Fixed broken link, added link names, fixed spelling errors, homogenized formatting, expanded and split section "Note: Dealing with multiple DNS Zones" to "Note: Dealing with multiple credentials".
parent
964d03bed0
commit
497a0cfe92
|
@ -1,16 +1,20 @@
|
||||||
#### Prerequisites
|
#### Prerequisites
|
||||||
You need the Azure Cli 2.0 tools to create a service principal for access to your DNS Zone.
|
|
||||||
Either install Azure Cli 2.0 locally or use the Azure Cloud Shell in Bash mode.
|
|
||||||
|
|
||||||
See [
|
You need the Azure CLI 2.0 tools to create a service principal for access to your DNS Zone.
|
||||||
Azure Command-Line Interface (CLI) documentation](https://docs.microsoft.com/en-us/cli/azure/overview?view=azure-cli-latest)
|
|
||||||
|
Either install Azure CLI 2.0 locally or use the Azure Cloud Shell in Bash mode.
|
||||||
|
|
||||||
|
(See the [
|
||||||
|
Azure Command-Line Interface (CLI) documentation](https://docs.microsoft.com/en-us/cli/azure/overview?view=azure-cli-latest) for more details)
|
||||||
|
|
||||||
#### Log-in to Azure
|
#### Log-in to Azure
|
||||||
(not required when using the Azure Cloud Shell)
|
|
||||||
|
(Not required when using the Azure Cloud Shell)
|
||||||
|
|
||||||
```
|
```
|
||||||
az login
|
az login
|
||||||
```
|
```
|
||||||
|
|
||||||
```json
|
```json
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
|
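Review bot: the Prerequisites link on the new side still points at docs.microsoft.com/en-us/cli/azure/overview?view=azure-cli-latest even though the commit message says it fixed the broken link, and the `az ad sp create-for-rbac` link in the next hunk was moved to learn.microsoft.com; consider pointing this one at the learn.microsoft.com host as well so both CLI references resolve the same way. Minor style point: the `az login` fence is untagged while the script at the end of the file tags its fence with `sh`; tagging this one the same way keeps the code fences consistent.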
@ -100,13 +104,16 @@ az network dns zone list
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Create a service principal
|
#### Create a service principal
|
||||||
|
|
||||||
The service principal is used to grant acme.sh access to the DNS Zone using the id value from the previous commands output
|
The service principal is used to grant acme.sh access to the DNS Zone using the id value from the previous commands output
|
||||||
|
|
||||||
(See https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az_ad_sp_create_for_rbac for more details )
|
(See the [az ad sp create-for-rbac](https://learn.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create-for-rbac) documentation for more details)
|
||||||
|
|
||||||
```
|
```
|
||||||
az ad sp create-for-rbac --name "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com
|
az ad sp create-for-rbac --name "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes \
|
||||||
|
/subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com
|
||||||
```
|
```
|
||||||
|
|
||||||
```json
|
```json
|
||||||
|
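Review bot: the unchanged sentence "using the id value from the previous commands output" still lacks the possessive apostrophe (previous command's output) although this commit set out to fix spelling, so it is worth correcting while the paragraph is being edited. Also, because this command grants the built-in `DNS Zone Contributor` role, which allows changes to every record type in the zone, a one-line pointer here to the "Limit access permissions to TXT records" section further down would steer readers toward the narrower custom role by default rather than as an afterthought.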
@ -120,35 +127,55 @@ az ad sp create-for-rbac --name "AcmeDnsValidator" --role "DNS Zone Contributor
|
||||||
```
|
```
|
||||||
|
|
||||||
##### Note: Dealing with multiple DNS Zones
|
##### Note: Dealing with multiple DNS Zones
|
||||||
Because by default acme.sh saves the credentials in ~/.acme.sh/account.conf you have to use the same credentials for all your DNS Zones*.
|
|
||||||
|
|
||||||
For example if you are also managing certificates for example.edu you can grant the the service principal acccess to the DNS Zone with:
|
If you are managing certificates for multiple DNS Zones, you can create the service principal with multiple scopes.
|
||||||
|
|
||||||
|
For example, if you are managing certificates for both `example.com` and `example.edu`, you can create the service principal with both scopes:
|
||||||
|
|
||||||
```
|
```
|
||||||
az ad sp create-for-rbac --name "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/deleteme_rg/providers/Microsoft.Network/dnszones/example.edu
|
az ad sp create-for-rbac --name "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes \
|
||||||
|
/subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com \
|
||||||
```
|
/subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns2_rg/providers/Microsoft.Network/dnszones/example.edu
|
||||||
or grant access to the service principal after you created it
|
|
||||||
```
|
|
||||||
az role assignment create --assignee 3b5033b5-7a66-43a5-b3b9-a36b9e7c25ed --role "DNS Zone Contributor" --scope /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/deleteme_rg/providers/Microsoft.Network/dnszones/example.edu
|
|
||||||
```
|
```
|
||||||
|
|
||||||
\*If you want to use different credentials instead use the --accountconf switch to specifiy a configuration file
|
Or if the service principal has already been created, you can grant it access to the additional scope:
|
||||||
|
|
||||||
### Limit access permissions to TXT records
|
```
|
||||||
|
az ad sp list --filter "displayname eq 'AcmeDnsValidator'" | grep '^ \"id\":'
|
||||||
|
```
|
||||||
|
|
||||||
|
(The `grep` above is assuming a json array of nested lists is returned with a tab size of two spaces and is finding the top-level `id`)
|
||||||
|
|
||||||
|
```json
|
||||||
|
"id": "daaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
|
az role assignment create --assignee daaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa --role "DNS Zone Contributor" --scope \
|
||||||
|
/subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/deleteme_rg/providers/Microsoft.Network/dnszones/example.edu
|
||||||
|
```
|
||||||
|
|
||||||
|
##### Note: Dealing with multiple credentials
|
||||||
|
|
||||||
|
By default acme.sh saves credentials in `~/.acme.sh/account.conf` and these credentials are used for all DNS zones.
|
||||||
|
|
||||||
|
If you want to use different credentials, use the `--accountconf` switch to specify a configuration file.
|
||||||
|
|
||||||
|
#### Limit access permissions to TXT records
|
||||||
|
|
||||||
In Azure DNS you can limit the permissions for the service principal further and only grant permissions to modifiy TXT records for a given DNS Zone.
|
In Azure DNS you can limit the permissions for the service principal further and only grant permissions to modifiy TXT records for a given DNS Zone.
|
||||||
(See https://docs.microsoft.com/en-us/azure/dns/dns-protect-zones-recordsets for more details)
|
|
||||||
|
(See [How to protect DNS zones and records](https://docs.microsoft.com/en-us/azure/dns/dns-protect-zones-recordsets) for more details)
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
* Azure Subscription is 12345678-9abc-def0-1234-567890abcdef
|
|
||||||
* The resource group of your DNS Zone is exampledns_rg
|
|
||||||
* The DNS Zone is example.com
|
|
||||||
|
|
||||||
|
* Azure Subscription is `12345678-9abc-def0-1234-567890abcdef`
|
||||||
|
* The resource group of your DNS Zone is `exampledns_rg`
|
||||||
|
* The DNS Zone is `example.com`
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
#!/usr/bin/env sh
|
#!/usr/bin/env sh
|
||||||
# Create a custom RBAC role that grants permissions to modifiy only TXT records
|
# Create a custom RBAC role that grants permissions to modify only TXT records
|
||||||
dnscustomrole='{
|
dnscustomrole='{
|
||||||
"Name": "DNS TXT Contributor",
|
"Name": "DNS TXT Contributor",
|
||||||
"Id": "",
|
"Id": "",
|
||||||
|
|
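Review bot: the two examples for `example.edu` now disagree on its resource group: the multi-scope `create-for-rbac` line was changed to `exampledns2_rg`, but the `az role assignment create --scope` line below still uses `deleteme_rg`, so a reader following the second path targets a different scope than the one the first path created; use one name in both places. The `grep '^ \"id\":'` lookup is also fragile: inside single quotes the backslashes reach grep literally, and the match depends on the CLI's indentation width, as the parenthetical itself admits. `az ad sp list --filter "displayname eq 'AcmeDnsValidator'" --query "[].id" -o tsv` returns the same id through the CLI's own JMESPath `--query` option without any dependence on output formatting, and the hand-copied JSON snippet could then be dropped.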