- Follow http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html to create a new IAM user and obtain API keys (an access key ID and secret access key) for it.
- Save the downloaded API keys; acme.sh will use them later.
- In the user's profile, click Permissions, then Add Permissions.
- Click the third option, "Attach existing policies directly".
- Click "Create Policy" and, in the new window, choose "Create Your Own Policy".
- Enter a name for your policy and paste the following. Note that this policy grants `ChangeResourceRecordSets` on every hosted zone in the account (`"Resource": "*"`); the appendix below shows how to scope it to one zone and one record name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:GetHostedZoneCount",
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "*"
    }
  ]
}
```
Validate the policy and click Create, then attach the new policy to the new user.

You can now use the new API keys with acme.sh: export them as `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` and issue with `--dns dns_aws`, as described in https://github.com/Neilpang/acme.sh/tree/master/dnsapi#10-use-amazon-route53-domain-api
Appendix

If you want a much more restrictive AWS policy, use the following. It keeps `ListHostedZones` on `"*"` (that action has no resource-level ARN), limits reads to a single hosted zone, and allows `ChangeResourceRecordSets` only on that zone and only for the `_acme-challenge` record name, so a leaked key cannot rewrite any other record:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/<ZONE-ID>"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/<ZONE-ID>",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": "_acme-challenge.<SUB>.<DOMAIN>.<TLD>"
        }
      }
    }
  ]
}
```

Replace `<ZONE-ID>` with the hosted zone ID (the part after `/hostedzone/` in the zone's `Id`) and `_acme-challenge.<SUB>.<DOMAIN>.<TLD>` with the exact challenge name for your certificate, without a trailing dot. To issue for several names from one zone, give the condition key a JSON array of the `_acme-challenge.*` names instead of a single string.
Buy me a beer, Donate to acme.sh if it saves your time. Your donation makes acme.sh better: https://donate.acme.sh/
If acme.sh has saved you time, please consider buying me a beer 🍺. Donate: https://donate.acme.sh/ Your support will make acme.sh better and better. Thank you.