DNS providers

Per-provider authentication and required permissions for the 12 DNS providers CertAutoPilot supports for DNS-01 challenge automation.

01 Overview

For DNS-01, the worker creates a temporary TXT record at _acme-challenge.<name>, waits for the CA to validate it, then deletes the record. CertAutoPilot scopes the credential to the smallest permission that allows that — typically zone-level DNS edit, never account-wide write.

02 Cloudflare

Create an API Token with Zone → DNS → Edit scoped to the relevant zone. Paste the token. Account ID and zone ID are auto-discovered.

Permissions: Zone → DNS → Edit
Zone Resources: Include → Specific Zone → example.com

03 AWS Route 53

Two auth modes — IAM access keys or instance-profile (EC2/EKS). For keys, attach this minimum policy to the IAM user. Note that route53:GetChange is evaluated against the change resource rather than the hosted zone, so it needs its own statement with the change/* resource:

{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow",
  "Action":["route53:ChangeResourceRecordSets","route53:ListResourceRecordSets"],
  "Resource":["arn:aws:route53:::hostedzone/Z123ABC..."]},
 {"Effect":"Allow","Action":["route53:GetChange"],"Resource":["arn:aws:route53:::change/*"]}]}

Use instance-profile when the worker runs on EC2 or EKS — paste no keys; CertAutoPilot uses IMDSv2.

04 Google Cloud DNS

Create a service account with role DNS Administrator on the target zone. Download the JSON key and paste it into the credential. Workload Identity is supported on GKE.

05 Azure DNS

Service principal with role DNS Zone Contributor on the resource group. Required fields: tenant ID, subscription ID, client ID, client secret. Federated workload identity works on AKS.

06 DigitalOcean

Personal Access Token with read + write scope. There is no zone-level scoping; this is the only DO option.

07 GoDaddy

API key + secret pair. Production keys come from the Production tab; do not use the OTE/sandbox keys.

08 AWS Lightsail

IAM user with lightsail:*Domain*. Lightsail DNS is a different API from Route 53 even though they're both AWS.

09 UltraDNS

Username + password against the v3 REST API. Use a dedicated automation account with restricted IP allow-listing.

10 Akamai EdgeDNS

EdgeGrid credentials (host, client_token, client_secret, access_token). Generate from the Akamai Control Center → Identity & Access → API Clients. Required permission: DNS-Zone-Record-Management — READ-WRITE.

11 Hetzner

API token from the Hetzner DNS Console. There is one global scope; scope by zone via separate tokens if you need least-privilege.

12 OVH

Application key + application secret + consumer key. Generate via OVH's Create Token tool with paths GET/POST/DELETE /domain/zone/*.

13 Namecheap

Username + API key, plus the public IP of every worker (Namecheap requires IP allow-listing on the API). For Kubernetes, this means a static egress IP via a NAT gateway.

14 Testing the credential

Every credential form has a Test connectivity button — it lists zones and verifies write access by creating and deleting a TXT probe record. Always click it before saving.
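As an added example (not CertAutoPilot's own code), here is the list -> create -> delete TXT probe that a credential test like the one above performs, written against the Cloudflare v4 DNS records API paths and the _acme-challenge name from the overview. The HTTP layer is an injected `request(method, path, body)` callable so the probe can run offline against a constructed fake; `probe_txt_write`, `find_zone_id`, `ProbeError` and `make_fake_cloudflare` are this example's own names.

```python
import secrets
from typing import Callable, Optional

# Injected transport: request(method, path, json_body) -> parsed JSON. Against the real
# API this is an HTTPS call to https://api.cloudflare.com/client/v4 with a Bearer token.
Transport = Callable[[str, str, Optional[dict]], dict]

class ProbeError(Exception):
    """The credential could not complete the list -> create -> delete cycle."""

def find_zone_id(request: Transport, zone_name: str) -> str:
    """Zone auto-discovery; fails if the token cannot even read the zone."""
    resp = request("GET", f"/zones?name={zone_name}", None)
    if not resp.get("success") or not resp.get("result"):
        raise ProbeError(f"zone {zone_name} not visible to this token: {resp.get('errors')}")
    return resp["result"][0]["id"]

def probe_txt_write(request: Transport, zone_name: str) -> dict:
    """Create a throw-away TXT at _acme-challenge.<zone>, then delete it again."""
    zone_id = find_zone_id(request, zone_name)
    # Random content so a stale record from an earlier run is never mistaken for ours.
    content = "certautopilot-probe-" + secrets.token_hex(8)
    created = request("POST", f"/zones/{zone_id}/dns_records",
                      {"type": "TXT", "name": f"_acme-challenge.{zone_name}",
                       "content": content, "ttl": 60})
    if not created.get("success"):
        raise ProbeError(f"DNS edit denied on {zone_name}: {created.get('errors')}")
    record_id = created["result"]["id"]
    deleted = request("DELETE", f"/zones/{zone_id}/dns_records/{record_id}", None)
    if not deleted.get("success"):  # never leave the probe record behind silently
        raise ProbeError(f"probe record {record_id} created but NOT deleted; remove it manually")
    return {"zone_id": zone_id, "record_id": record_id, "content": content}

def make_fake_cloudflare(zone_name: str, zone_id: str, can_edit: bool):
    """Constructed API stand-in (one zone, DNS Edit or not); returns (transport, live_records)."""
    records: dict = {}
    def request(method: str, path: str, body: Optional[dict]) -> dict:
        if method == "GET" and path == f"/zones?name={zone_name}":
            return {"success": True, "result": [{"id": zone_id}]}
        if not can_edit:  # token lacks the DNS Edit permission
            return {"success": False, "errors": [{"message": "insufficient permissions"}]}
        if method == "POST" and path == f"/zones/{zone_id}/dns_records":
            rid = secrets.token_hex(16)
            records[rid] = body
            return {"success": True, "result": {"id": rid, **body}}
        if method == "DELETE" and path.startswith(f"/zones/{zone_id}/dns_records/"):
            rid = path.rsplit("/", 1)[1]
            return {"success": records.pop(rid, None) is not None, "result": {"id": rid}}
        return {"success": False, "errors": [{"message": f"unexpected {method} {path}"}]}
    return request, records
```

With a real transport, the same `probe_txt_write` call exercises exactly the Zone → DNS → Edit scope from the Cloudflare section, and a token missing it fails at the POST step before anything is written.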