1
0
mirror of https://github.com/go-acme/lego.git synced 2024-11-25 00:56:20 +02:00

route53: add assume role ARN (#1650)

Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>
This commit is contained in:
nonchan 2022-05-28 01:32:39 +09:00 committed by GitHub
parent 9b029d53d7
commit d95b487af1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 41 additions and 12 deletions

View File

@ -1860,6 +1860,7 @@ func displayDNSHelp(name string) error {
ew.writeln(`Credentials:`)
ew.writeln(` - "AWS_ACCESS_KEY_ID": Managed by the AWS client. Access key ID ('AWS_ACCESS_KEY_ID_FILE' is not supported, use 'AWS_SHARED_CREDENTIALS_FILE' instead)`)
ew.writeln(` - "AWS_ASSUME_ROLE_ARN": Managed by the AWS Role ARN ('AWS_ASSUME_ROLE_ARN' is not supported)`)
ew.writeln(` - "AWS_HOSTED_ZONE_ID": Override the hosted zone ID.`)
ew.writeln(` - "AWS_PROFILE": Managed by the AWS client ('AWS_PROFILE_FILE' is not supported)`)
ew.writeln(` - "AWS_REGION": Managed by the AWS client ('AWS_REGION_FILE' is not supported)`)

View File

@ -30,6 +30,7 @@ _Please contribute by adding a CLI example._
| Environment Variable Name | Description |
|-----------------------|-------------|
| `AWS_ACCESS_KEY_ID` | Managed by the AWS client. Access key ID (`AWS_ACCESS_KEY_ID_FILE` is not supported, use `AWS_SHARED_CREDENTIALS_FILE` instead) |
| `AWS_ASSUME_ROLE_ARN` | Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN` is not supported) |
| `AWS_HOSTED_ZONE_ID` | Override the hosted zone ID. |
| `AWS_PROFILE` | Managed by the AWS client (`AWS_PROFILE_FILE` is not supported) |
| `AWS_REGION` | Managed by the AWS client (`AWS_REGION_FILE` is not supported) |

View File

@ -10,6 +10,7 @@ import (
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/client"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/request"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/route53"
@ -31,26 +32,32 @@ const (
EnvTTL = envNamespace + "TTL"
EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
EnvPollingInterval = envNamespace + "POLLING_INTERVAL"
EnvAssumeRoleArn = envNamespace + "ASSUME_ROLE_ARN"
)
// Config is used to configure the creation of the DNSProvider.
type Config struct {
HostedZoneID string
MaxRetries int
AssumeRoleArn string
TTL int
PropagationTimeout time.Duration
PollingInterval time.Duration
HostedZoneID string
Client *route53.Route53
}
// NewDefaultConfig returns a default configuration for the DNSProvider.
func NewDefaultConfig() *Config {
return &Config{
HostedZoneID: env.GetOrFile(EnvHostedZoneID),
MaxRetries: env.GetOrDefaultInt(EnvMaxRetries, 5),
AssumeRoleArn: env.GetOrDefaultString(EnvAssumeRoleArn, ""),
TTL: env.GetOrDefaultInt(EnvTTL, 10),
PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute),
PollingInterval: env.GetOrDefaultSecond(EnvPollingInterval, 4*time.Second),
HostedZoneID: env.GetOrFile(EnvHostedZoneID),
}
}
@ -106,17 +113,15 @@ func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
return &DNSProvider{client: config.Client, config: config}, nil
}
retry := customRetryer{}
retry.NumMaxRetries = config.MaxRetries
sessionCfg := request.WithRetryer(aws.NewConfig(), retry)
sess, err := session.NewSessionWithOptions(session.Options{Config: *sessionCfg})
sess, err := createSession(config)
if err != nil {
return nil, err
}
cl := route53.New(sess)
return &DNSProvider{client: cl, config: config}, nil
return &DNSProvider{
client: route53.New(sess),
config: config,
}, nil
}
// Timeout returns the timeout and interval to use when checking for DNS propagation.
@ -294,3 +299,24 @@ func (d *DNSProvider) getHostedZoneID(fqdn string) (string, error) {
return hostedZoneID, nil
}
func createSession(config *Config) (*session.Session, error) {
retry := customRetryer{}
retry.NumMaxRetries = config.MaxRetries
sessionCfg := request.WithRetryer(aws.NewConfig(), retry)
sess, err := session.NewSessionWithOptions(session.Options{Config: *sessionCfg})
if err != nil {
return nil, err
}
if config.AssumeRoleArn == "" {
return sess, nil
}
return session.NewSession(&aws.Config{
Region: sess.Config.Region,
Credentials: stscreds.NewCredentials(sess, config.AssumeRoleArn),
})
}

View File

@ -69,6 +69,7 @@ The following AWS IAM policy document describes the permissions required for leg
AWS_HOSTED_ZONE_ID = "Override the hosted zone ID."
AWS_PROFILE = "Managed by the AWS client (`AWS_PROFILE_FILE` is not supported)"
AWS_SDK_LOAD_CONFIG = "Managed by the AWS client. Retrieve the region from the CLI config file (`AWS_SDK_LOAD_CONFIG_FILE` is not supported)"
AWS_ASSUME_ROLE_ARN = "Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN` is not supported)"
[Configuration.Additional]
AWS_SHARED_CREDENTIALS_FILE = "Managed by the AWS client. Shared credentials file."
AWS_MAX_RETRIES = "The number of maximum returns the service will use to make an individual API request"