Added support for a separate AWS account for Route53. #98

Open
wants to merge 1 commit into base: master
8 changes: 7 additions & 1 deletion README.md
Expand Up @@ -62,7 +62,8 @@ environment variable. This should be a JSON object with the following schema:
"port": "optional, defaults to 443 (integer)"
},
"hosts": ["list of hosts you want on the certificate (strings)"],
"key_type": "rsa or ecdsa, optional, defaults to rsa (string)"
"key_type": "rsa or ecdsa, optional, defaults to rsa (string)",
"route53_type": "route53"
}
],
"acme_account_key": "location of the account private key (string)",
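Review bot: the added schema entry `"route53_type": "route53"` follows neither the documentation style of its neighbours nor the key name the code uses. Every other field in this block describes its value as `"<meaning>, optional, defaults to ... (type)"`, so this should read something like `"route53_type": "optional, set to route53 to use the separate Route53 credentials (string)"`. More importantly, the Python change in this same PR looks up `domain["Route53Type"]`, so a config written from this README would never enable the feature; pick one spelling and use it in both files.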
Expand All @@ -76,6 +77,11 @@ To specify a local file you provide `"file:///path/to/key.pem"` (on Windows use
`"s3://bucket-name/object-name"`. The key should be a PEM formatted RSA private
key.

The `route53_type` should either be empty (to use the default AWS credentials) or
set to `"route53"`, which means that the credentials used for route53 only are
drawn from the environment variable `AWS_ROUTE53_CREDENTIALS_FILE` instead of
`AWS_SHARED_CREDENTIALS_FILE` (which is still used for the rest).

Then you can simply run it: `python letsencrypt-aws.py update-certificates`.

If you add the `--persistent` flag it will run forever, rather than just once,
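Review bot: "empty (to use the default AWS credentials)" promises more than the code delivers. The new code reads `os.environ["AWS_SHARED_CREDENTIALS_FILE"]` unconditionally, so a deployment that relies on an instance profile or `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` and never sets `AWS_SHARED_CREDENTIALS_FILE` now fails with a `KeyError` even when no domain uses `route53_type`. Either state here that `AWS_SHARED_CREDENTIALS_FILE` must be set whenever `AWS_ROUTE53_CREDENTIALS_FILE` is used, or make the code tolerate its absence. It would also help to say that `AWS_ROUTE53_CREDENTIALS_FILE` must point to a file in the same shared-credentials format, since the code consumes it by swapping it into `AWS_SHARED_CREDENTIALS_FILE`.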
34 changes: 31 additions & 3 deletions letsencrypt-aws.py
Expand Up @@ -489,12 +489,11 @@ def update_certificates(persistent=False, force_issue=False):
if persistent and force_issue:
raise ValueError("Can't specify both --persistent and --force-issue")

# Set up basic session, in case credentials are stored in S3
session = boto3.Session()
s3_client = session.client("s3")
elb_client = session.client("elb")
route53_client = session.client("route53")
iam_client = session.client("iam")

# Collect various config stuff
config = json.loads(os.environ["LETSENCRYPT_AWS_CONFIG"])
domains = config["domains"]
acme_directory_url = config.get(
Expand All @@ -505,6 +504,25 @@ def update_certificates(persistent=False, force_issue=False):
s3_client, acme_directory_url, acme_account_key
)

# Find appropriate credentials
creds_default = os.environ["AWS_SHARED_CREDENTIALS_FILE"]
try:
creds_route53 = os.environ["AWS_ROUTE53_CREDENTIALS_FILE"]
except KeyError:
creds_route53 = ''

# Set up other clients
elb_client = session.client("elb")
iam_client = session.client("iam")

# Set up route53 clients
route53_client_basic = session.client("route53")
if creds_route53:
os.environ["AWS_SHARED_CREDENTIALS_FILE"] = creds_route53
route53_session = boto3.Session()
route53_client_other = route53_session.client("route53")
os.environ["AWS_SHARED_CREDENTIALS_FILE"] = creds_default

certificate_requests = []
for domain in domains:
if "elb" in domain:
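Review bot: `route53_client_other` is only assigned inside `if creds_route53:`, so when `AWS_ROUTE53_CREDENTIALS_FILE` is unset the later `if not route53_client_other:` check raises `UnboundLocalError` instead of the intended `ValueError`; add `route53_client_other = None` before the `if`. In the same hunk, `creds_default = os.environ["AWS_SHARED_CREDENTIALS_FILE"]` makes that variable mandatory for every run (see the README note); use `os.environ.get(...)` and, when restoring, `del os.environ["AWS_SHARED_CREDENTIALS_FILE"]` if it was absent rather than assigning `None`, which `os.environ` rejects with a `TypeError`. The `try/except KeyError` for the Route53 variable is just `os.environ.get("AWS_ROUTE53_CREDENTIALS_FILE", "")`. Finally, swapping a process-wide environment variable to build one session should be wrapped in `try/finally`, so an exception from `boto3.Session()` cannot leave the Route53 account's credentials as the default for everything created afterwards.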
Expand All @@ -517,6 +535,16 @@ def update_certificates(persistent=False, force_issue=False):
"Unknown certificate location: {!r}".format(domain)
)

try:
if domain["Route53Type"] == 'route53':
if not route53_client_other:
raise ValueError("Error: route53 creds requested, but not found")
route53_client = route53_client_other
else:
route53_client = route53_client_basic
except KeyError:
route53_client = route53_client_basic

certificate_requests.append(CertificateRequest(
cert_location,
Route53ChallengeCompleter(route53_client),
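Review bot: the key name `Route53Type` does not match the README, which documents `route53_type`; with the documented spelling the lookup always raises `KeyError` and the `except` silently falls back to `route53_client_basic`, i.e. the DNS challenge is written to the wrong AWS account with no error. Use the documented key and replace the `try/except KeyError` with an explicit lookup, e.g. `if domain.get("route53_type") == "route53":`, so a missing key and a misspelled key are handled the same way on purpose rather than by accident. Keeping the `raise ValueError(...)` outside the `try` also makes it obvious that it is not swallowed.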