whereisaaron / dehydrated-route53-hook-script

Dehydrated hook script that employs cli53 to enable dns-01 challenges with AWS Route 53
MIT License

corrected sample IAM policy #2

Closed mnbf9rca closed 7 years ago

mnbf9rca commented 7 years ago

The sample IAM policy doesn't have sufficient privileges to properly execute - when using it I was getting an error:

```
dehydrated@localhost:~$ ./dehydrated --cron --accept-terms
# INFO: Using main config file /home/dehydrated/config
Processing xx.yy.net
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for ubnt.cynexia.net...
Error: AccessDenied: User: arn:aws:iam::598131871882:user/dehydrated-on-xx-yy-net is not authorized to perform: route53:ListHostedZones
        status code: 403, request id: 18afbe49-6945-11e7-b922-81395483c5d6
Could not find zone for xx.yy.net
```

After adding "route53:ListResourceRecordSets" to the initial access group it works.

whereisaaron commented 7 years ago

You're right, we need this permission also.
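An added example, not part of this thread or of the project's code: a small check that pulls the denied action out of an `AccessDenied` line like the one above and tests it against a policy document before the hook is run again. The policy, the account id and the user name are constructed placeholders, and the check looks only at `Effect` and `Action` (it ignores `Resource`, `Condition` and `NotAction`).

```python
import fnmatch
import re

# Constructed policy for illustration; NOT the repository's sample policy.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["route53:ChangeResourceRecordSets", "route53:GetChange"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "route53:ListResourceRecordSets", "Resource": "*"},
    ],
}

# Same message format as in the thread; account id and user are placeholders.
ERROR = ("Error: AccessDenied: User: arn:aws:iam::111122223333:user/example "
         "is not authorized to perform: route53:ListHostedZones")

DENIED_RE = re.compile(r"is not authorized to perform: ([A-Za-z0-9-]+:[A-Za-z0-9*]+)")

def denied_action(line):
    """Return the action named in an AccessDenied message, or None."""
    m = DENIED_RE.search(line)
    return m.group(1) if m else None

def _actions(stmt):
    # "Action" may be a single string or a list of strings.
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)

def _matches(stmt, action):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _actions(stmt))

def is_allowed(policy, action):
    """Action-only check: an explicit Deny wins, otherwise an Allow is required."""
    stmts = policy["Statement"]
    if isinstance(stmts, dict):  # a single statement may appear without a list
        stmts = [stmts]
    if any(s.get("Effect") == "Deny" and _matches(s, action) for s in stmts):
        return False
    return any(s.get("Effect") == "Allow" and _matches(s, action) for s in stmts)

def missing_actions(policy, required):
    """Return the required actions that the policy does not allow."""
    return [a for a in required if not is_allowed(policy, a)]

if __name__ == "__main__":
    act = denied_action(ERROR)
    print(act, "allowed" if is_allowed(POLICY, act) else "NOT allowed by policy")
```

Listing each action the hook needs explicitly, instead of granting `route53:*`, keeps the credential stored on the certificate host limited to the calls it actually makes.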