I have been tasked with setting up Wildcard SSL for some domains. These domains are hosted through AWS Route53.
I am using Certbot on an Ubuntu 20.04 machine (we're using Lightsail), where the apps are hosted. I have also installed the Route53 DNS plugin for Certbot.
I run this command (real domains removed for security reasons):

```
sudo certbot certonly --dns-route53 --email '**@**.**' --domain 'mywebsite.rocks' --domain '*.mywebsite.rocks' --agree-tos --non-interactive
```
I get this error:

```
An error occurred (AccessDenied) when calling the ListHostedZones operation: User: arn:aws:sts::*********:assumed-role/**********/********** is not authorized to perform: route53:ListHostedZones because no identity-based policy allows the route53:ListHostedZones action
```
Let me explain first how I set up the IAM user in the AWS console.
- I created a new Policy with this config, replacing WHAT-EVER-MY-ID-IS-HERE with my actual domain's Hosted Zone ID:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/WHAT-EVER-MY-ID-IS-HERE"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZones",
      "Resource": "*"
    }
  ]
}
```
- I then created a new IAM User and, during set-up, attached the above Policy to the user.
- I then created an Access Key for my new User and took note of the AccessKeyId and SecretAccessKey. This has access to be used programmatically.
- On the server, I created a config file at /root/.aws/config as instructed in the documentation. I also tried ~/.aws/config, but as I am using sudo the former seemed the preferred location (I could be wrong though, and during my tests, neither worked anyway).
And, as mentioned above, I run the command and get the error.
I have searched the web high and low for a solution, but cannot find one.
I'd appreciate any help I can get from folk.
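A diagnostic script, added here as an example and not part of the original question or of Certbot's own code. The ARN in the error above is the identity whose credentials the Route53 plugin actually used, and the same ARN is what `aws sts get-caller-identity` prints for those credentials, so checking that identity under `sudo` (the same way `certbot` is run) shows whether the key pair in `/root/.aws/config` is being picked up at all. The script writes a sample config in the `[default]` profile layout that the certbot-dns-route53 documentation describes into a temporary directory, checks that both keys are present in that profile, and then, only if the AWS CLI is installed, prints the identity and the hosted zones visible to it. The access key values are constructed placeholders, and the `--selfcheck` flag and function names are this script's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify which AWS identity the
# certbot route53 plugin will use under sudo before requesting a certificate.
# Key values below are constructed placeholders, not real credentials.
set -euo pipefail

# Writes a config file in the layout the certbot-dns-route53 docs describe:
# a [default] profile carrying the access key pair. Written to a temp path
# here so the script runs stand-alone; the real file is /root/.aws/config.
make_sample_config() {
  local file="$1"
  mkdir -p "$(dirname "$file")"
  cat > "$file" <<'EOF'
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
EOF
  chmod 600 "$file"   # keys readable by root only
}

# Returns 0 if FILE has a [default] profile containing both key settings,
# 1 otherwise. If the profile is missing or misnamed, boto3 ignores the file
# and falls through to the next credential source (environment variables,
# then the instance's own role), which is how an unexpected assumed-role
# identity ends up being used.
config_has_default_keys() {
  local file="$1"
  [ -r "$file" ] || return 1
  # Keep only the lines of the [default] section (up to the next header).
  local section
  section=$(awk '/^\[/{inside=($0=="[default]")} inside' "$file")
  printf '%s\n' "$section" | grep -Eq '^[[:space:]]*aws_access_key_id[[:space:]]*=' || return 1
  printf '%s\n' "$section" | grep -Eq '^[[:space:]]*aws_secret_access_key[[:space:]]*=' || return 1
  return 0
}

# Live checks, skipped when the AWS CLI is absent. Run this as root (sudo),
# exactly as certbot is run, so HOME and therefore ~/.aws resolve the same way.
diagnose() {
  command -v aws >/dev/null 2>&1 || { echo "aws CLI not installed; skipping live checks"; return 0; }
  echo "Identity certbot will use (expect the IAM user ARN, not an assumed-role):"
  aws sts get-caller-identity
  echo "Hosted zones visible to that identity:"
  aws route53 list-hosted-zones --query 'HostedZones[].{Id:Id,Name:Name}' --output table
}

if [ "${1:-}" = "--selfcheck" ]; then
  tmp=$(mktemp -d)
  make_sample_config "$tmp/config"
  config_has_default_keys "$tmp/config" && echo "sample config layout OK"
  rm -rf "$tmp"
  diagnose
fi
```

Run it as `sudo bash check-route53-creds.sh --selfcheck`. Two caveats worth knowing: `sudo` resets most environment variables, so an `AWS_CONFIG_FILE` or `AWS_PROFILE` set in your own shell does not reach `certbot` unless you pass it through (for example with `sudo -E` or by setting it on the `sudo` command line); and once `aws sts get-caller-identity` reports the IAM user, `certbot ... --dry-run` against the staging environment confirms the policy before a real issuance.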