Traefik + Lego on AWS Lightsail #1436
Comments
The Policy part does not give any detail on where these policies should be attached.
The AmazonLightsailInstanceRole is a service-linked role that is managed by AWS outside of the user's AWS account. So I don't think it is possible to assume a role using this role (not 100% sure though, the AWS doc isn't very clear on this). Furthermore, to use STS the client will have to call the assume role API first, then use the temporary credential from the response to call the CreateDomainEntry API. Neither Lego nor Traefik performs this action. For me, I just simply created an IAM user and attached that policy to it, then set the
I have this policy in the IAM user I'm using for configuration:
It should work, right? Also I'm using
The policy should work, though I recommend using the more restrictive one once you have tested it is okay. I don't think the
I'm currently using Traefik and Lego in order to have HTTPS connection to my docker containers.
In the following documentation, it's mentioned that I need to use the following provider to do DNS Challenge.
Now, I did this but I get this error:
and another for DeleteDomainEntry, even though I have lightsail:* on Resource: * permission on the IAM user used for configuration.
If I understand correctly, Lightsail is managed separately from the other AWS services and thus we need to use STS for connecting to it. So my question is this: how can I set the permissions for the temporary token to be able to do CreateDomainEntry and DeleteDomainEntry?
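As an added example (not part of the original thread and not Lego's or Traefik's code), this Python sketch checks an IAM policy document against the two actions named in the thread and flags wildcard grants such as lightsail:* on Resource *. The function names, the sample policies and the placeholder ARN are assumptions made for illustration.

```python
import re

# The two Lightsail API actions this thread says the DNS challenge needs.
REQUIRED = ("lightsail:CreateDomainEntry", "lightsail:DeleteDomainEntry")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action patterns are case-insensitive; '*' and '?' are wildcards.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def audit_policy(policy, required=REQUIRED):
    """Return (missing, findings) for an identity-based policy document.

    Only Allow statements with Action and Resource are evaluated; Deny,
    NotAction, NotResource and Condition are out of scope here.
    """
    granted, findings = set(), []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = _as_list(stmt["Action"])
        hit = {r for r in required if any(_matches(a, r) for a in actions)}
        if not hit:
            continue  # statement is unrelated to the DNS challenge
        granted |= hit
        for a in actions:
            if "*" in a or "?" in a:
                findings.append(f"statement {i}: wildcard action {a}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: Resource * is not scoped to one domain")
    missing = [r for r in required if r not in granted]
    return missing, findings

# Constructed sample policies. The ARN is a placeholder, not a real resource.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lightsail:*", "Resource": "*"}]}
TIGHT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(REQUIRED),
     "Resource": "arn:aws:lightsail:<REGION>:<ACCOUNT-ID>:Domain/<DOMAIN-ID>"}]}

if __name__ == "__main__":
    for name, doc in (("broad", BROAD), ("tight", TIGHT)):
        print(name, audit_policy(doc))
```

An empty `missing` list with an empty `findings` list means the policy grants both actions without wildcards; the sketch does not evaluate Deny statements or conditions.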