mirror of
https://github.com/acmesh-official/acme.sh.git
synced 2025-03-14 16:10:09 +08:00
Improve the formatting on Azure DNS and add Bearer token documentation
parent
219dc2807d
commit
d065fc8814
28
dnsapi.md
@ -989,6 +989,12 @@ The `AUTODNS_USER`, `AUTODNS_PASSWORD` and `AUTODNS_CONTEXT` settings will be sa
## 37. Use Azure DNS
You have three options with Azure DNS:
1. Create and use a Service Principal with client secrets (recommended)
2. Using a Managed Identity (has to run on a resource in Azure)
3. Use a provided Bearer token (advanced scenarios only, the Bearer token has a limited lifetime)
### Use Service Principal
You have to create a service principal first. See: [How to use Azure DNS](https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Azure-DNS)
```sh
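Review bot: item 2 of the new options list ("Using a Managed Identity") breaks the imperative form of items 1 and 3; make it "Use a Managed Identity (has to run on a resource in Azure)". It would also help readers weigh the "(recommended)" label on option 1 if the list said that the Service Principal path persists a long-lived `AZUREDNS_CLIENTSECRET` in `~/.acme.sh/account.conf` (as the text below the list states), whereas the Managed Identity and Bearer token paths do not store a client secret.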
@ -1006,18 +1012,34 @@ Then you can issue your certificates with:
`AZUREDNS_SUBSCRIPTIONID`, `AZUREDNS_TENANTID`,`AZUREDNS_APPID` and `AZUREDNS_CLIENTSECRET` settings will be saved in `~/.acme.sh/account.conf` and will be reused when needed.
Alternatively, you can use **Managed Identity** assigned to a resource instead of a service prinvcipal.
### Use Managed Identity
You have to assign a managed identity to your resource, usually a VM, as described [here](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview).
This identity requires [DNS Zone Contributor role](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#dns-zone-contributor).
Before running acme.sh following variables need to bo set:
Before running acme.sh following variables need to be set:
`export AZUREDNS_SUBSCRIPTIONID="12345678-9abc-def0-1234-567890abcdef"`
`export AZUREDNS_MANAGEDIDENTITY=true`
Issuing certificates using managed identity clears previously set settings: `AZUREDNS_TENANTID`, `AZUREDNS_APPID`, `AZUREDNS_CLIENTSECRET`.
`AZUREDNS_SUBSCRIPTIONID` and `AZUREDNS_MANAGEDIDENTITY` will be saved in ~/.acme.sh/account.conf for future use.
### Use provided Bearer token
If you want to use Entra Workload ID in a GitHub Action or similar CI/CD scenarios, you have to use a provided Bearer token.
The identity has to have Azure RBAC to be able to add and delete TXT records in the Azure DNS zone.
You need to extract the token earlier in your CI/CD, for example with this command:
```sh
az account get-access-token --query accessToken --output tsv
```
And then pass it to acme.sh with the environment variable `AZUREDNS_BEARERTOKEN`.
Finally, you need to set the tenant ID and subscription ID in the environment variables `AZUREDNS_TENANTID` and `AZUREDNS_SUBSCRIPTIONID`.
Then you can issue the certificate with acme.sh, for example:
```sh
./acme.sh --issue --dns dns_azure -d example.com -d *.example.com
```
<a name="dns_selectel" />
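Review bot: the closing example `./acme.sh --issue --dns dns_azure -d example.com -d *.example.com` passes the wildcard unquoted, so the shell will glob-expand `*.example.com` if a matching file exists in the working directory; quote it as `-d '*.example.com'` (the same applies to the example in the Service Principal hunk above). Three smaller points in the same hunk: the new "Use provided Bearer token" section is the only one that does not say whether its credential (`AZUREDNS_BEARERTOKEN`) is saved to `~/.acme.sh/account.conf`, which the Service Principal and Managed Identity sections both document, and since the token comes from `az account get-access-token` in a CI job it is also worth telling readers to mask it in job logs; "has to have Azure RBAC to be able to add and delete TXT records" could name the role, e.g. the DNS Zone Contributor role linked in the Managed Identity section; and the unchanged context line "instead of a service prinvcipal" keeps a typo and now duplicates the new "### Use Managed Identity" heading directly below it, so it could be dropped or folded into that section.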