forked from TrueCloudLab/lego
route53: add assume role ARN (#1650)
Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>
This commit is contained in:
parent
9b029d53d7
commit
d95b487af1
4 changed files with 41 additions and 12 deletions
|
@ -1860,6 +1860,7 @@ func displayDNSHelp(name string) error {
|
|||
|
||||
ew.writeln(`Credentials:`)
|
||||
ew.writeln(` - "AWS_ACCESS_KEY_ID": Managed by the AWS client. Access key ID ('AWS_ACCESS_KEY_ID_FILE' is not supported, use 'AWS_SHARED_CREDENTIALS_FILE' instead)`)
|
||||
ew.writeln(` - "AWS_ASSUME_ROLE_ARN": Managed by the AWS Role ARN ('AWS_ASSUME_ROLE_ARN' is not supported)`)
|
||||
ew.writeln(` - "AWS_HOSTED_ZONE_ID": Override the hosted zone ID.`)
|
||||
ew.writeln(` - "AWS_PROFILE": Managed by the AWS client ('AWS_PROFILE_FILE' is not supported)`)
|
||||
ew.writeln(` - "AWS_REGION": Managed by the AWS client ('AWS_REGION_FILE' is not supported)`)
|
||||
|
|
|
@ -30,6 +30,7 @@ _Please contribute by adding a CLI example._
|
|||
| Environment Variable Name | Description |
|
||||
|-----------------------|-------------|
|
||||
| `AWS_ACCESS_KEY_ID` | Managed by the AWS client. Access key ID (`AWS_ACCESS_KEY_ID_FILE` is not supported, use `AWS_SHARED_CREDENTIALS_FILE` instead) |
|
||||
| `AWS_ASSUME_ROLE_ARN` | Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN` is not supported) |
|
||||
| `AWS_HOSTED_ZONE_ID` | Override the hosted zone ID. |
|
||||
| `AWS_PROFILE` | Managed by the AWS client (`AWS_PROFILE_FILE` is not supported) |
|
||||
| `AWS_REGION` | Managed by the AWS client (`AWS_REGION_FILE` is not supported) |
|
||||
|
|
|
@ -10,6 +10,7 @@ import (
|
|||
|
||||
"github.com/aws/aws-sdk-go/aws"
|
||||
"github.com/aws/aws-sdk-go/aws/client"
|
||||
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
|
||||
"github.com/aws/aws-sdk-go/aws/request"
|
||||
"github.com/aws/aws-sdk-go/aws/session"
|
||||
"github.com/aws/aws-sdk-go/service/route53"
|
||||
|
@ -31,26 +32,32 @@ const (
|
|||
EnvTTL = envNamespace + "TTL"
|
||||
EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
|
||||
EnvPollingInterval = envNamespace + "POLLING_INTERVAL"
|
||||
EnvAssumeRoleArn = envNamespace + "ASSUME_ROLE_ARN"
|
||||
)
|
||||
|
||||
// Config is used to configure the creation of the DNSProvider.
|
||||
type Config struct {
|
||||
HostedZoneID string
|
||||
MaxRetries int
|
||||
AssumeRoleArn string
|
||||
|
||||
TTL int
|
||||
PropagationTimeout time.Duration
|
||||
PollingInterval time.Duration
|
||||
HostedZoneID string
|
||||
|
||||
Client *route53.Route53
|
||||
}
|
||||
|
||||
// NewDefaultConfig returns a default configuration for the DNSProvider.
|
||||
func NewDefaultConfig() *Config {
|
||||
return &Config{
|
||||
HostedZoneID: env.GetOrFile(EnvHostedZoneID),
|
||||
MaxRetries: env.GetOrDefaultInt(EnvMaxRetries, 5),
|
||||
AssumeRoleArn: env.GetOrDefaultString(EnvAssumeRoleArn, ""),
|
||||
|
||||
TTL: env.GetOrDefaultInt(EnvTTL, 10),
|
||||
PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute),
|
||||
PollingInterval: env.GetOrDefaultSecond(EnvPollingInterval, 4*time.Second),
|
||||
HostedZoneID: env.GetOrFile(EnvHostedZoneID),
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -106,17 +113,15 @@ func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
|
|||
return &DNSProvider{client: config.Client, config: config}, nil
|
||||
}
|
||||
|
||||
retry := customRetryer{}
|
||||
retry.NumMaxRetries = config.MaxRetries
|
||||
sessionCfg := request.WithRetryer(aws.NewConfig(), retry)
|
||||
|
||||
sess, err := session.NewSessionWithOptions(session.Options{Config: *sessionCfg})
|
||||
sess, err := createSession(config)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
cl := route53.New(sess)
|
||||
return &DNSProvider{client: cl, config: config}, nil
|
||||
return &DNSProvider{
|
||||
client: route53.New(sess),
|
||||
config: config,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// Timeout returns the timeout and interval to use when checking for DNS propagation.
|
||||
|
@ -294,3 +299,24 @@ func (d *DNSProvider) getHostedZoneID(fqdn string) (string, error) {
|
|||
|
||||
return hostedZoneID, nil
|
||||
}
|
||||
|
||||
func createSession(config *Config) (*session.Session, error) {
|
||||
retry := customRetryer{}
|
||||
retry.NumMaxRetries = config.MaxRetries
|
||||
|
||||
sessionCfg := request.WithRetryer(aws.NewConfig(), retry)
|
||||
|
||||
sess, err := session.NewSessionWithOptions(session.Options{Config: *sessionCfg})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if config.AssumeRoleArn == "" {
|
||||
return sess, nil
|
||||
}
|
||||
|
||||
return session.NewSession(&aws.Config{
|
||||
Region: sess.Config.Region,
|
||||
Credentials: stscreds.NewCredentials(sess, config.AssumeRoleArn),
|
||||
})
|
||||
}
|
||||
|
|
|
@ -69,6 +69,7 @@ The following AWS IAM policy document describes the permissions required for leg
|
|||
AWS_HOSTED_ZONE_ID = "Override the hosted zone ID."
|
||||
AWS_PROFILE = "Managed by the AWS client (`AWS_PROFILE_FILE` is not supported)"
|
||||
AWS_SDK_LOAD_CONFIG = "Managed by the AWS client. Retrieve the region from the CLI config file (`AWS_SDK_LOAD_CONFIG_FILE` is not supported)"
|
||||
AWS_ASSUME_ROLE_ARN = "Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN` is not supported)"
|
||||
[Configuration.Additional]
|
||||
AWS_SHARED_CREDENTIALS_FILE = "Managed by the AWS client. Shared credentials file."
|
||||
AWS_MAX_RETRIES = "The number of maximum returns the service will use to make an individual API request"
|
||||
|
|
Loading…
Reference in a new issue