Amazon Route 53

<!-- THIS DOCUMENTATION IS AUTO-GENERATED. PLEASE DO NOT EDIT. --> <!-- providers/dns/route53/route53.toml --> <!-- THIS DOCUMENTATION IS AUTO-GENERATED. PLEASE DO NOT EDIT. -->

Configuration for Amazon Route 53.

<!--more-->
  • Code: route53
  • Since: v0.3.0

Here is an example bash command using the Amazon Route 53 provider:

```bash
AWS_ACCESS_KEY_ID=your_key_id \
AWS_SECRET_ACCESS_KEY=your_secret_access_key \
AWS_REGION=aws-region \
AWS_HOSTED_ZONE_ID=your_hosted_zone_id \
lego --dns route53 -d '*.example.com' -d example.com run
```

Credentials

| Environment Variable Name | Description |
|---|---|
| `AWS_ACCESS_KEY_ID` | Managed by the AWS client. Access key ID (`AWS_ACCESS_KEY_ID_FILE` is not supported, use `AWS_SHARED_CREDENTIALS_FILE` instead) |
| `AWS_ASSUME_ROLE_ARN` | ARN of the IAM role to assume (`AWS_ASSUME_ROLE_ARN_FILE` is not supported) |
| `AWS_EXTERNAL_ID` | External ID passed to the STS AssumeRole API operation (`AWS_EXTERNAL_ID_FILE` is not supported) |
| `AWS_HOSTED_ZONE_ID` | Override the hosted zone ID. |
| `AWS_PROFILE` | Managed by the AWS client (`AWS_PROFILE_FILE` is not supported) |
| `AWS_REGION` | Managed by the AWS client (`AWS_REGION_FILE` is not supported) |
| `AWS_SDK_LOAD_CONFIG` | Managed by the AWS client. Retrieve the region from the CLI config file (`AWS_SDK_LOAD_CONFIG_FILE` is not supported) |
| `AWS_SECRET_ACCESS_KEY` | Managed by the AWS client. Secret access key (`AWS_SECRET_ACCESS_KEY_FILE` is not supported, use `AWS_SHARED_CREDENTIALS_FILE` instead) |
| `AWS_WAIT_FOR_RECORD_SETS_CHANGED` | Wait for changes to be INSYNC (it can be unstable) |

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information [here]({{% ref "dns#configuration-and-credentials" %}}).

Additional Configuration

| Environment Variable Name | Description |
|---|---|
| `AWS_MAX_RETRIES` | The maximum number of retries the service will use to make an individual API request |
| `AWS_POLLING_INTERVAL` | Time between DNS propagation checks in seconds (Default: 4) |
| `AWS_PRIVATE_ZONE` | Set to true to use private zones only (default: use public zones only) |
| `AWS_PROPAGATION_TIMEOUT` | Maximum waiting time for DNS propagation in seconds (Default: 120) |
| `AWS_SHARED_CREDENTIALS_FILE` | Managed by the AWS client. Shared credentials file. |
| `AWS_TTL` | The TTL of the TXT record used for the DNS challenge in seconds (Default: 10) |

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information [here]({{% ref "dns#configuration-and-credentials" %}}).

Description

AWS Credentials are automatically detected in the following locations and prioritized in the following order:

  1. Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, [AWS_SESSION_TOKEN]
  2. Shared credentials file (defaults to ~/.aws/credentials, profiles can be specified using AWS_PROFILE)
  3. Amazon EC2 IAM role

The AWS Region is automatically detected in the following locations and prioritized in the following order:

  1. Environment variables: AWS_REGION
  2. Shared configuration file if AWS_SDK_LOAD_CONFIG is set (defaults to ~/.aws/config, profiles can be specified using AWS_PROFILE)

If AWS_HOSTED_ZONE_ID is not set, Lego tries to determine the correct public hosted zone via the FQDN.

See also:

IAM Policy Examples

Broad privileges for testing purposes

The following IAM policy document grants access to the APIs lego needs to complete the DNS challenge. A word of caution: these permissions grant write access to any DNS record in any hosted zone, so it is recommended to narrow them down as much as possible if you are using this policy in production.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetChange",
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/*",
        "arn:aws:route53:::change/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}
```

Least privilege policy for production purposes

The following AWS IAM policy document describes the least privilege permissions required for lego to complete the DNS challenge. Write access is limited to a specified hosted zone's DNS TXT records with a key of _acme-challenge.example.com. Replace Z11111112222222333333 with your hosted zone ID and example.com with your domain name to use this policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/Z11111112222222333333"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/Z11111112222222333333"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
            "_acme-challenge.example.com"
          ],
          "route53:ChangeResourceRecordSetsRecordTypes": [
            "TXT"
          ]
        }
      }
    }
  ]
}
```
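To make the `ForAllValues:StringEquals` condition in the least-privilege policy concrete, here is an added example (not lego's code and not part of this page) that evaluates a constructed Route 53 change batch against that last statement. The `normalize()`, `txt_change()` and `a_change()` helpers are my own assumptions, and record-name normalization is approximated as lowercase without the trailing dot.

```python
import json

# Placeholders from the least-privilege policy on this page.
ZONE_ID = "Z11111112222222333333"
ALLOWED_NAMES = {"_acme-challenge.example.com"}
ALLOWED_TYPES = {"TXT"}


def normalize(name: str) -> str:
    """Assumed approximation of the ...NormalizedRecordNames condition key:
    lowercase without the trailing dot (other escaping is not modelled)."""
    return name.lower().rstrip(".")


def change_allowed(zone_id: str, change_batch: list) -> bool:
    """Evaluate one ChangeResourceRecordSets call against the policy's last statement.
    The Resource must be the allowed hosted zone, and ForAllValues:StringEquals
    passes only if EVERY record name and EVERY type in the batch is allowed, so one
    stray record denies the whole batch (an empty value set satisfies ForAllValues)."""
    if zone_id != ZONE_ID:
        return False  # arn:aws:route53:::hostedzone/<zone> does not match
    names = {normalize(c["ResourceRecordSet"]["Name"]) for c in change_batch}
    types = {c["ResourceRecordSet"]["Type"] for c in change_batch}
    return names <= ALLOWED_NAMES and types <= ALLOWED_TYPES


def txt_change(name: str, value: str, action: str = "UPSERT") -> dict:
    """Constructed sample of the TXT change lego submits for the dns-01 challenge."""
    return {"Action": action, "ResourceRecordSet": {
        "Name": name, "Type": "TXT", "TTL": 10,
        "ResourceRecords": [{"Value": json.dumps(value)}]}}


def a_change(name: str, ip: str) -> dict:
    """Constructed sample of a non-challenge record the policy must reject."""
    return {"Action": "UPSERT", "ResourceRecordSet": {
        "Name": name, "Type": "A", "TTL": 300, "ResourceRecords": [{"Value": ip}]}}


if __name__ == "__main__":
    acme = txt_change("_acme-challenge.EXAMPLE.com.", "constructed-token")
    print(change_allowed(ZONE_ID, [acme]))  # True
    print(change_allowed(ZONE_ID, [acme, a_change("www.example.com.", "192.0.2.10")]))  # False
    print(change_allowed("Z99999999999999999999", [acme]))  # False
```

Because the condition applies to the whole batch, a compromised lego credential can only create, update or delete the `_acme-challenge` TXT record in the one zone, which is exactly the blast radius the policy intends.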

More information
