1 Name = "Amazon Route 53"
2 Description = ''''''
3 URL = "https://aws.amazon.com/route53/"
4 Code = "route53"
5 Since = "v0.3.0"
6 7 Example = '''
8 AWS_ACCESS_KEY_ID=your_key_id \
9 AWS_SECRET_ACCESS_KEY=your_secret_access_key \
10 AWS_REGION=aws-region \
11 AWS_HOSTED_ZONE_ID=your_hosted_zone_id \
12 lego --dns route53 -d '*.example.com' -d example.com run
13 '''
14 15 Additional = '''
16 ## Description
17 18 AWS Credentials are automatically detected in the following locations and prioritized in the following order:
1. Environment variables: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and optionally `AWS_SESSION_TOKEN`
21 2. Shared credentials file (defaults to `~/.aws/credentials`, profiles can be specified using `AWS_PROFILE`)
22 3. Amazon EC2 IAM role
23 24 The AWS Region is automatically detected in the following locations and prioritized in the following order:
25 26 1. Environment variables: `AWS_REGION`
27 2. Shared configuration file if `AWS_SDK_LOAD_CONFIG` is set (defaults to `~/.aws/config`, profiles can be specified using `AWS_PROFILE`)
28 29 If `AWS_HOSTED_ZONE_ID` is not set, Lego tries to determine the correct public hosted zone via the FQDN.
30 31 See also:
32 33 - [sessions](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/sessions.html)
34 - [Setting AWS Credentials](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials)
35 - [Setting AWS Region](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-the-region)
36 37 ## IAM Policy Examples
38 39 ### Broad privileges for testing purposes
The following [IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) document grants access to the APIs lego needs to complete the DNS challenge.
A word of caution:
these permissions grant write access to every DNS record in every hosted zone of the account,
so narrow them down as much as possible before using this policy in production.
45 46 ```json
47 {
48 "Version": "2012-10-17",
49 "Statement": [
50 {
51 "Effect": "Allow",
52 "Action": [
53 "route53:GetChange",
54 "route53:ChangeResourceRecordSets",
55 "route53:ListResourceRecordSets"
56 ],
57 "Resource": [
58 "arn:aws:route53:::hostedzone/*",
59 "arn:aws:route53:::change/*"
60 ]
61 },
62 {
63 "Effect": "Allow",
64 "Action": "route53:ListHostedZonesByName",
65 "Resource": "*"
66 }
67 ]
68 }
69 ```
70 71 ### Least privilege policy for production purposes
The following AWS IAM policy document describes the least privilege permissions required for lego to complete the DNS challenge.
Write access is limited to the TXT record named `_acme-challenge.example.com` in the specified hosted zone.
Replace `Z11111112222222333333` with your hosted zone ID and `example.com` with your domain name to use this policy.
To issue certificates for additional domains, add their `_acme-challenge.` record names to the `route53:ChangeResourceRecordSetsNormalizedRecordNames` list.
76 77 ```json
78 {
79 "Version": "2012-10-17",
80 "Statement": [
81 {
82 "Effect": "Allow",
83 "Action": "route53:GetChange",
84 "Resource": "arn:aws:route53:::change/*"
85 },
86 {
87 "Effect": "Allow",
88 "Action": "route53:ListHostedZonesByName",
89 "Resource": "*"
90 },
91 {
92 "Effect": "Allow",
93 "Action": [
94 "route53:ListResourceRecordSets"
95 ],
96 "Resource": [
97 "arn:aws:route53:::hostedzone/Z11111112222222333333"
98 ]
99 },
100 {
101 "Effect": "Allow",
102 "Action": [
103 "route53:ChangeResourceRecordSets"
104 ],
105 "Resource": [
106 "arn:aws:route53:::hostedzone/Z11111112222222333333"
107 ],
108 "Condition": {
109 "ForAllValues:StringEquals": {
110 "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
111 "_acme-challenge.example.com"
112 ],
113 "route53:ChangeResourceRecordSetsRecordTypes": [
114 "TXT"
115 ]
116 }
117 }
118 }
119 ]
120 }
121 ```
122 '''
123 124 [Configuration]
125 [Configuration.Credentials]
126 AWS_ACCESS_KEY_ID = "Managed by the AWS client. Access key ID (`AWS_ACCESS_KEY_ID_FILE` is not supported, use `AWS_SHARED_CREDENTIALS_FILE` instead)"
127 AWS_SECRET_ACCESS_KEY = "Managed by the AWS client. Secret access key (`AWS_SECRET_ACCESS_KEY_FILE` is not supported, use `AWS_SHARED_CREDENTIALS_FILE` instead)"
128 AWS_REGION = "Managed by the AWS client (`AWS_REGION_FILE` is not supported)"
129 AWS_HOSTED_ZONE_ID = "Override the hosted zone ID."
130 AWS_PROFILE = "Managed by the AWS client (`AWS_PROFILE_FILE` is not supported)"
131 AWS_SDK_LOAD_CONFIG = "Managed by the AWS client. Retrieve the region from the CLI config file (`AWS_SDK_LOAD_CONFIG_FILE` is not supported)"
AWS_ASSUME_ROLE_ARN = "ARN of the IAM role to assume via the STS AssumeRole API operation (`AWS_ASSUME_ROLE_ARN_FILE` is not supported)"
AWS_EXTERNAL_ID = "External ID passed to the STS AssumeRole API operation (`AWS_EXTERNAL_ID_FILE` is not supported)"
AWS_WAIT_FOR_RECORD_SETS_CHANGED = "Wait for the record set change to reach the INSYNC status before continuing (this wait can be unstable)"
135 [Configuration.Additional]
136 AWS_PRIVATE_ZONE = "Set to true to use private zones only (default: use public zones only)"
137 AWS_SHARED_CREDENTIALS_FILE = "Managed by the AWS client. Shared credentials file."
AWS_MAX_RETRIES = "The maximum number of retries the client will use when making an individual API request"
AWS_POLLING_INTERVAL = "Time between DNS propagation checks in seconds (Default: 4)"
140 AWS_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation in seconds (Default: 120)"
141 AWS_TTL = "The TTL of the TXT record used for the DNS challenge in seconds (Default: 10)"
142 143 [Links]
144 API = "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"
145 GoClient = "https://github.com/aws/aws-sdk-go-v2"
146