AliyunDNSFullAccess too wide #16

Open
panhaoyu opened this issue May 7, 2022 · 5 comments

Comments

@panhaoyu

panhaoyu commented May 7, 2022

Hello, nice work.

A suggestion: AliyunDNSFullAccess is too wide, since I will be giving website access permissions to others.
Could you please check the minimum permissions required?

I'm trying it out, and after I finish I will share my experience here.

@tengattack
Owner

tengattack commented Feb 5, 2023

You may need a custom RAM policy like:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "*",
            "Resource": "acs:alidns:*:*:domain/example.com",
            "Effect": "Allow"
        }
    ]
}

to limit access only for one domain.

@Igotit

Igotit commented May 11, 2023

@tengattack you need to add another statement:

{
    "Action": [
        "alidns:DescribeSiteMonitorIspInfos",
        "alidns:DescribeSiteMonitorIspCityInfos",
        "alidns:DescribeSupportLines",
        "alidns:DescribeDomains",
        "alidns:DescribeDomainNs",
        "alidns:DescribeDomainGroups"
    ],
    "Resource": "acs:alidns:*:*:*",
    "Effect": "Allow"
}

ref: https://help.aliyun.com/document_detail/61723.html

@bolyage

bolyage commented Mar 7, 2024

It doesn't work for me.

RAM policy

{
    "Version": "1",
    "Statement": [
        {
            "Action": "*",
            "Resource": "acs:alidns:*:*:domain/aaaaaa.com",
            "Effect": "Allow"
        }
    ]
}

log

+ docker run -ti --rm -v /data/services/certbot-dns-aliyun/scripts/credentials:/root/.secrets -v /data/services/certbot-dns-aliyun/scripts/letsencrypt:/etc/letsencrypt -v /data/services/certbot-dns-aliyun/scripts/nginx:/etc/nginx/conf.d certbot/dns-aliyun -c /etc/letsencrypt/cli.ini
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.aaaaaa.com and *.dev.aaaaaa.com
Encountered exception during recovery: certbot_dns_aliyun.alidns.AliError: User not authorized to operate on the specified resource, or this API doesn't support RAM
An unexpected error occurred:
certbot_dns_aliyun.alidns.AliError: User not authorized to operate on the specified resource, or this API doesn't support RAM
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

@tengattack
Owner

@bolyage Try adding the other statement to Statement, as mentioned by @Igotit.
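
To see why the single-domain statement alone produces the "User not authorized" error above and why the combined policy resolves it, here is an added example (not code from the certbot-dns-aliyun project) that models RAM evaluation with glob matching and checks the calls the DNS-01 flow makes. It assumes, per the linked Aliyun docs, that the Describe* calls are evaluated against the wildcard resource, that certbot also needs AddDomainRecord and DeleteDomainRecord on the zone, and that the domain name is a constructed sample.

```python
import fnmatch

# Combined policy from the thread: full rights on one zone (statement 1) plus the
# account-level Describe* calls that only match the "*" resource (statement 2).
# example.com is a constructed sample value.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "*", "Resource": "acs:alidns:*:*:domain/example.com", "Effect": "Allow"},
        {"Action": [
            "alidns:DescribeSiteMonitorIspInfos",
            "alidns:DescribeSiteMonitorIspCityInfos",
            "alidns:DescribeSupportLines",
            "alidns:DescribeDomains",
            "alidns:DescribeDomainNs",
            "alidns:DescribeDomainGroups",
        ], "Resource": "acs:alidns:*:*:*", "Effect": "Allow"},
    ],
}
# The first attempt from the thread: statement 1 only.
DOMAIN_ONLY = {"Version": "1", "Statement": POLICY["Statement"][:1]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """True if some Allow statement matches both action and resource.

    Simplified model: glob-style '*' matching, no Deny statements, no Condition."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        act_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
        if act_ok and res_ok:
            return True
    return False


def certbot_calls_allowed(policy, zone):
    """Evaluate the calls the DNS-01 challenge needs (assumed set) for one zone."""
    zone_arn = "acs:alidns:*:*:domain/" + zone
    calls = [
        ("alidns:DescribeDomains", "acs:alidns:*:*:*"),   # account-level lookup
        ("alidns:AddDomainRecord", zone_arn),             # create _acme-challenge TXT
        ("alidns:DeleteDomainRecord", zone_arn),          # clean up afterwards
    ]
    return [(action, is_allowed(policy, action, res)) for action, res in calls]
```

Running certbot_calls_allowed(DOMAIN_ONLY, "example.com") shows DescribeDomains denied, which is the lookup that fails first in the log above; the combined POLICY allows all three while still denying record changes on any other zone.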

@bolyage

bolyage commented Apr 7, 2024

@bolyage Try add another statement in Statement mentioned by @Igotit

I have found another way to make it work, using ResourceGroup to isolate resources.

  1. Modify alidns.py: add the ResourceGroupId param.
import os
from certbot import errors
from certbot.plugins import dns_common
....
    def _find_domain_id(self, domain):
        domain_name_guesses = dns_common.base_domain_name_guesses(domain)

        for domain_name in domain_name_guesses:
            # Scope the DescribeDomains lookup to one resource group, read from
            # the ALIDNS_RESOURCE_GROUP_ID environment variable.
            r = self._request('DescribeDomains', {
                'KeyWord': domain_name,
                'ResourceGroupId': os.environ.get('ALIDNS_RESOURCE_GROUP_ID'),
            })
            for d in r['Domains']['Domain']:
                if d['DomainName'] == domain_name:
                    return domain_name

        raise errors.PluginError('Unable to determine zone identifier for {0} using zone names: {1}'
                                 .format(domain, domain_name_guesses))
  2. Modify the get cert docker run command: add ALIDNS_RESOURCE_GROUP_ID and mount alidns.py.
docker run -it --rm \
    -e "ALIYUN_AK=xxxxxx" \
    -e "ALIYUN_SK=xxxxxx" \
    -e "EMAIL=xxxxxx" \
    -e "ALIDNS_RESOURCE_GROUP_ID=xxxxx" \
    -v /data/cert/xxxxx:/etc/letsencrypt/ \
    -v /data/certbot-dns-aliyun-docker/alidns.py:/opt/certbot/lib/python3.8/site-packages/certbot_dns_aliyun/alidns.py \
    certbot obtain_cert \
    -d "xxxxx.com" \
    -d "*.xxxx.com"
  3. Modify the renew docker run command: add ALIDNS_RESOURCE_GROUP_ID and mount alidns.py.
docker run -it --rm \
    -e "ALIDNS_RESOURCE_GROUP_ID=xxxxxx" \
    -v /data/cert:/etc/letsencrypt/ \
    -v /data/services/certbot-dns-aliyun-docker/alidns.py:/opt/certbot/lib/python3.8/site-packages/certbot_dns_aliyun/alidns.py \
    certbot renew_certs
