Assume the documentation, I should use policy, like this:
{
"Version": "2017-11-27",
"Statement":[
{
"Effect":"Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/<ZONE_ID>"
]
]
}
I need a very safe policy.
I cannot add specific resource record set (one record in zone) in arn. I can use Condition
to check what record should be changed with ChangeResourceRecordSets
API call. If I'm not mistaken.
This is necessary for automatic update only one record in public domain zone. Updates _acme-challenge.ldap.example.com.
record for automatically update let's encrypt certificates. I know that acme.sh
is available to achive my goal. But I want to write my own custom and simple script to do this.
I can use Condition to check what record should be changed with ChangeResourceRecordSets API call. If I'm not mistaken.
I believe you may be mistaken.
Amazon Route 53 has no service-specific [condition] context keys that can be used in an IAM policy.
http://docs.aws.amazon.com/IAM/latest/UserGuide/list_route53.html
Additionally, none of the global condition keys seem applicable.
However, I believe there's a workaround for this.
Create a second public hosted zone for the domain _acme-challenge.ldap.example.com
. I know you're probably thinking "but that's not a domain!" but in the relevant sense, it actually is still a domain.
Route 53 will assign 4 new nameservers to this new hosted zone. Make a note of those servers.
Back in your original hosted zone, create a record for _acme-challenge.ldap.example.com
of type NS
. The value you will use to create this record will be the 4 nameservers that Route 53 assigned to the new hosted zone, one per line. Do not change any of the existing NS records in either of the zones.
This is called a delegation -- you're delegating authority for this particular subdomain to a different hosted zone, which you will notice was automatically assigned a completely different set of 4 Route 53 servers from those that handle your parent domain.
You can now create a new record in the root of the new hosted zone, and when you do a DNS query for _acme-challenge.ldap.example.com
, the answer returned will be the answer from the new hosted zone.
Now, you can give your script permission only to modify records in the new zone, and it will be unable to modify anything in the parent zone, because you gave it no permissions, there.
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments