Fixed broken link, added link names, fixed spelling errors, homogenized formatting, expanded and split section "Note: Dealing with multiple DNS Zones" to "Note: Dealing with multiple credentials".

master
Adam Bulgatz 2024-10-03 00:40:31 -05:00
parent 964d03bed0
commit 497a0cfe92
1 changed files with 50 additions and 23 deletions

@ -1,16 +1,20 @@
#### Prerequisites #### Prerequisites
You need the Azure Cli 2.0 tools to create a service principal for access to your DNS Zone.
Either install Azure Cli 2.0 locally or use the Azure Cloud Shell in Bash mode.
See [ You need the Azure CLI 2.0 tools to create a service principal for access to your DNS Zone.
Azure Command-Line Interface (CLI) documentation](https://docs.microsoft.com/en-us/cli/azure/overview?view=azure-cli-latest)
Either install Azure CLI 2.0 locally or use the Azure Cloud Shell in Bash mode.
(See the [
Azure Command-Line Interface (CLI) documentation](https://docs.microsoft.com/en-us/cli/azure/overview?view=azure-cli-latest) for more details)
#### Log-in to Azure #### Log-in to Azure
(not required when using the Azure Cloud Shell)
(Not required when using the Azure Cloud Shell)
``` ```
az login az login
``` ```
```json ```json
[ [
{ {
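Review bot: in the rewritten prerequisites paragraph the Markdown link text is still split across a line break directly after the opening bracket (`(See the [` on one line, `Azure Command-Line Interface (CLI) documentation](https://docs.microsoft.com/...) for more details)` on the next), which some renderers keep as a literal newline or leading space inside the anchor text; put the whole `(See the [Azure Command-Line Interface (CLI) documentation](...) for more details)` parenthetical on a single line. The remaining changes in this hunk (the `Azure CLI 2.0` capitalisation and the capitalised `(Not required when using the Azure Cloud Shell)` before `az login`) are fine.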
@ -100,13 +104,16 @@ az network dns zone list
} }
] ]
``` ```
#### Create a service principal #### Create a service principal
The service principal is used to grant acme.sh access to the DNS Zone using the id value from the previous commands output The service principal is used to grant acme.sh access to the DNS Zone using the id value from the previous commands output
(See https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az_ad_sp_create_for_rbac for more details ) (See the [az ad sp create-for-rbac](https://learn.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create-for-rbac) documentation for more details)
``` ```
az ad sp create-for-rbac --name "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com az ad sp create-for-rbac --name "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes \
/subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com
``` ```
```json ```json
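Review bot: the `az ad sp create-for-rbac` reference now points at `learn.microsoft.com` with the `#az-ad-sp-create-for-rbac` anchor, but the CLI overview link in the prerequisites and the "protect DNS zones" link further down still use `docs.microsoft.com`; since this commit is about fixing a broken link, move all three to the same host so they do not rely on redirects. Two smaller points in the same paragraph: "using the id value from the previous commands output" still lacks the possessive (`previous command's output`), and because the JSON block below the command is the only place the generated client secret is ever shown, a sentence saying it cannot be retrieved later and belongs straight in `account.conf` rather than in scrollback or shell history would help readers. The backslash line continuation after `--scopes \` is fine given the page assumes Bash (locally or in Cloud Shell).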
@ -120,35 +127,55 @@ az ad sp create-for-rbac --name "AcmeDnsValidator" --role "DNS Zone Contributor
``` ```
##### Note: Dealing with multiple DNS Zones ##### Note: Dealing with multiple DNS Zones
Because by default acme.sh saves the credentials in ~/.acme.sh/account.conf you have to use the same credentials for all your DNS Zones*.
For example if you are also managing certificates for example.edu you can grant the the service principal acccess to the DNS Zone with: If you are managing certificates for multiple DNS Zones, you can create the service principal with multiple scopes.
For example, if you are managing certificates for both `example.com` and `example.edu`, you can create the service principal with both scopes:
``` ```
az ad sp create-for-rbac --name "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/deleteme_rg/providers/Microsoft.Network/dnszones/example.edu az ad sp create-for-rbac --name "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes \
/subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com \
``` /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns2_rg/providers/Microsoft.Network/dnszones/example.edu
or grant access to the service principal after you created it
```
az role assignment create --assignee 3b5033b5-7a66-43a5-b3b9-a36b9e7c25ed --role "DNS Zone Contributor" --scope /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/deleteme_rg/providers/Microsoft.Network/dnszones/example.edu
``` ```
\*If you want to use different credentials instead use the --accountconf switch to specifiy a configuration file Or if the service principal has already been created, you can grant it access to the additional scope:
### Limit access permissions to TXT records ```
az ad sp list --filter "displayname eq 'AcmeDnsValidator'" | grep '^ \"id\":'
```
(The `grep` above is assuming a json array of nested lists is returned with a tab size of two spaces and is finding the top-level `id`)
```json
"id": "daaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
```
```
az role assignment create --assignee daaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa --role "DNS Zone Contributor" --scope \
/subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/deleteme_rg/providers/Microsoft.Network/dnszones/example.edu
```
##### Note: Dealing with multiple credentials
By default acme.sh saves credentials in `~/.acme.sh/account.conf` and these credentials are used for all DNS zones.
If you want to use different credentials, use the `--accountconf` switch to specify a configuration file.
#### Limit access permissions to TXT records
In Azure DNS you can limit the permissions for the service principal further and only grant permissions to modifiy TXT records for a given DNS Zone. In Azure DNS you can limit the permissions for the service principal further and only grant permissions to modifiy TXT records for a given DNS Zone.
(See https://docs.microsoft.com/en-us/azure/dns/dns-protect-zones-recordsets for more details)
(See [How to protect DNS zones and records](https://docs.microsoft.com/en-us/azure/dns/dns-protect-zones-recordsets) for more details)
Example: Example:
* Azure Subscription is 12345678-9abc-def0-1234-567890abcdef
* The resource group of your DNS Zone is exampledns_rg
* The DNS Zone is example.com
* Azure Subscription is `12345678-9abc-def0-1234-567890abcdef`
* The resource group of your DNS Zone is `exampledns_rg`
* The DNS Zone is `example.com`
```sh ```sh
#!/usr/bin/env sh #!/usr/bin/env sh
# Create a custom RBAC role that grants permissions to modifiy only TXT records # Create a custom RBAC role that grants permissions to modify only TXT records
dnscustomrole='{ dnscustomrole='{
"Name": "DNS TXT Contributor", "Name": "DNS TXT Contributor",
"Id": "", "Id": "",
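Review bot: the two multi-zone examples in this hunk disagree about the resource group of `example.edu`: the `--scopes` example uses `.../resourceGroups/exampledns2_rg/providers/Microsoft.Network/dnszones/example.edu` while the `az role assignment create --scope` example a few lines later still uses `.../resourceGroups/deleteme_rg/providers/Microsoft.Network/dnszones/example.edu`; pick one placeholder (the new `exampledns2_rg` reads better) and use it in both. The object-id lookup `az ad sp list --filter "displayname eq 'AcmeDnsValidator'" | grep '^ \"id\":'` is fragile: inside single quotes the backslashes are passed to grep literally, the match depends on two-space indentation, and the explanatory parenthetical calls the output "a json array of nested lists" when it is an array of objects; `az ad sp list --display-name AcmeDnsValidator --query "[].id" -o tsv` returns the id directly and needs no explanation. The new "Dealing with multiple credentials" note could also say why it matters: `account.conf` is shared across zones, so one service principal's secret there unlocks every zone it is scoped to, which is the motivation for the TXT-only role in the following section. Finally, "modifiy" in "only grant permissions to modifiy TXT records" is unchanged on both sides of the diff even though the script comment below was corrected to "modify" and the commit message says spelling errors were fixed.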