route53: add assume role ARN (#1650)

Co-authored-by: Fernandez Ludovic <[email protected]>
go-acme · May 27, 2022 · d95b487 · d95b487
1 parent 9b029d5
commit d95b487
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 12 deletions.
diff --git a/cmd/zz_gen_cmd_dnshelp.go b/cmd/zz_gen_cmd_dnshelp.go
@@ -1860,6 +1860,7 @@ func displayDNSHelp(name string) error {
 
 		ew.writeln(`Credentials:`)
 		ew.writeln(`	- "AWS_ACCESS_KEY_ID":	Managed by the AWS client. Access key ID ('AWS_ACCESS_KEY_ID_FILE' is not supported, use 'AWS_SHARED_CREDENTIALS_FILE' instead)`)
+		ew.writeln(`	- "AWS_ASSUME_ROLE_ARN":	Managed by the AWS Role ARN ('AWS_ASSUME_ROLE_ARN' is not supported)`)
 		ew.writeln(`	- "AWS_HOSTED_ZONE_ID":	Override the hosted zone ID.`)
 		ew.writeln(`	- "AWS_PROFILE":	Managed by the AWS client ('AWS_PROFILE_FILE' is not supported)`)
 		ew.writeln(`	- "AWS_REGION":	Managed by the AWS client ('AWS_REGION_FILE' is not supported)`)

diff --git a/docs/content/dns/zz_gen_route53.md b/docs/content/dns/zz_gen_route53.md
@@ -30,6 +30,7 @@ _Please contribute by adding a CLI example._
 | Environment Variable Name | Description |
 |-----------------------|-------------|
 | `AWS_ACCESS_KEY_ID` | Managed by the AWS client. Access key ID (`AWS_ACCESS_KEY_ID_FILE` is not supported, use `AWS_SHARED_CREDENTIALS_FILE` instead) |
+| `AWS_ASSUME_ROLE_ARN` | Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN` is not supported) |
 | `AWS_HOSTED_ZONE_ID` | Override the hosted zone ID. |
 | `AWS_PROFILE` | Managed by the AWS client (`AWS_PROFILE_FILE` is not supported) |
 | `AWS_REGION` | Managed by the AWS client (`AWS_REGION_FILE` is not supported) |

diff --git a/providers/dns/route53/route53.go b/providers/dns/route53/route53.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/client"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/request"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/route53"
@@ -31,26 +32,32 @@ const (
 	EnvTTL                = envNamespace + "TTL"
 	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
 	EnvPollingInterval    = envNamespace + "POLLING_INTERVAL"
+	EnvAssumeRoleArn      = envNamespace + "ASSUME_ROLE_ARN"
 )
 
 // Config is used to configure the creation of the DNSProvider.
 type Config struct {
-	MaxRetries         int
+	HostedZoneID  string
+	MaxRetries    int
+	AssumeRoleArn string
+
 	TTL                int
 	PropagationTimeout time.Duration
 	PollingInterval    time.Duration
-	HostedZoneID       string
-	Client             *route53.Route53
+
+	Client *route53.Route53
 }
 
 // NewDefaultConfig returns a default configuration for the DNSProvider.
 func NewDefaultConfig() *Config {
 	return &Config{
-		MaxRetries:         env.GetOrDefaultInt(EnvMaxRetries, 5),
+		HostedZoneID:  env.GetOrFile(EnvHostedZoneID),
+		MaxRetries:    env.GetOrDefaultInt(EnvMaxRetries, 5),
+		AssumeRoleArn: env.GetOrDefaultString(EnvAssumeRoleArn, ""),
+
 		TTL:                env.GetOrDefaultInt(EnvTTL, 10),
 		PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute),
 		PollingInterval:    env.GetOrDefaultSecond(EnvPollingInterval, 4*time.Second),
-		HostedZoneID:       env.GetOrFile(EnvHostedZoneID),
 	}
 }
 
@@ -106,17 +113,15 @@ func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
 		return &DNSProvider{client: config.Client, config: config}, nil
 	}
 
-	retry := customRetryer{}
-	retry.NumMaxRetries = config.MaxRetries
-	sessionCfg := request.WithRetryer(aws.NewConfig(), retry)
-
-	sess, err := session.NewSessionWithOptions(session.Options{Config: *sessionCfg})
+	sess, err := createSession(config)
 	if err != nil {
 		return nil, err
 	}
 
-	cl := route53.New(sess)
-	return &DNSProvider{client: cl, config: config}, nil
+	return &DNSProvider{
+		client: route53.New(sess),
+		config: config,
+	}, nil
 }
 
 // Timeout returns the timeout and interval to use when checking for DNS propagation.
@@ -294,3 +299,24 @@ func (d *DNSProvider) getHostedZoneID(fqdn string) (string, error) {
 
 	return hostedZoneID, nil
 }
+
+func createSession(config *Config) (*session.Session, error) {
+	retry := customRetryer{}
+	retry.NumMaxRetries = config.MaxRetries
+
+	sessionCfg := request.WithRetryer(aws.NewConfig(), retry)
+
+	sess, err := session.NewSessionWithOptions(session.Options{Config: *sessionCfg})
+	if err != nil {
+		return nil, err
+	}
+
+	if config.AssumeRoleArn == "" {
+		return sess, nil
+	}
+
+	return session.NewSession(&aws.Config{
+		Region:      sess.Config.Region,
+		Credentials: stscreds.NewCredentials(sess, config.AssumeRoleArn),
+	})
+}
diff --git a/providers/dns/route53/route53.toml b/providers/dns/route53/route53.toml
@@ -69,6 +69,7 @@ The following AWS IAM policy document describes the permissions required for leg
     AWS_HOSTED_ZONE_ID = "Override the hosted zone ID."
     AWS_PROFILE = "Managed by the AWS client (`AWS_PROFILE_FILE` is not supported)"
     AWS_SDK_LOAD_CONFIG = "Managed by the AWS client. Retrieve the region from the CLI config file (`AWS_SDK_LOAD_CONFIG_FILE` is not supported)"
+    AWS_ASSUME_ROLE_ARN = "Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN` is not supported)"
   [Configuration.Additional]
     AWS_SHARED_CREDENTIALS_FILE = "Managed by the AWS client. Shared credentials file."
     AWS_MAX_RETRIES = "The number of maximum returns the service will use to make an individual API request"