» Amazon Route 53 DNS Challenge Provider

The route53 DNS challenge provider can be used to perform DNS challenges for the acme_certificate resource with Amazon Route 53.

For complete information on how to use this provider with the acme_certificate resource, see here.

» Example

resource "acme_certificate" "certificate" {
  # ...

  dns_challenge {
    provider = "route53"
    # ...
  }
}

» Argument Reference

The following arguments can be passed either as environment variables or directly through the config block in the dns_challenge argument in the acme_certificate resource. For more details, see here.

In addition, arguments can be stored in a local file: append the _FILE suffix to the argument name and supply the path to the file as its value. See here for more information.

» Description

AWS credentials are automatically detected in the following locations and prioritized in the following order:

  2. Shared credentials file (defaults to ~/.aws/credentials)
  3. Amazon EC2 IAM role

If AWS_HOSTED_ZONE_ID is not set, Lego tries to determine the correct public hosted zone via the FQDN.

See also: sessions

» Policy

The following AWS IAM policy document describes the permissions required for lego to complete the DNS challenge.

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "",
           "Effect": "Allow",
           "Action": [ ... ],
           "Resource": [ ... ]
       },
       {
           "Sid": "",
           "Effect": "Allow",
           "Action": "route53:ListHostedZonesByName",
           "Resource": "*"
       }
   ]
}
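
The policy attached to the credentials decides how much DNS the ACME client can rewrite, so it is worth checking before it is deployed. The following check is an added example, not part of the original page or of lego: it flags Allow statements that permit record changes in every hosted zone or on any record name. The sample policies, the zone ID Z0000000EXAMPLE and the domain are constructed; route53:ChangeResourceRecordSets, route53:GetChange and the two condition keys are taken from the AWS IAM reference for Route 53, not from this page.

```python
from fnmatch import fnmatchcase

CHANGE = "route53:changeresourcerecordsets"
# IAM condition key that restricts which record names a change may touch.
NAME_KEY = "route53:changeresourcerecordsetsnormalizedrecordnames"

def as_list(value):
    """IAM allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (statement index, finding) pairs for Allow statements that let
    the ACME client change more DNS records than a DNS-01 challenge needs."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # Action patterns are case-insensitive and may use wildcards ("route53:*").
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if not any(fnmatchcase(CHANGE, a) for a in actions):
            continue
        resources = as_list(stmt.get("Resource", []))
        if any(r == "*" or r.endswith(":hostedzone/*") for r in resources):
            findings.append((i, "any-hosted-zone"))
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if NAME_KEY not in cond_keys:
            findings.append((i, "any-record-name"))
    return findings

# Constructed sample: record changes allowed in every hosted zone.
BROAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["route53:GetChange", "route53:ChangeResourceRecordSets"],
    "Resource": ["arn:aws:route53:::hostedzone/*", "arn:aws:route53:::change/*"],
}]}

# Constructed sample: one zone (placeholder ID), only the challenge TXT record.
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "route53:ChangeResourceRecordSets",
    "Resource": "arn:aws:route53:::hostedzone/Z0000000EXAMPLE",
    "Condition": {"ForAllValues:StringEquals": {
        "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["_acme-challenge.example.com"],
        "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
    }},
}]}

if __name__ == "__main__":
    print("BROAD :", audit(BROAD))
    print("SCOPED:", audit(SCOPED))
```

A scoped statement still has to be paired with the read-only permissions the client uses to find the zone and poll the change status.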