Using Cert-manager + Route53 With Kiam
As described here: https://cert-manager.io/docs/configuration/acme/dns01/route53/#set-up-an-iam-role, first you need to create a role, for example `dns-manager`, with the following policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}
You can replace the * in arn:aws:route53:::hostedzone/* with a specific zone ID.
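Added example, not from the original post or from cert-manager: a small audit that finds Allow statements granting Route53 record writes on every hosted zone, and narrows them to specific zone IDs as recommended above. The sample policy embedded below is the dns-manager policy from the page; the zone ID used in the narrowing is the page's placeholder value.

```python
import copy

# Constructed sample: the dns-manager policy from the page, hosted zone still wildcarded.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "route53:GetChange",
         "Resource": "arn:aws:route53:::change/*"},
        {"Effect": "Allow",
         "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
         "Resource": "arn:aws:route53:::hostedzone/*"},
        {"Effect": "Allow", "Action": "route53:ListHostedZonesByName", "Resource": "*"},
    ],
}

# The action that writes DNS records, i.e. the one that can satisfy a DNS-01
# challenge for any name in every zone the Resource element covers.
WRITE_ACTIONS = {"route53:ChangeResourceRecordSets", "route53:*", "*"}

def _as_list(value):
    # IAM accepts either a string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def find_wildcard_zone_writes(policy):
    """Return (statement index, resource) for each Allow statement that grants a
    record-write action on every hosted zone ('*' or .../hostedzone/*)."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not WRITE_ACTIONS & set(_as_list(stmt.get("Action", []))):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res.endswith("hostedzone/*"):
                findings.append((i, res))
    return findings

def scope_to_zones(policy, zone_ids):
    """Return a copy of the policy with each wildcard hosted-zone resource replaced
    by one ARN per zone ID, which is the narrowing the page recommends."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        resources = []
        for res in _as_list(stmt.get("Resource", [])):
            if res.endswith("hostedzone/*"):
                resources += [f"arn:aws:route53:::hostedzone/{z}" for z in zone_ids]
            else:
                resources.append(res)
        stmt["Resource"] = resources[0] if len(resources) == 1 else resources
    return scoped
```

The ListHostedZonesByName statement is left on "*" on purpose: it is a read-only action and is not flagged.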
Use cert-manager without kiam
If you don't use kiam, you just need to allow the instance role to assume this role. Attach this policy to the instance role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "<role-arn>"
      },
      "Effect": "Allow"
    }
  ]
}
Replace <role-arn> with the ARN of the instance role.
Then define a ClusterIssuer and tell the issuer to assume this role to manage the zone:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # .... other options
    solvers:
    - selector:
        dnsZones:
        - "example.com"
      dns01:
        route53:
          region: us-east-1
          hostedZoneID: DIKER8JEXAMPLE # optional, see policy above
          role: arn:aws:iam::YYYYYYYYYYYY:role/dns-manager
Use cert-manager with kiam
You need to get kiam working first. Then allow the kiam server to assume the dns-manager role. Attach this policy to the kiam server role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "<role-arn>"
      },
      "Effect": "Allow"
    }
  ]
}
Replace <role-arn> with the kiam server role ARN.
Define a ClusterIssuer; this time the issuer does not need to assume the role itself:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # .... other options
    solvers:
    - selector:
        dnsZones:
        - "example.com"
      dns01:
        route53:
          region: us-east-1
          hostedZoneID: DIKER8JEXAMPLE # optional, see policy above
But we need to add an annotation to the cert-manager pod so that kiam hands it the role:
iam.amazonaws.com/role: <role-arn>
Replace <role-arn> with the role ARN of dns-manager.