search
githubEdit

Amazon Route 53

hashtag
Configuration

To use this provider, add an entry to creds.json with TYPE set to ROUTE53 along with API credentials.

Example:

creds.json
{
  "r53_main": {
    "TYPE": "ROUTE53",
    "DelegationSet": "optional-delegation-set-id",
    "KeyId": "your-aws-key",
    "SecretKey": "your-aws-secret-key",
    "Token": "optional-sts-token"
  }
}

Alternatively you can also use environment variables. This is discouraged unless your environment provides them already.

export AWS_ACCESS_KEY_ID=XXXXXXXXX
export AWS_SECRET_ACCESS_KEY=YYYYYYYYY
export AWS_SESSION_TOKEN=ZZZZZZZZ
creds.json
{
  "r53_main": {
    "TYPE": "ROUTE53",
    "KeyId": "$AWS_ACCESS_KEY_ID",
    "SecretKey": "$AWS_SECRET_ACCESS_KEY"
  }
}

Alternatively, this provider supports named profilesarrow-up-right. In that case export the following variable:

and provide a minimal entry in creds.json:

Example:

Alternatively, this provider also supports RoleArn with an optional ExternalId

Example:

You can find some other ways to authenticate to Route53 in the go sdk configurationarrow-up-right.

hashtag
Metadata

This provider does not recognize any special metadata fields unique to route 53.

hashtag
Usage

An example configuration:

hashtag
Split horizon

This provider supports split horizons using the R53_ZONE() domain function.

In this example the domain testzone.net appears in the same account twice, each with different zone IDs specified using R53_ZONE().

hashtag
Activation

DNSControl depends on a standard AWS access keyarrow-up-right with permission to list, create and update hosted zones. If you do not have the permissions required you will receive the following error message Check your credentials, your not authorized to perform actions on Route 53 AWS Service.

You can apply the AmazonRoute53FullAccess policy however this includes access to many other areas of AWS. The minimum permissions required are as follows:

If Route53 is also your registrar, you will need route53domains:UpdateDomainNameservers and route53domains:GetDomainDetail as well and possibly others.

hashtag
New domains

If a domain does not exist in your Route53 account, DNSControl will not automatically add it with the push command. You can do that either manually via the control panel, or via the command dnscontrol create-domains command.

hashtag
Delegation Sets

Creation of new delegation sets are not supported by this code. However, if you have a delegation set already created, ala:

You can then reference the DelegationSet.Id in your r53_main block (with your other credentials) to have all created domains placed in that delegation set. Note that you you only want the portion of the Id after the /delegationset/ (the 12312312123 in the example above).

Delegation sets only apply during create-domains at the moment. Further work needs to be done to have them apply during push.

hashtag
Caveats

hashtag
Route53 errors if it is not the DnsProvider

This code may not function properly if a domain has R53 as a Registrar but not as a DnsProvider. The situation is described in PR#155arrow-up-right.

In this situation you will see a message like: (This output assumes the --full flag)

If this happens to you, we'd appreciate it if you could help us fix the code. In the meanwhile, you can give the account additional IAM permissions so that it can do DNS-related actions, or simply use NewRegistrar(..., "NONE") for now.

hashtag
Bug when converting new zones

You will see some weirdness if:

  1. A CNAME was created using the web UI

  2. The CNAME's target does NOT end with a dot.

What you will see: When DNSControl tries to update such records, R53 only updates the first one. For example if DNSControl is updating 3 such records, you will need to run dnscontrol push three times for all three records to update. Each time DNSControl is sending three modify requests but only the first is executed. After all such records are modified by DNSControl, everything works as expected.

We believe this is a bug with R53.

This is only a problem for users converting old zones to DNSControl.

circle-info

NOTE: When converting zones that include such records, the get-zones command will generate CNAME() records without the trailing dot. You should manually add the dot. Run dnscontrol preview as normal to check your work. However when you run dnscontrol push you'll find you have to run it multiple times, each time one of those corrections executes and the others do not. Once all such records are replaced this problem disappears.

More info is available in #891arrow-up-right.

hashtag
Error messages

hashtag
Creds key mismatch

This means that the creds.json entry isn't found. Either there is no entry, or the entry name doesn't match the first parameter in the NewDnsProvider() call. In the above example, note that the string r53_main is specified in NewDnsProvider("r53_main") and that is the exact key used in the creds file above.

hashtag
Invalid KeyId

This means the KeyId is unknown to AWS.

hashtag
Invalid SecretKey

This means the SecretKey is incorrect. It may be a quoting issue.

hashtag
Incomplete Signature

This means a space is present in one or more of the credential values.

PreviousAlibaba Cloud DNS (ALIDNS)NextAutoDNS

Last updated