Name = "Amazon Route 53"
Description = ''''''
URL = "https://aws.amazon.com/route53/"
Code = "route53"
Since = "v0.3.0"
Example = '''
AWS_ACCESS_KEY_ID=your_key_id \
AWS_SECRET_ACCESS_KEY=your_secret_access_key \
AWS_REGION=aws-region \
AWS_HOSTED_ZONE_ID=your_hosted_zone_id \
--domains example.com --email your_example@email.com --dns route53 --accept-tos=true run
'''
Additional = '''
## Description
AWS credentials are automatically detected in the following locations and prioritized in the following order:
1. Environment variables: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, [`AWS_SESSION_TOKEN`]
2. Shared credentials file (defaults to `~/.aws/credentials`; profiles can be specified using `AWS_PROFILE`)
3. Amazon EC2 IAM role
The AWS region is automatically detected in the following locations and prioritized in the following order:
1. Environment variables: `AWS_REGION`
2. Shared configuration file if `AWS_SDK_LOAD_CONFIG` is set (defaults to `~/.aws/config`; profiles can be specified using `AWS_PROFILE`)
If `AWS_HOSTED_ZONE_ID` is not set, Lego tries to determine the correct public hosted zone from the FQDN.
See also:
- [sessions](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/sessions.html)
- [Setting AWS Credentials](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials)
- [Setting AWS Region](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-the-region)
## IAM Policy Examples
### Broad privileges for testing purposes
The following [IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) document grants access to the APIs lego needs to complete the DNS challenge.
A word of caution:
These permissions grant write access to any DNS record in any hosted zone,
so narrow them down as much as possible before using this policy in production.
```json
{
"Version" : "2012-10-17" ,
"Statement" : [
{
"Effect" : "Allow" ,
"Action" : [
"route53:GetChange" ,
"route53:ChangeResourceRecordSets" ,
"route53:ListResourceRecordSets"
] ,
"Resource" : [
"arn:aws:route53:::hostedzone/*" ,
"arn:aws:route53:::change/*"
]
} ,
{
"Effect" : "Allow" ,
"Action" : "route53:ListHostedZonesByName" ,
"Resource" : "*"
}
]
}
```
### Least privilege policy for production purposes
The following AWS IAM policy document describes the least-privilege permissions required for lego to complete the DNS challenge.
Write access is limited to a specified hosted zone's DNS TXT records with a key of `_acme-challenge.example.com`.
Replace `Z11111112222222333333` with your hosted zone ID and `example.com` with your domain name to use this policy.
When requesting a certificate for several domains, add each domain's `_acme-challenge.` record name to `route53:ChangeResourceRecordSetsNormalizedRecordNames`.
```json
{
"Version" : "2012-10-17" ,
"Statement" : [
{
"Effect" : "Allow" ,
"Action" : "route53:GetChange" ,
"Resource" : "arn:aws:route53:::change/*"
} ,
{
"Effect" : "Allow" ,
"Action" : "route53:ListHostedZonesByName" ,
"Resource" : "*"
} ,
{
"Effect" : "Allow" ,
"Action" : [
"route53:ListResourceRecordSets"
] ,
"Resource" : [
"arn:aws:route53:::hostedzone/Z11111112222222333333"
]
} ,
{
"Effect" : "Allow" ,
"Action" : [
"route53:ChangeResourceRecordSets"
] ,
"Resource" : [
"arn:aws:route53:::hostedzone/Z11111112222222333333"
] ,
"Condition" : {
"ForAllValues:StringEquals" : {
"route53:ChangeResourceRecordSetsNormalizedRecordNames" : [
"_acme-challenge.example.com"
] ,
"route53:ChangeResourceRecordSetsRecordTypes" : [
"TXT"
]
}
}
}
]
}
```
'''
[Configuration]
[Configuration.Credentials]
AWS_ACCESS_KEY_ID = "Managed by the AWS client. Access key ID (`AWS_ACCESS_KEY_ID_FILE` is not supported, use `AWS_SHARED_CREDENTIALS_FILE` instead)"
AWS_SECRET_ACCESS_KEY = "Managed by the AWS client. Secret access key (`AWS_SECRET_ACCESS_KEY_FILE` is not supported, use `AWS_SHARED_CREDENTIALS_FILE` instead)"
AWS_REGION = "Managed by the AWS client (`AWS_REGION_FILE` is not supported)"
AWS_HOSTED_ZONE_ID = "Override the hosted zone ID."
AWS_PROFILE = "Managed by the AWS client (`AWS_PROFILE_FILE` is not supported)"
AWS_SDK_LOAD_CONFIG = "Managed by the AWS client. Retrieve the region from the CLI config file (`AWS_SDK_LOAD_CONFIG_FILE` is not supported)"
AWS_ASSUME_ROLE_ARN = "Managed by the AWS client. ARN of the role to assume (`AWS_ASSUME_ROLE_ARN_FILE` is not supported)"
[Configuration.Additional]
AWS_SHARED_CREDENTIALS_FILE = "Managed by the AWS client. Shared credentials file."
AWS_MAX_RETRIES = "The maximum number of retries the service will use to make an individual API request"
AWS_POLLING_INTERVAL = "Time between DNS propagation checks"
AWS_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
AWS_TTL = "The TTL of the TXT record used for the DNS challenge"
[Links]
API = "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"
GoClient = "https://github.com/aws/aws-sdk-go/aws"