» Amazon Route 53 DNS Challenge Provider

The route53 DNS challenge provider can be used to perform DNS challenges for the acme_certificate resource with Amazon Route 53.

For complete information on how to use this provider with the acme_certifiate resource, see here.

» Example

resource "acme_certificate" "certificate" {
  ...

  dns_challenge {
    provider = "route53"
  }
}

» Argument Reference

The following arguments can be either passed as environment variables, or directly through the config block in the dns_challenge argument in the acme_certificate resource. For more details, see here.

In addition, arguments can also be stored in a local file, with the path supplied by supplying the argument with the _FILE suffix. See here for more information.

» Description

AWS Credentials are automatically detected in the following locations and prioritized in the following order:

  1. Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, [AWS_SESSION_TOKEN]
  2. Shared credentials file (defaults to ~/.aws/credentials)
  3. Amazon EC2 IAM role

If AWS_HOSTED_ZONE_ID is not set, Lego tries to determine the correct public hosted zone via the FQDN.

See also: sessions

» Policy

The following AWS IAM policy document describes the permissions required for lego to complete the DNS challenge.

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "",
           "Effect": "Allow",
           "Action": [
               "route53:GetChange",
               "route53:ChangeResourceRecordSets",
               "route53:ListResourceRecordSets"
           ],
           "Resource": [
               "arn:aws:route53:::hostedzone/*",
               "arn:aws:route53:::change/*"
           ]
       },
       {
           "Sid": "",
           "Effect": "Allow",
           "Action": "route53:ListHostedZonesByName",
           "Resource": "*"
       }
   ]
}