
Traefik + Lego on AWS Lightsail #1436

Closed
Clement-Jean opened this issue Jun 25, 2021 · 4 comments

Clement-Jean (Contributor) commented Jun 25, 2021

I'm currently using Traefik and Lego in order to have an HTTPS connection to my Docker containers.

In the following documentation, it's mentioned that I need to use the following provider to do DNS Challenge.

Now, I did this but I get this error:

AccessDeniedException: User: arn:aws:sts::***:assumed-role/AmazonLightsailInstanceRole/*** is not authorized to perform: lightsail:CreateDomainEntry on resource: arn:aws:lightsail:us-east-1:***

and another for DeleteDomainEntry, even though I have the lightsail:* permission on Resource: * on the IAM user used for configuration.

If I understand correctly, Lightsail is managed separately from the other AWS services and thus we need to use STS for connecting to it. So my question is this: how can I set the permissions for the temporary token to be able to do CreateDomainEntry and DeleteDomainEntry?

Clement-Jean (Contributor, Author) commented Jun 25, 2021

The Policy part does not give any detail on where this policy should be attached.

dicksonleong (Contributor):

The AmazonLightsailInstanceRole is a service-linked role that is managed by AWS outside of the user's AWS account. So I don't think it is possible to assume role using this role (not 100% sure though, the AWS doc isn't very clear on this).

Furthermore, to use STS the client has to call the AssumeRole API first, then use the temporary credentials from the response to call the CreateDomainEntry API. Neither Lego nor Traefik performs this action.

For me, I simply created an IAM user and attached that policy to it, then set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY of this user when running Traefik.

Clement-Jean (Contributor, Author):

I have this policy on the IAM user I'm using for configuration:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lightsail:*"
            ],
            "Resource": "*"
        }
    ]
}

It should work, right?

Also, I'm using AWS_ACCESS_KEY_ID_FILE and AWS_SECRET_ACCESS_KEY_FILE, but this shouldn't change anything, I guess.

dicksonleong (Contributor) commented Jun 27, 2021

The policy should work, though I recommend using the more restrictive one once you have tested that it is okay.

I don't think the _FILE suffix works for the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY since those are read by the AWS SDK directly (https://docs.aws.amazon.com/sdk-for-go/api/aws/credentials/#EnvProvider).
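One way to keep the secrets in files anyway, as an added example that is not part of this thread and not Traefik's or Lego's own code: a small container entrypoint that reads the *_FILE paths itself and exports the plain variables before exec'ing the real command, so the SDK's EnvProvider sees them. The wrapper name, file paths and Traefik command line are assumptions.

```shell
#!/bin/sh
# Hypothetical container entrypoint (not Traefik's or Lego's own code): resolve
# AWS_ACCESS_KEY_ID_FILE / AWS_SECRET_ACCESS_KEY_FILE into the plain variables
# that the AWS SDK's EnvProvider reads, then hand off to the real command.

# resolve_file_var NAME: if NAME is unset/empty and NAME_FILE names a readable
# file, export NAME with that file's contents. An explicit NAME always wins.
resolve_file_var() {
    name="$1"
    # Only plain identifiers are accepted, so the eval below cannot be abused.
    case "$name" in
        ''|*[!A-Za-z0-9_]*) echo "wrapper: bad variable name '$name'" >&2; return 1 ;;
    esac
    eval "current=\${$name:-}"
    eval "file=\${${name}_FILE:-}"
    if [ -n "$current" ]; then
        return 0   # value given directly; nothing to do
    fi
    if [ -z "$file" ]; then
        return 0   # neither form set; leave it to the SDK's other providers
    fi
    if [ ! -r "$file" ]; then
        echo "wrapper: $name is unset and ${name}_FILE='$file' is not readable" >&2
        return 1
    fi
    # Command substitution drops trailing newlines, which is what we want for a
    # one-line secret file; the key never appears on a command line or in logs.
    value=$(cat "$file")
    export "$name=$value"
}

# run_with_file_secrets CMD [ARGS...]: resolve both credential variables, then
# exec CMD so it becomes PID 1 with the resolved environment.
run_with_file_secrets() {
    for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
        resolve_file_var "$v" || exit 1
    done
    exec "$@"
}

# Usage (assumed command line): ./entrypoint.sh traefik --configFile=/etc/traefik/traefik.yml
if [ "$#" -gt 0 ]; then
    run_with_file_secrets "$@"
fi
```

A missing or unreadable secret file aborts the start instead of letting Traefik run with empty credentials, which is the failure mode to catch early.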
