Amazon Lightsail

Configuration for Amazon Lightsail.

  • Code: lightsail
  • Since: v0.5.0
Note

Please contribute by adding a CLI example.

Credentials

Environment Variable Name Description
AWS_ACCESS_KEY_ID Managed by the AWS client. Access key ID (AWS_ACCESS_KEY_ID_FILE is not supported, use AWS_SHARED_CREDENTIALS_FILE instead)
AWS_SECRET_ACCESS_KEY Managed by the AWS client. Secret access key (AWS_SECRET_ACCESS_KEY_FILE is not supported, use AWS_SHARED_CREDENTIALS_FILE instead)
DNS_ZONE Domain name of the DNS zone

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
AWS_SHARED_CREDENTIALS_FILE Managed by the AWS client. Shared credentials file.
LIGHTSAIL_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
LIGHTSAIL_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Description

AWS Credentials are automatically detected in the following locations and prioritized in the following order:

  1. Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, [AWS_SESSION_TOKEN]
  2. Shared credentials file (defaults to ~/.aws/credentials, profiles can be specified using AWS_PROFILE)
  3. Amazon EC2 IAM role

AWS region is not required to set as the Lightsail DNS zone is in global (us-east-1) region.

Policy

The following AWS IAM policy document describes the minimum permissions required for lego to complete the DNS challenge.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lightsail:DeleteDomainEntry",
        "lightsail:CreateDomainEntry"
      ],
      "Resource": "<Lightsail DNS zone ARN>"
    }
  ]
}

Replace the Resource value with your Lightsail DNS zone ARN. You can retrieve the ARN using aws cli by running aws lightsail get-domains --region us-east-1 (Lightsail web console does not show the ARN, unfortunately). It should be in the format of arn:aws:lightsail:global:<ACCOUNT ID>:Domain/<DOMAIN ID>. You also need to replace the region in the ARN to us-east-1 (instead of global).

Alternatively, you can also set the Resource to * (wildcard), which allow to access all domain, but this is not recommended.

More information