Add cross-account AssumeRole support for Route 53 DNS validation.#749
Open
VA6DAH wants to merge 1 commit into
Open
Add cross-account AssumeRole support for Route 53 DNS validation.#749VA6DAH wants to merge 1 commit into
VA6DAH wants to merge 1 commit into
Conversation
Contributor
|
Thanks for your proposal, it's much appreciated. A few things:
|
Author
|
Hey Chris, Yes. This was written with curser. My initial attempt only touched the route 53 provider but that the change caused the provider to disappear entirely from the list. The only time I got it to work without touching other components all the new fields appeared in the DNS-01 configuration on the certificate config instead of within the credential config.
|
Authenticate with IAM access keys stored in credentials, optionally assume a role in another AWS account via STS, and use the resulting session credentials to update Route 53 for ACME DNS-01 challenges. Assume-role settings use default IsCredential (stored credentials); zone ID and propagation delay remain certificate parameters.
51a81a2 to
eaff92b
Compare
Author
|
You were absolutely right. Did some more digging and was able to accomplish the goal with the editing of two files. How does this look now? Dakota |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds optional STS AssumeRole support to the Amazon Route 53 DNS-01 provider so Certify can update hosted zones in a different AWS account than the IAM user whose access keys are stored in credentials.
Assume-role settings are defined on the provider using the existing
IsCredentialparameter model: they appear under stored credentials (access keys, assume-role toggle, role ARN, session name, optional external ID). Certificate configuration keeps only DNS Zone Id and propagation delay.Scope: changes are limited to the Route 53 plugin (
DnsProviderAWSRoute53.csandPlugin.DNS.AWSRoute53.csproj) only.Why this matters (especially in AWS Organizations)
In many AWS Organizations, DNS is centralized in a shared/network account while applications and certificate workloads run in member accounts. Route 53 hosted zones often cannot (and should not) be managed from the same account that runs the app server.
Without AssumeRole, operators typically must either:
AssumeRole is the standard AWS pattern for this:
sts:AssumeRoleonly.sts:AssumeRoleon one role. Target role: scopedroute53:ChangeResourceRecordSetson specific hosted zones.What changed
DnsProviderAWSRoute53.cssts:AssumeRolewith the caller's access keys, then creates the Route 53 client with temporary session credentials.CertifyTheWeb), and optional External ID.IsCredential(same pattern as Cloudflare/Azure); onlyzoneidandpropagationdelayremain certificate parameters (IsCredential=false).Plugin.DNS.AWSRoute53.csprojAWSSDK.SecurityTokenand pins alignedAWSSDK.Core/AWSSDK.Route53versions to avoidTypeLoadExceptionat plugin load.Credential vs certificate configuration
Screenshot
Test plan
Verified: staging certificate request log
Cross-account setup: caller IAM user in workload account →
sts:AssumeRole→arn:aws:iam::123456789012:role/CertifyRoute53→ TXT create/validate/delete in hosted zone/hostedzone/Z0EXAMPLEZONEIDforexample.com.(Domain, AWS account ID, hosted zone ID, ACME order/challenge URLs, and DNS-01 token value redacted.)
Key lines:
Route53 :: Initialized with assumed role …before TXT create and cleanup; challenge validation completed; certificate issued and stored.Notes for reviewers
IsCredentialonProviderParameter); no changes outside the Route 53 plugin.AWSSDK.SecurityTokenis added alongside pinned Core/Route53 versions so the plugin loads reliably when SecurityToken is required.