Which AWS policies are required for the tls.dns.route53 plugin?

Hi, everyone. I’m using the tls.dns.route53 plugin for Caddy.

My caddy config is:

prometheus.domain.name {
  prometheus
  gzip

  tls {
      dns route53
  }

  proxy / localhost:9090 {
      except /health
  }

  log /var/log/caddy/access.log {
      rotate_size 300
      rotate_age 60
      rotate_keep 60
      rotate_compress
  }
  errors /var/log/caddy/errors.log {
      rotate_size 300
      rotate_age 60
      rotate_keep 60
      rotate_compress
  }
}

Caddy is running on an AWS EC2 instance. I’m interested in which IAM policy the tls.dns.route53 plugin needs. I tried to look at the GoDocs here but unfortunately didn’t find this information.

It’s not good practice to give all permissions for route53 and route53 domains to the instance role. So any help will be appreciated.

Hi @hobot,

I don’t know if anyone here can supply the exact answer to your question, but I believe the AWS documentation you’re looking for is here:

And you can go through the Go code here and look for any calls to the route53 object to get an idea for which ones are in use:
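Added example, not part of the thread and not the plugin's code: the source-reading approach suggested in the reply, automated with Go's own parser so the instance role can be limited to the operations the code calls. The embedded source is constructed, the receiver field name `client` is hypothetical, and mapping an operation `Foo` to the IAM action `route53:Foo` is an assumption to confirm against the AWS documentation.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"sort"
	"strings"
)

// sampleSrc is constructed for this example; it is not the plugin's real code.
const sampleSrc = `package provider
func (p *Provider) present() {
	p.client.ListHostedZonesByName(nil)
	p.client.ChangeResourceRecordSets(nil)
	p.client.GetChangeWithContext(nil, nil)
	p.log.Printf("done") // not a Route 53 call, must be ignored
}`

// IAMActions returns the sorted, de-duplicated IAM actions implied by method
// calls on a receiver named field (e.g. p.client). Assumption: Foo -> "route53:Foo".
func IAMActions(src, field string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "provider.go", src, 0)
	if err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	ast.Inspect(f, func(n ast.Node) bool {
		if call, ok := n.(*ast.CallExpr); ok {
			if sel, ok := call.Fun.(*ast.SelectorExpr); ok {
				// Receiver text such as "p.client"; SDK "...WithContext" variants map to the same operation.
				if r := types.ExprString(sel.X); r == field || strings.HasSuffix(r, "."+field) {
					seen["route53:"+strings.TrimSuffix(sel.Sel.Name, "WithContext")] = true
				}
			}
		}
		return true
	})
	actions := make([]string, 0, len(seen))
	for a := range seen {
		actions = append(actions, a)
	}
	sort.Strings(actions)
	return actions, nil
}

func main() {
	fmt.Println(IAMActions(sampleSrc, "client"))
}
```

The returned list is a candidate for the `Action` array of the instance role's policy, in place of a blanket `route53:*` grant.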
