lego/docs/content/dns/zz_gen_route53.md
2024-05-09 21:05:21 +02:00

6.4 KiB

title date draft slug dnsprovider
Amazon Route 53 2019-03-03T16:39:46+01:00 false route53
since code url
v0.3.0 route53 https://aws.amazon.com/route53/

Configuration for Amazon Route 53.

  • Code: route53
  • Since: v0.3.0

Here is an example bash command using the Amazon Route 53 provider:

AWS_ACCESS_KEY_ID=your_key_id \
AWS_SECRET_ACCESS_KEY=your_secret_access_key \
AWS_REGION=aws-region \
AWS_HOSTED_ZONE_ID=your_hosted_zone_id \
lego --domains example.com --email your_example@email.com --dns route53 --accept-tos=true run

Credentials

Environment Variable Name Description
AWS_ACCESS_KEY_ID Managed by the AWS client. Access key ID (AWS_ACCESS_KEY_ID_FILE is not supported, use AWS_SHARED_CREDENTIALS_FILE instead)
AWS_ASSUME_ROLE_ARN Managed by the AWS Role ARN (AWS_ASSUME_ROLE_ARN_FILE is not supported)
AWS_EXTERNAL_ID Managed by STS AssumeRole API operation (AWS_EXTERNAL_ID_FILE is not supported)
AWS_HOSTED_ZONE_ID Override the hosted zone ID.
AWS_PROFILE Managed by the AWS client (AWS_PROFILE_FILE is not supported)
AWS_REGION Managed by the AWS client (AWS_REGION_FILE is not supported)
AWS_SDK_LOAD_CONFIG Managed by the AWS client. Retrieve the region from the CLI config file (AWS_SDK_LOAD_CONFIG_FILE is not supported)
AWS_SECRET_ACCESS_KEY Managed by the AWS client. Secret access key (AWS_SECRET_ACCESS_KEY_FILE is not supported, use AWS_SHARED_CREDENTIALS_FILE instead)
AWS_WAIT_FOR_RECORD_SETS_CHANGED Wait for changes to be INSYNC (it can be unstable)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information [here]({{< ref "dns#configuration-and-credentials" >}}).

Additional Configuration

Environment Variable Name Description
AWS_MAX_RETRIES The number of maximum returns the service will use to make an individual API request
AWS_POLLING_INTERVAL Time between DNS propagation check
AWS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation
AWS_SHARED_CREDENTIALS_FILE Managed by the AWS client. Shared credentials file.
AWS_TTL The TTL of the TXT record used for the DNS challenge

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information [here]({{< ref "dns#configuration-and-credentials" >}}).

Description

AWS Credentials are automatically detected in the following locations and prioritized in the following order:

  1. Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, [AWS_SESSION_TOKEN]
  2. Shared credentials file (defaults to ~/.aws/credentials, profiles can be specified using AWS_PROFILE)
  3. Amazon EC2 IAM role

The AWS Region is automatically detected in the following locations and prioritized in the following order:

  1. Environment variables: AWS_REGION
  2. Shared configuration file if AWS_SDK_LOAD_CONFIG is set (defaults to ~/.aws/config, profiles can be specified using AWS_PROFILE)

If AWS_HOSTED_ZONE_ID is not set, Lego tries to determine the correct public hosted zone via the FQDN.

See also:

IAM Policy Examples

Broad privileges for testing purposes

The following IAM policy document grants access to the required APIs needed by lego to complete the DNS challenge. A word of caution: These permissions grant write access to any DNS record in any hosted zone, so it is recommended to narrow them down as much as possible if you are using this policy in production.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetChange",
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/*",
        "arn:aws:route53:::change/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}

Least privilege policy for production purposes

The following AWS IAM policy document describes the least privilege permissions required for lego to complete the DNS challenge. Write access is limited to a specified hosted zone's DNS TXT records with a key of _acme-challenge.example.com. Replace Z11111112222222333333 with your hosted zone ID and example.com with your domain name to use this policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/Z11111112222222333333"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/Z11111112222222333333"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
            "_acme-challenge.example.com"
          ],
          "route53:ChangeResourceRecordSetsRecordTypes": [
            "TXT"
          ]
        }
      }
    }
  ]
}

More information