
feat(letsencrypt): Add AWS profile support for Route 53 DNS challenge#4285

Draft
jsamuel1 wants to merge 6 commits into home-assistant:master from jsamuel1:letsencrypt-route53-optional-credentials

Conversation

@jsamuel1 jsamuel1 commented Jan 11, 2026

Summary

Add support for AWS named profiles in the Route 53 DNS provider, enabling IAM Roles Anywhere authentication with credential_process.

Changes

  • Add aws_profile option to config schema
  • Auto-detect /share/.aws/config for credential_process support
  • Require either aws_profile OR aws_access_key_id + aws_secret_access_key (no implicit default credential chain)
  • Update documentation with both authentication options

Use Case

This enables users to authenticate with AWS using X.509 certificates via IAM Roles Anywhere instead of static IAM access keys. Benefits:

  • Short-lived credentials (1 hour by default)
  • No static access keys to manage or rotate
  • Certificate-based authentication

Configuration Example

Using AWS Profile (IAM Roles Anywhere):

dns:
  provider: dns-route53
  aws_profile: letsencrypt

Using Access Keys (existing behavior):

dns:
  provider: dns-route53
  aws_access_key_id: AKIA...
  aws_secret_access_key: ...

Testing

Tested on Home Assistant OS (aarch64) with IAM Roles Anywhere and aws_signing_helper credential_process.

Summary by CodeRabbit

  • New Features

    • Route53 DNS now supports using an AWS profile as an authentication option in addition to access key/secret.
  • Documentation

    • Added guidance for both AWS Profile and access key methods, noted that profile takes precedence when both are set, and documented use of shared AWS config for advanced credential flows.
  • Bug Fixes

    • Removed previous unconditional requirement for access keys; credential handling clarified.


Allow boto3 to use its default credential chain when aws_access_key_id
and aws_secret_access_key are not provided. This enables users with
EC2 instance profiles, IAM Roles Anywhere, or other AWS credential
sources to use dns-route53 without hardcoding credentials.

Backward compatible - existing configurations with explicit credentials
continue to work unchanged.
- Add aws_profile option to config schema for IAM Roles Anywhere support
- Update run script to use AWS_PROFILE when configured
- Prioritize: aws_profile > aws_access_key_id > default credential chain
- Update documentation with three authentication options
- Add aws_profile option to config schema for IAM Roles Anywhere support
- Update run script to use AWS_PROFILE when configured
- Auto-detect /share/.aws/config for credential_process support
- Require either aws_profile OR access_key_id+secret_access_key (no default chain)
- Update documentation with both authentication options

@home-assistant home-assistant bot left a comment


Hi @jsamuel1

It seems you haven't yet signed a CLA. Please do so here.

Once you do that we will be able to review and accept this pull request.

Thanks!

@home-assistant home-assistant bot marked this pull request as draft January 11, 2026 09:18
@home-assistant

Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍

Learn more about our pull request process.

@jsamuel1 jsamuel1 marked this pull request as ready for review January 11, 2026 09:21

coderabbitai bot commented Jan 11, 2026

Warning

Rate limit exceeded

@jsamuel1 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 22 minutes and 19 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 79460af and 3f5a4b4.

📒 Files selected for processing (1)
  • letsencrypt/DOCS.md
📝 Walkthrough

Walkthrough

Adds AWS Route53 credential options for Let's Encrypt DNS validation: supports either aws_profile (optionally using /share/.aws/config) or aws_access_key_id + aws_secret_access_key; updates docs, config schema, and the runtime service script to validate and export the chosen credentials.

Changes

Cohort / File(s) | Summary

Documentation: letsencrypt/DOCS.md
Added Route53 credential documentation showing two options: aws_profile (with note about /share/.aws/config for credential_process) and explicit aws_access_key_id/aws_secret_access_key; includes YAML examples and precedence note (profile wins).

Configuration Schema: letsencrypt/config.yaml
Added new optional aws_profile: str? field under the DNS provider configuration.

Runtime Logic: letsencrypt/rootfs/etc/services.d/lets-encrypt/run
Updated Route53 credential handling: if dns.aws_profile present, export AWS_PROFILE (and optionally set AWS_CONFIG_FILE); else if dns.aws_access_key_id present, require and export AWS_SECRET_ACCESS_KEY; else log error and exit. Replaced prior unconditional access-key requirement and added logging of chosen method.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately and concisely summarizes the main change: adding AWS profile support for Route 53 DNS challenge, which is the primary feature added across the config, documentation, and runtime changes.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @letsencrypt/DOCS.md:
- Line 1288: Replace the bold text "**Option 1: Using AWS Profile (recommended for IAM Roles Anywhere)**" with a proper markdown heading using sentence-style capitalization (for example: "## Option 1: Using AWS profile (recommended for IAM Roles Anywhere)"), and make the identical change for the other occurrence noted (line 1304) so both use headings instead of bolded text.
🧹 Nitpick comments (2)
letsencrypt/DOCS.md (2)

1302-1302: Clarify that the AWS config file is optional.

The current wording "uses the AWS credentials file" could imply it's required. Consider clarifying that the config file at /share/.aws/config is optional and will be used if present.

✍️ Suggested clarity improvement
-  This uses the AWS credentials file at `/share/.aws/config` with a `credential_process` for IAM Roles Anywhere.
+  If present, the AWS config file at `/share/.aws/config` will be used to support `credential_process` for IAM Roles Anywhere.
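Review bot: the replacement line still presents `/share/.aws/config` purely as a credential_process vehicle, while the run script (per the walkthrough above) exports AWS_CONFIG_FILE whenever that file exists, whatever the profile inside it defines; suggest wording such as "If `/share/.aws/config` exists, the add-on uses it as the AWS config file, so the named profile can be defined there (for example with a `credential_process` for IAM Roles Anywhere)." so readers do not assume the file is ignored for plain profiles.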

1319-1319: Consider clarifying precedence when both options are provided.

While the note correctly states the requirement, it doesn't clarify what happens if a user provides both aws_profile AND access keys. The implementation (line 284 in run script) gives precedence to aws_profile, which users might want to know.

✍️ Optional precedence clarification
-  **Note:** You must provide either `aws_profile` OR both `aws_access_key_id` and `aws_secret_access_key`.
+  **Note:** You must provide either `aws_profile` OR both `aws_access_key_id` and `aws_secret_access_key`. If both are configured, `aws_profile` takes precedence.
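Review bot: the added precedence sentence matches the run script's ordering (aws_profile branch first), but it should also state that the access-key values are then not exported at all rather than kept as a fallback, so a leftover key pair in the add-on configuration is never exercised; suggest appending "and the access keys are ignored".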
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 104349e and e13f46c.

📒 Files selected for processing (3)
  • letsencrypt/DOCS.md
  • letsencrypt/config.yaml
  • letsencrypt/rootfs/etc/services.d/lets-encrypt/run
🧰 Additional context used
📓 Path-based instructions (1)
*/**(html|markdown|md)

⚙️ CodeRabbit configuration file

*/**(html|markdown|md): - For instructional content in documentation, use a direct and authoritative tone. Avoid expressions of politeness such as 'may' or 'please', and ensure the goal of the instruction is fronted.

  • Apply the Microsoft Style Guide to ensure documentation maintains clarity and conciseness.
  • In step-by-step instructions, front the location phrase in the instructional sentence.
  • In step-by-step instructions, front the 'goal' in the instructional sentence.
  • In step-by-step instructions, if in doubt what to front, front the 'goal' before the location phrase in the instructional sentence.
  • do not hyphenate terms like 'top-right' or 'bottom-left' with 'corner'

*/**(html|markdown|md): - Use bold to mark UI strings.

  • If "" are used to mark UI strings, replace them by bold.

  • Be brief in your replies and don't add fluff like "thank you for..." and "Please let me know if"

  • Use sentence-style capitalization also in headings.

do not comment on HTML used for icons

Avoid flagging inline HTML for embedding videos in future reviews for this repository.

Files:

  • letsencrypt/config.yaml
  • letsencrypt/DOCS.md
🪛 markdownlint-cli2 (0.18.1)
letsencrypt/DOCS.md

1288-1288: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)


1304-1304: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

🔇 Additional comments (3)
letsencrypt/config.yaml (1)

41-41: LGTM! AWS profile configuration added correctly.

The new aws_profile field follows the existing schema conventions and aligns with the dual authentication approach implemented in the run script.

letsencrypt/DOCS.md (1)

1288-1319: Documentation accurately reflects the implementation.

The two authentication options are well-documented with clear examples and security guidance. The changes align with the runtime behavior in the run script.

letsencrypt/rootfs/etc/services.d/lets-encrypt/run (1)

284-303: Excellent implementation of mutually exclusive authentication methods.

The credential handling logic is well-structured:

  • Proper precedence: aws_profile checked first, then access keys
  • Validation: aws_secret_access_key required when aws_access_key_id is provided
  • Clear error handling: Exit with informative message if neither method is configured
  • Security: No sensitive values logged
  • Optional config file support: Correctly checks for and uses /share/.aws/config when present

The implementation enforces the "no implicit default credential chain" requirement mentioned in the PR objectives.
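The credential-selection logic summarized in the review above (profile first, then an access-key pair that must be complete, otherwise fail rather than fall through to the SDK default chain) can be seen end to end in the following added example. It is not the add-on's run script and not CodeRabbit's or the author's code; it takes the three config values as function arguments in place of the add-on's own config lookups (an assumption about how the real script reads them) and accepts an optional config-file path so it can be exercised with a constructed file.

```shell
# Added example: reproduces the Route 53 credential selection described in the
# review. Arguments stand in for the add-on's config lookups (assumption).
# Exports the chosen AWS_* variables and prints only the method name, never a
# secret, matching the "no sensitive values logged" property.
select_route53_credentials() {
    # $1 aws_profile, $2 aws_access_key_id, $3 aws_secret_access_key,
    # $4 optional shared config path (defaults to /share/.aws/config)
    _cfg="${4:-/share/.aws/config}"
    # Start from a clean slate so a previous call's values cannot leak through.
    unset AWS_PROFILE AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_CONFIG_FILE

    if [ -n "$1" ]; then
        # Profile wins even if access keys are also set; the keys are not exported.
        export AWS_PROFILE="$1"
        # Only point the SDK at the shared config when the file actually exists.
        if [ -f "$_cfg" ]; then
            export AWS_CONFIG_FILE="$_cfg"
        fi
        echo "route53 auth method: profile"
        return 0
    fi

    if [ -n "$2" ]; then
        if [ -z "$3" ]; then
            echo "aws_secret_access_key is required when aws_access_key_id is set" >&2
            return 1
        fi
        export AWS_ACCESS_KEY_ID="$2"
        export AWS_SECRET_ACCESS_KEY="$3"
        echo "route53 auth method: access keys"
        return 0
    fi

    # Deliberately no fall-through to the SDK default credential chain.
    echo "configure either aws_profile or aws_access_key_id + aws_secret_access_key" >&2
    return 1
}

# Demo with a constructed profile name and a config path that does not exist,
# so only AWS_PROFILE is exported:
select_route53_credentials "letsencrypt" "" "" "/nonexistent/.aws/config"
```

The unset at the top is the part worth copying: because the profile branch returns before the key branch runs, a stale key pair left in the configuration is never placed in the environment when a profile is configured, and a partially configured key pair fails closed instead of letting the SDK search for credentials elsewhere.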


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @letsencrypt/DOCS.md:
- Line 1288: Remove the leading spaces before the Markdown headings so they start at column 1; specifically edit the headings "### Option 1: Using AWS profile (recommended for IAM Roles Anywhere)" and the heading at line 1304 so the `###` markers have no indentation, ensuring compliance with MD023.
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between e13f46c and 79460af.

📒 Files selected for processing (1)
  • letsencrypt/DOCS.md
🧰 Additional context used
📓 Path-based instructions (1)
*/**(html|markdown|md)

⚙️ CodeRabbit configuration file

*/**(html|markdown|md): - For instructional content in documentation, use a direct and authoritative tone. Avoid expressions of politeness such as 'may' or 'please', and ensure the goal of the instruction is fronted.

  • Apply the Microsoft Style Guide to ensure documentation maintains clarity and conciseness.
  • In step-by-step instructions, front the location phrase in the instructional sentence.
  • In step-by-step instructions, front the 'goal' in the instructional sentence.
  • In step-by-step instructions, if in doubt what to front, front the 'goal' before the location phrase in the instructional sentence.
  • do not hyphenate terms like 'top-right' or 'bottom-left' with 'corner'

*/**(html|markdown|md): - Use bold to mark UI strings.

  • If "" are used to mark UI strings, replace them by bold.

  • Be brief in your replies and don't add fluff like "thank you for..." and "Please let me know if"

  • Use sentence-style capitalization also in headings.

do not comment on HTML used for icons

Avoid flagging inline HTML for embedding videos in future reviews for this repository.

Files:

  • letsencrypt/DOCS.md
🪛 markdownlint-cli2 (0.18.1)
letsencrypt/DOCS.md

1288-1288: Headings must start at the beginning of the line

(MD023, heading-start-left)


1304-1304: Headings must start at the beginning of the line

(MD023, heading-start-left)

🔇 Additional comments (1)
letsencrypt/DOCS.md (1)

1288-1319: Documentation for Route53 AWS authentication options is clear and complete.

The updated Route53 section properly documents both authentication methods (AWS profile via aws_profile and access keys), includes practical YAML examples for each, auto-detection of /share/.aws/config for credential_process, and explicitly states the precedence behavior. This aligns well with the PR objectives and coding guidelines.

Member

@sairon sairon left a comment


We migrated to certbot-dns-multi in #4407, so this will need rebasing and adjusting for the route53 provider from the Lego library: https://go-acme.github.io/lego/dns/route53/index.html

@home-assistant home-assistant bot marked this pull request as draft February 16, 2026 14:20