From 497a0cfe92fd7e278afbfcc971c177f2061f676b Mon Sep 17 00:00:00 2001 From: Adam Bulgatz Date: Thu, 3 Oct 2024 00:40:31 -0500 Subject: [PATCH] Fixed broken link, added link names, fixed spelling errors, homogenized formatting, expanded and split section "Note: Dealing with multiple DNS Zones" to "Note: Dealing with multiple credentials". --- How-to-use-Azure-DNS.md | 73 ++++++++++++++++++++++++++++------------- 1 file changed, 50 insertions(+), 23 deletions(-) diff --git a/How-to-use-Azure-DNS.md b/How-to-use-Azure-DNS.md index 270b63a..c00e315 100644 --- a/How-to-use-Azure-DNS.md +++ b/How-to-use-Azure-DNS.md @@ -1,16 +1,20 @@ #### Prerequisites -You need the Azure Cli 2.0 tools to create a service principal for access to your DNS Zone. -Either install Azure Cli 2.0 locally or use the Azure Cloud Shell in Bash mode. -See [ -Azure Command-Line Interface (CLI) documentation](https://docs.microsoft.com/en-us/cli/azure/overview?view=azure-cli-latest) +You need the Azure CLI 2.0 tools to create a service principal for access to your DNS Zone. + +Either install Azure CLI 2.0 locally or use the Azure Cloud Shell in Bash mode. + +(See the [ +Azure Command-Line Interface (CLI) documentation](https://docs.microsoft.com/en-us/cli/azure/overview?view=azure-cli-latest) for more details) #### Log-in to Azure -(not required when using the Azure Cloud Shell) + +(Not required when using the Azure Cloud Shell) ``` az login ``` + ```json [ { 
@@ -100,13 +104,16 @@ az network dns zone list } ] ``` + #### Create a service principal + The service principal is used to grant acme.sh access to the DNS Zone using the id value from the previous commands output -(See https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az_ad_sp_create_for_rbac for more details ) +(See the [az ad sp create-for-rbac](https://learn.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create-for-rbac) documentation for more details) ``` -az ad sp create-for-rbac --name "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com +az ad sp create-for-rbac --name "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes \ + /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com ``` ```json 
@@ -120,35 +127,55 @@ az ad sp create-for-rbac --name "AcmeDnsValidator" --role "DNS Zone Contributor ``` ##### Note: Dealing with multiple DNS Zones -Because by default acme.sh saves the credentials in ~/.acme.sh/account.conf you have to use the same credentials for all your DNS Zones*. -For example if you are also managing certificates for example.edu you can grant the the service principal acccess to the DNS Zone with: +If you are managing certificates for multiple DNS Zones, you can create the service principal with multiple scopes. + +For example, if you are managing certificates for both `example.com` and `example.edu`, you can create the service principal with both scopes: ``` -az ad sp create-for-rbac --name "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/deleteme_rg/providers/Microsoft.Network/dnszones/example.edu - -``` -or grant access to the service principal after you created it - ``` -az role assignment create --assignee 3b5033b5-7a66-43a5-b3b9-a36b9e7c25ed --role "DNS Zone Contributor" --scope /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/deleteme_rg/providers/Microsoft.Network/dnszones/example.edu +az ad sp create-for-rbac --name "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes \ + /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com \ + /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns2_rg/providers/Microsoft.Network/dnszones/example.edu ``` -\*If you want to use different credentials instead use the --accountconf switch to specifiy a configuration file +Or if the service principal has already been created, you can grant it access to the additional scope: -### Limit access permissions to TXT records +``` +az ad 
sp list --filter "displayname eq 'AcmeDnsValidator'" | grep '^ \"id\":' +``` + +(The `grep` above is assuming a json array of nested lists is returned with a tab size of two spaces and is finding the top-level `id`) + +```json + "id": "daaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", +``` + +``` +az role assignment create --assignee daaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa --role "DNS Zone Contributor" --scope \ + /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/deleteme_rg/providers/Microsoft.Network/dnszones/example.edu +``` + +##### Note: Dealing with multiple credentials + +By default acme.sh saves credentials in `~/.acme.sh/account.conf` and these credentials are used for all DNS zones. + +If you want to use different credentials, use the `--accountconf` switch to specify a configuration file. + +#### Limit access permissions to TXT records In Azure DNS you can limit the permissions for the service principal further and only grant permissions to modifiy TXT records for a given DNS Zone. -(See https://docs.microsoft.com/en-us/azure/dns/dns-protect-zones-recordsets for more details) -Example: -* Azure Subscription is 12345678-9abc-def0-1234-567890abcdef -* The resource group of your DNS Zone is exampledns_rg -* The DNS Zone is example.com +(See [How to protect DNS zones and records](https://docs.microsoft.com/en-us/azure/dns/dns-protect-zones-recordsets) for more details) +Example: + +* Azure Subscription is `12345678-9abc-def0-1234-567890abcdef` +* The resource group of your DNS Zone is `exampledns_rg` +* The DNS Zone is `example.com` ```sh #!/usr/bin/env sh -# Create a custom RBAC role that grants permissions to modifiy only TXT records +# Create a custom RBAC role that grants permissions to modify only TXT records dnscustomrole='{ "Name": "DNS TXT Contributor", "Id": "",
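Review bot: in the first hunk (`@@ -1,16 +1,20 @@`) the link text is still split by a line break: `(See the [` ends one line and `Azure Command-Line Interface (CLI) documentation](...)` starts the next, so the rendered link text begins with a newline and the "fixed broken link" in the commit message is only half done. Join it onto one line, `(See the [Azure Command-Line Interface (CLI) documentation](https://docs.microsoft.com/en-us/cli/azure/overview?view=azure-cli-latest) for more details)`. While touching this hunk, the heading `#### Log-in to Azure` reads better as `#### Log in to Azure` (it is a verb here), and the untagged fence around `az login` could carry `sh` like the script block later in the file, which is what "homogenized formatting" suggests.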
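Review bot: in the second hunk (`@@ -100,13 +104,16 @@`) the unchanged sentence "using the id value from the previous commands output" still lacks an apostrophe and a full stop ("the previous command's output.") and does not say which `id` is meant; since the `--scopes` argument in the command below it is the zone's full resource path under `/subscriptions/.../dnszones/example.com`, say explicitly that it is the `id` of the DNS zone returned by `az network dns zone list`, not any of the other ids that appear later in the document. Splitting the long `az ad sp create-for-rbac` line with a trailing backslash is fine, but note that the continuation line is indented with spaces, so a reader copying it into a non-shell context gets leading whitespace in the scope path.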
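Review bot: in the third hunk (`@@ -120,35 +127,55 @@`) the two multi-zone examples no longer describe the same zone: the rewritten `create-for-rbac` command scopes `example.edu` under `resourceGroups/exampledns2_rg`, while the `az role assignment create` command a few lines later still uses `resourceGroups/deleteme_rg` for the same zone; pick one resource group for `example.edu` and use it in both. The new `az ad sp list --filter "displayname eq 'AcmeDnsValidator'" | grep '^ \"id\":'` step is fragile because it depends on the CLI's default JSON indentation (the parenthetical says "tab size of two spaces", which should read "indentation of two spaces"); the CLI's own JMESPath query avoids the grep entirely, e.g. `az ad sp list --filter "displayname eq 'AcmeDnsValidator'" --query "[].id" -o tsv`, which prints only the object id and makes the hand-edited `"id": "daaaaaaa-..."` sample block unnecessary. Two smaller points in the same hunk: the unchanged prose line "only grant permissions to modifiy TXT records" keeps the misspelling that the script comment below it fixes, and the "How to protect DNS zones and records" link still points at docs.microsoft.com while the `az ad sp create-for-rbac` link in the previous hunk was moved to learn.microsoft.com.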