diff --git a/dnsapi.md b/dnsapi.md index 33d8a6b..bac85ba 100644 --- a/dnsapi.md +++ b/dnsapi.md @@ -989,6 +989,12 @@ The `AUTODNS_USER`, `AUTODNS_PASSWORD` and `AUTODNS_CONTEXT` settings will be sa ## 37. Use Azure DNS +You have three options with Azure DNS: +1. Create and use a Service Principal with client secrets (recommended) +2. Using a Managed Identity (has to run on a resource in Azure) +3. Use a provided Bearer token (advanced scenarios only, the Bearer token has a limited lifetime) + +### Use Service Principal You have to create a service principal first. See: [How to use Azure DNS](https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Azure-DNS) ```sh 
@@ -1006,18 +1012,34 @@ Then you can issue your certificates with: `AZUREDNS_SUBSCRIPTIONID`, `AZUREDNS_TENANTID`,`AZUREDNS_APPID` and `AZUREDNS_CLIENTSECRET` settings will be saved in `~/.acme.sh/account.conf` and will be reused when needed. -Alternatively, you can use **Managed Identity** assigned to a resource instead of a service prinvcipal. - +### Use Managed Identity You have to assign a managed identity to your resource, usually a VM, as described [here](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview). This identity requires [DNS Zone Contributor role](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#dns-zone-contributor). -Before running acme.sh following variables need to bo set: +Before running acme.sh following variables need to be set: `export AZUREDNS_SUBSCRIPTIONID="12345678-9abc-def0-1234-567890abcdef"` `export AZUREDNS_MANAGEDIDENTITY=true` Issuing certificates using managed identity clears previously set settings: `AZUREDNS_TENANTID`, `AZUREDNS_APPID`, `AZUREDNS_CLIENTSECRET`. `AZUREDNS_SUBSCRIPTIONID` and `AZUREDNS_MANAGEDIDENTITY` will be saved in ~/.acme.sh/account.conf for future use. +### Use provided Bearer token +If you want to use Entra Workload ID in a GitHub Action or similar CI/CD scenarios, you have to use a provided Bearer token. + +The identity has to have Azure RBAC to be able to add and delete TXT records in the Azure DNS zone. + +You need to extract the token earlier in your CI/CD, for example with this command: +```sh +az account get-access-token --query accessToken --output tsv +``` +And then pass it to acme.sh with the environment variable `AZUREDNS_BEARERTOKEN`. + +Finally, you need to set the tenant ID and subscription ID in the environment variables `AZUREDNS_TENANTID` and `AZUREDNS_SUBSCRIPTIONID`. + +Then you can issue the certificate with acme.sh, for example: +```sh +./acme.sh --issue --dns dns_azure -d example.com -d *.example.com +```
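Review bot: in the first hunk (`@@ -989,6 +989,12 @@`) the three added list items are not parallel ("Create and use a Service Principal", "Using a Managed Identity", "Use a provided Bearer token"); suggest `2. Use a Managed Identity (has to run on a resource in Azure)` so all three read as imperatives, and consider pointing each item at the matching `###` subsection the patch adds below. Item 1 is marked "(recommended)" without a reason; a short clause saying why (for example that the client secret is a long-lived credential acme.sh persists in `~/.acme.sh/account.conf`, whereas a managed identity needs no stored secret but only works on Azure resources) would help readers choose between options 1 and 2.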
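Review bot: the new "Use provided Bearer token" section in the second hunk (`@@ -1006,18 +1012,34 @@`) never says whether `AZUREDNS_BEARERTOKEN` is written to `~/.acme.sh/account.conf`, while both sibling sections spell out what is saved and what is cleared; add the equivalent sentence, and since the token is short-lived, state explicitly whether it is persisted and what happens on the next run if a stale token is still in the config. "The identity has to have Azure RBAC to be able to add and delete TXT records in the Azure DNS zone" is vaguer than the managed-identity paragraph, which links the DNS Zone Contributor role; link the same role here. In the example `./acme.sh --issue --dns dns_azure -d example.com -d *.example.com` the `*.example.com` is unquoted, so the shell may glob-expand it if a matching file exists in the working directory; quote it as `-d '*.example.com'`. Finally, the token extraction and the environment variable are shown apart; showing the hand-off in one line, e.g. `export AZUREDNS_BEARERTOKEN="$(az account get-access-token --query accessToken --output tsv)"`, makes it concrete, and a reminder that the token is a credential that should be masked in CI logs would fit the "advanced scenarios" caveat given in the first hunk.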