diff --git a/letsencrypt/DOCS.md b/letsencrypt/DOCS.md
index 0eed66781..4f1465602 100644
--- a/letsencrypt/DOCS.md
+++ b/letsencrypt/DOCS.md
@@ -1285,6 +1285,24 @@ An example configuration:
route53
+### Option 1: Using AWS profile (recommended for IAM Roles Anywhere)
+
+ ```yaml
+ email: your.email@example.com
+ domains:
+ - your.domain.tld
+ certfile: fullchain.pem
+ keyfile: privkey.pem
+ challenge: dns
+ dns:
+ provider: dns-route53
+ aws_profile: letsencrypt
+ ```
+
+ If present, the AWS config file at `/share/.aws/config` will be used to support `credential_process` for IAM Roles Anywhere.
+
+### Option 2: Using access keys
+
```yaml
email: your.email@example.com
domains:
@@ -1298,6 +1316,8 @@ An example configuration:
aws_secret_access_key: 0123456789abcdef0123456789/abcdef0123456
```
+
+ **Note:** You must provide either `aws_profile` OR both `aws_access_key_id` and `aws_secret_access_key`. If both are configured, `aws_profile` takes precedence.
+
For security reasons, don't use your main account's credentials. Instead, add a new [AWS user](https://console.aws.amazon.com/iam/home?#/users) with _Access Type: Programmatic access_ and use that user's access key. Assign a minimum [policy](https://console.aws.amazon.com/iam/home?#/policies$new?step=edit) like the following example. Make sure to replace the Resource ARN in the first statement to your domain's hosted zone ARN or use _*_ for all.
```json
diff --git a/letsencrypt/config.yaml b/letsencrypt/config.yaml
index f78c1e15c..60e232b09 100644
--- a/letsencrypt/config.yaml
+++ b/letsencrypt/config.yaml
@@ -38,6 +38,7 @@ schema:
# Developer note: please add a new plugin alphabetically into all lists
aws_access_key_id: str?
aws_secret_access_key: str?
+ aws_profile: str?
azure_config: str?
cloudflare_api_key: str?
cloudflare_api_token: str?
diff --git a/letsencrypt/rootfs/etc/services.d/lets-encrypt/run b/letsencrypt/rootfs/etc/services.d/lets-encrypt/run
index b4ba9c3ea..a368aada1 100755
--- a/letsencrypt/rootfs/etc/services.d/lets-encrypt/run
+++ b/letsencrypt/rootfs/etc/services.d/lets-encrypt/run
@@ -281,12 +281,26 @@ if [ "${CHALLENGE}" == "dns" ]; then
# route53 - AWS
'dns-route53')
- bashio::config.require 'dns.aws_access_key_id'
- bashio::config.require 'dns.aws_secret_access_key'
- AWS_ACCESS_KEY_ID="$(bashio::config 'dns.aws_access_key_id')"
- AWS_SECRET_ACCESS_KEY="$(bashio::config 'dns.aws_secret_access_key')"
- export AWS_ACCESS_KEY_ID
- export AWS_SECRET_ACCESS_KEY
+ if bashio::config.has_value 'dns.aws_profile'; then
+ AWS_PROFILE="$(bashio::config 'dns.aws_profile')"
+ export AWS_PROFILE
+ # Check for AWS config in /share/.aws (for IAM Roles Anywhere)
+ if [ -f "/share/.aws/config" ]; then
+ export AWS_CONFIG_FILE="/share/.aws/config"
+ bashio::log.info "Using AWS config from /share/.aws/config"
+ fi
+ bashio::log.info "Using AWS profile: ${AWS_PROFILE}"
+ elif bashio::config.has_value 'dns.aws_access_key_id'; then
+ bashio::config.require 'dns.aws_secret_access_key'
+ AWS_ACCESS_KEY_ID="$(bashio::config 'dns.aws_access_key_id')"
+ AWS_SECRET_ACCESS_KEY="$(bashio::config 'dns.aws_secret_access_key')"
+ export AWS_ACCESS_KEY_ID
+ export AWS_SECRET_ACCESS_KEY
+ bashio::log.info "Using AWS access key credentials"
+ else
+ bashio::log.error "Route 53 requires either 'aws_profile' or 'aws_access_key_id' and 'aws_secret_access_key'"
+ exit 1
+ fi
ACME_ARGUMENTS+=("--${DNS_PROVIDER}")
;;
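Review bot: Exporting `AWS_CONFIG_FILE="/share/.aws/config"` makes this add-on execute whatever `credential_process` command that file names (the DOCS hunk advertises exactly that use), and `/share` is a volume that other add-ons and host users can write to, so the new `if [ -f "/share/.aws/config" ]` branch should treat the file as untrusted input rather than merely check that it exists. I would hoist the repeated path into a variable, skip the file with a warning when it is group- or world-writable, and also warn when `aws_profile` is set but no config file is present, because otherwise the missing profile only surfaces later from boto3 inside certbot with a less obvious error. The enclosing `case` and the `if [ "${CHALLENGE}" == "dns" ]` block both begin and end outside the hunk. If the image's `find` does not support `-perm /MODE`, an equivalent `stat -c '%a'` test works as well.

```shell
if bashio::config.has_value 'dns.aws_profile'; then
    AWS_PROFILE="$(bashio::config 'dns.aws_profile')"
    export AWS_PROFILE
    aws_config_path="/share/.aws/config"
    # credential_process commands in this file run inside this add-on, so only
    # honour it when nobody but the owner can modify it
    if [ -f "${aws_config_path}" ]; then
        if [ -n "$(find "${aws_config_path}" -perm /022 2>/dev/null)" ]; then
            bashio::log.warning "Ignoring ${aws_config_path}: it is group- or world-writable"
        else
            export AWS_CONFIG_FILE="${aws_config_path}"
            bashio::log.info "Using AWS config from ${aws_config_path}"
        fi
    else
        bashio::log.warning "No ${aws_config_path} found; profile '${AWS_PROFILE}' must exist in the default AWS config locations"
    fi
    bashio::log.info "Using AWS profile: ${AWS_PROFILE}"
# … unchanged: access-key branch, error/exit branch, fi …
```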