feat(letsencrypt): Add AWS profile support for Route 53 DNS challenge

letsencrypt/DOCS.md

@@ -1285,6 +1285,24 @@ An example configuration:
 <details>
   <summary>route53</summary>
 
+  ### Option 1: Using AWS profile (recommended for IAM Roles Anywhere)
+
+  ```yaml
+  email: your.email@example.com
+  domains:
+    - your.domain.tld
+  certfile: fullchain.pem
+  keyfile: privkey.pem
+  challenge: dns
+  dns:
+    provider: dns-route53
+    aws_profile: letsencrypt
+  ```
+
+  If present, the AWS config file at `/share/.aws/config` will be used to support `credential_process` for IAM Roles Anywhere.
+
+  ### Option 2: Using access keys
+
   ```yaml
   email: your.email@example.com
   domains:
@@ -1298,6 +1316,8 @@ An example configuration:
     aws_secret_access_key: 0123456789abcdef0123456789/abcdef0123456
   ```
 
+  **Note:** You must provide either `aws_profile` OR both `aws_access_key_id` and `aws_secret_access_key`. If both are configured, `aws_profile` takes precedence.
+
 For security reasons, don't use your main account's credentials. Instead, add a new [AWS user](https://console.aws.amazon.com/iam/home?#/users) with _Access Type: Programmatic access_ and use that user's access key. Assign a minimum [policy](https://console.aws.amazon.com/iam/home?#/policies$new?step=edit) like the following example. Make sure to replace the Resource ARN in the first statement to your domain's hosted zone ARN or use _*_ for all.
 
   ```json

letsencrypt/config.yaml

@@ -38,6 +38,7 @@ schema:
     # Developer note: please add a new plugin alphabetically into all lists
     aws_access_key_id: str?
     aws_secret_access_key: str?
+    aws_profile: str?
     azure_config: str?
     cloudflare_api_key: str?
     cloudflare_api_token: str?

letsencrypt/rootfs/etc/services.d/lets-encrypt/run

@@ -281,12 +281,26 @@ if [ "${CHALLENGE}" == "dns" ]; then
 
         # route53 - AWS
         'dns-route53')
-            bashio::config.require 'dns.aws_access_key_id'
-            bashio::config.require 'dns.aws_secret_access_key'
-            AWS_ACCESS_KEY_ID="$(bashio::config 'dns.aws_access_key_id')"
-            AWS_SECRET_ACCESS_KEY="$(bashio::config 'dns.aws_secret_access_key')"
-            export AWS_ACCESS_KEY_ID
-            export AWS_SECRET_ACCESS_KEY
+            if bashio::config.has_value 'dns.aws_profile'; then
+                AWS_PROFILE="$(bashio::config 'dns.aws_profile')"
+                export AWS_PROFILE
+                # Check for AWS config in /share/.aws (for IAM Roles Anywhere)
+                if [ -f "/share/.aws/config" ]; then
+                    export AWS_CONFIG_FILE="/share/.aws/config"
+                    bashio::log.info "Using AWS config from /share/.aws/config"
+                fi
+                bashio::log.info "Using AWS profile: ${AWS_PROFILE}"
+            elif bashio::config.has_value 'dns.aws_access_key_id'; then
+                bashio::config.require 'dns.aws_secret_access_key'
+                AWS_ACCESS_KEY_ID="$(bashio::config 'dns.aws_access_key_id')"
+                AWS_SECRET_ACCESS_KEY="$(bashio::config 'dns.aws_secret_access_key')"
+                export AWS_ACCESS_KEY_ID
+                export AWS_SECRET_ACCESS_KEY
+                bashio::log.info "Using AWS access key credentials"
+            else
+                bashio::log.error "Route 53 requires either 'aws_profile' or 'aws_access_key_id' and 'aws_secret_access_key'"
+                exit 1
+            fi
             ACME_ARGUMENTS+=("--${DNS_PROVIDER}")
             ;;