Automate DNS-01 with Route 53
Connecting Route 53 lets aethercert create and remove the DNS TXT records ACME uses for DNS-01 validation automatically.
1. Create a scoped IAM user in AWS
- Sign in to the AWS IAM console and find your hosted zone's ID under Route 53 (Hosted zones).
- Create an IAM policy scoped to that zone, granting only
route53:ChangeResourceRecordSetsandroute53:GetChangeonarn:aws:route53:::hostedzone/<your-zone-id>(androute53:ListHostedZones/route53:ListResourceRecordSetsat the account level, since those can't be scoped to a single zone). - Create an IAM user (or role) with no console access, attach the policy, and generate an access key pair for it.
2. Connect it in aethercert
- Make sure the domain is already added and verified under Build > Domains (or Manage > Domains for an existing one).
- On that domain's setup step 2 ("DNS provider"), choose AWS Route 53 from the provider dropdown.
- Enter the Access key ID and Secret access key.
- Leave Region as
us-east-1unless AWS support tells you otherwise - Route 53 itself is global. - Optionally set Hosted zone ID directly if you'd rather skip the zone lookup step.
- Click Test & save - aethercert verifies the credentials can actually reach the zone before saving them.
3. Use it
Any certificate you create for this domain (or its subdomains) can now use DNS-01, including wildcards. Credentials are stored write-only and never displayed back in the dashboard once saved.