Amazon Route 53
Configuration for Amazon Route 53.
- Code:
route53
- Since: v0.3.0
Here is an example bash command using the Amazon Route 53 provider:
AWS_ACCESS_KEY_ID=your_key_id \
AWS_SECRET_ACCESS_KEY=your_secret_access_key \
AWS_REGION=aws-region \
AWS_HOSTED_ZONE_ID=your_hosted_zone_id \
lego --email you@example.com --dns route53 -d '*.example.com' -d example.com run
Credentials
Environment Variable Name | Description |
---|---|
AWS_ACCESS_KEY_ID |
Managed by the AWS client. Access key ID (AWS_ACCESS_KEY_ID_FILE is not supported, use AWS_SHARED_CREDENTIALS_FILE instead) |
AWS_ASSUME_ROLE_ARN |
Managed by the AWS Role ARN (AWS_ASSUME_ROLE_ARN_FILE is not supported) |
AWS_EXTERNAL_ID |
Managed by STS AssumeRole API operation (AWS_EXTERNAL_ID_FILE is not supported) |
AWS_HOSTED_ZONE_ID |
Override the hosted zone ID. |
AWS_PROFILE |
Managed by the AWS client (AWS_PROFILE_FILE is not supported) |
AWS_REGION |
Managed by the AWS client (AWS_REGION_FILE is not supported) |
AWS_SDK_LOAD_CONFIG |
Managed by the AWS client. Retrieve the region from the CLI config file (AWS_SDK_LOAD_CONFIG_FILE is not supported) |
AWS_SECRET_ACCESS_KEY |
Managed by the AWS client. Secret access key (AWS_SECRET_ACCESS_KEY_FILE is not supported, use AWS_SHARED_CREDENTIALS_FILE instead) |
AWS_WAIT_FOR_RECORD_SETS_CHANGED |
Wait for changes to be INSYNC (it can be unstable) |
The environment variable names can be suffixed by _FILE
to reference a file instead of a value.
More information here.
Additional Configuration
Environment Variable Name | Description |
---|---|
AWS_MAX_RETRIES |
The number of maximum returns the service will use to make an individual API request |
AWS_POLLING_INTERVAL |
Time between DNS propagation check in seconds (Default: 4) |
AWS_PROPAGATION_TIMEOUT |
Maximum waiting time for DNS propagation in seconds (Default: 120) |
AWS_SHARED_CREDENTIALS_FILE |
Managed by the AWS client. Shared credentials file. |
AWS_TTL |
The TTL of the TXT record used for the DNS challenge in seconds (Default: 10) |
The environment variable names can be suffixed by _FILE
to reference a file instead of a value.
More information here.
Description
AWS Credentials are automatically detected in the following locations and prioritized in the following order:
- Environment variables:
AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
, [AWS_SESSION_TOKEN
] - Shared credentials file (defaults to
~/.aws/credentials
, profiles can be specified usingAWS_PROFILE
) - Amazon EC2 IAM role
The AWS Region is automatically detected in the following locations and prioritized in the following order:
- Environment variables:
AWS_REGION
- Shared configuration file if
AWS_SDK_LOAD_CONFIG
is set (defaults to~/.aws/config
, profiles can be specified usingAWS_PROFILE
)
If AWS_HOSTED_ZONE_ID
is not set, Lego tries to determine the correct public hosted zone via the FQDN.
See also:
IAM Policy Examples
Broad privileges for testing purposes
The following IAM policy document grants access to the required APIs needed by lego to complete the DNS challenge. A word of caution: These permissions grant write access to any DNS record in any hosted zone, so it is recommended to narrow them down as much as possible if you are using this policy in production.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:GetChange",
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/*",
"arn:aws:route53:::change/*"
]
},
{
"Effect": "Allow",
"Action": "route53:ListHostedZonesByName",
"Resource": "*"
}
]
}
Least privilege policy for production purposes
The following AWS IAM policy document describes the least privilege permissions required for lego to complete the DNS challenge.
Write access is limited to a specified hosted zone’s DNS TXT records with a key of _acme-challenge.example.com
.
Replace Z11111112222222333333
with your hosted zone ID and example.com
with your domain name to use this policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "route53:GetChange",
"Resource": "arn:aws:route53:::change/*"
},
{
"Effect": "Allow",
"Action": "route53:ListHostedZonesByName",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"route53:ListResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/Z11111112222222333333"
]
},
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/Z11111112222222333333"
],
"Condition": {
"ForAllValues:StringEquals": {
"route53:ChangeResourceRecordSetsNormalizedRecordNames": [
"_acme-challenge.example.com"
],
"route53:ChangeResourceRecordSetsRecordTypes": [
"TXT"
]
}
}
}
]
}