TrueCloudLab/coredns
16
0
Fork 2
Code Issues Pull requests 3 Projects Releases Packages Wiki Activity Actions

[plugin/route53] Deprecate plaintext secret in Corefile for route53 plugin (#5228)

Browse source 
This PR deprecates plaintext secret in Corefile for route53 plugin (`aws_access_key`).
Since using environmental variables of `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
have already been available, no other changes other than deprecation is needed.

This will avoid saving plaintext secret in Corefile which could be
of security concern.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This commit is contained in:
Yong Tang 2022-03-11 11:32:44 -08:00 committed by GitHub
parent 4b597f8308
commit 6bb2db758f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
plugin/route53/README.md
View file

@ -15,7 +15,7 @@ The route53 plugin can be used when coredns is deployed on AWS or elsewhere.
~~~ txt ~~~ txt
route53 [ZONE:HOSTED_ZONE_ID...] { route53 [ZONE:HOSTED_ZONE_ID...] {
aws_access_key [AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY] aws_access_key [AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY] # Deprecated, uses other authentication methods instead.
aws_endpoint ENDPOINT aws_endpoint ENDPOINT
credentials PROFILE [FILENAME] credentials PROFILE [FILENAME]
fallthrough [ZONES...] fallthrough [ZONES...]
@ -34,6 +34,9 @@ route53 [ZONE:HOSTED_ZONE_ID...] {
to be used when query AWS (optional). If they are not provided, then coredns tries to access to be used when query AWS (optional). If they are not provided, then coredns tries to access
AWS credentials the same way as AWS CLI, e.g., environmental variables, AWS credentials file, AWS credentials the same way as AWS CLI, e.g., environmental variables, AWS credentials file,
instance profile credentials, etc. instance profile credentials, etc.
Note the usage of `aws_access_key` has been deprecated and may be removed in future versions. Instead,
user can use other methods to pass crentials, e.g., with environmental variable `AWS_ACCESS_KEY_ID` and
`AWS_SECRET_ACCESS_KEY`, respectively.
* `aws_endpoint` can be used to control the endpoint to use when querying AWS (optional). **ENDPOINT** is the * `aws_endpoint` can be used to control the endpoint to use when querying AWS (optional). **ENDPOINT** is the
URL of the endpoint to use. If this is not provided the default AWS endpoint resolution will occur. URL of the endpoint to use. If this is not provided the default AWS endpoint resolution will occur.
@ -74,7 +77,7 @@ Enable route53 with explicit AWS credentials:
~~~ txt ~~~ txt
example.org { example.org {
route53 example.org.:Z1Z2Z3Z4DZ5Z6Z7 { route53 example.org.:Z1Z2Z3Z4DZ5Z6Z7 {
aws_access_key AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY aws_access_key AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY # Deprecated, uses other authentication methods instead.
} }
} }
~~~ ~~~
@ -115,3 +118,11 @@ example.org {
} }
} }
~~~ ~~~
## Authentication
Route53 plugin uses [AWS Go SDK](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html)
for authentication, where there is a list of accepted configuration methods.
Note the usage of `aws_access_key` in Corefile has been deprecated and may be removed in future versions. Instead,
user can use other methods to pass crentials, e.g., with environmental variable `AWS_ACCESS_KEY_ID` and
`AWS_SECRET_ACCESS_KEY`, respectively.

1
plugin/route53/setup.go
View file

@ -80,6 +80,7 @@ func setup(c *caddy.Controller) error {
SecretAccessKey: v[1], SecretAccessKey: v[1],
}, },
}) })
log.Warningf("Save aws_access_key in Corefile has been deprecated, please use other authentication methods instead")
case "aws_endpoint": case "aws_endpoint":
if c.NextArg() { if c.NextArg() {
endpoint = c.Val() endpoint = c.Val()