Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse

Cloudron Forum

Apps | Demo | Docs | Install

Rotation of AWS IAM credentials

Scheduled Pinned Locked Moved Solved Support
awsroute53domainsapi
12 Posts 2 Posters 139 Views
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • P Offline
    P Offline
    prusaman
    wrote on last edited by girish
    #1

    Following the docs here, I have cloudron up and running with AWS route53 and all appears to be working fine. The problem comes every time I need to rotate my AWS IAM keys. Currently I am manually updating these credentials and saving them through the web UI.

    Based on https://docs.cloudron.io/api.html#tag/Domains/paths/~1domains~1{domain}/put it appears that I can do this through the API, do you by change have an example of the Config parameter in use?

    Im guessing the best approach to this would be to install the AWS cli on the cloudron server and call it via cron to execute the credential rotation and call the API to update the domain. Thoughts? I just want to make sure I am not missing an obvious configuration option you already have to handle such issues.

    girishG 1 Reply Last reply
    1
  • girishG Offline
    girishG Offline
    girish Staff
    replied to prusaman on last edited by
    #2

    @prusaman the config is an object with accessKeyId and secretAccessKey.

    It might be easier to just create long(ish) keys which are scoped to just route53 only and that too only for the specific domain. See the IAM policy example here - https://docs.cloudron.io/domains/#route53-dns

    P 1 Reply Last reply
    0
  • P Offline
    P Offline
    prusaman
    replied to girish on last edited by
    #3

    @girish unfortunately long lived keys wont work in my situation. Additionally, it is recommended by AWS to rotate them on a 90 day basis at a minimum.

    Any specific example so I can see how this object is to be constructed?

    thanks

    1 Reply Last reply
    0
  • P Offline
    P Offline
    prusaman
    wrote on last edited by
    #4

    My assumption is something along the lines of

    {
    "provider": "route53",
    "config": {"accessKeyId":"AKIAXXXXXXX", "secretAccessKey":"XXXXXXXXXXXXXX"},
    "wildcard": true,
    "zoneName": "my.zone.name",
    }
    
    girishG 1 Reply Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    replied to prusaman on last edited by girish
    #5

    @prusaman something like this:

    {
        "domain":"domain.com",
        "zone": "domain.com",
        "provider":"route53",
        "config": {
            "accessKeyId":"AKIAxx",
            "secretAccessKey":"yy"
        },
        "tlsConfig":{ "provider":"letsencrypt-prod","wildcard":true }
    }
    
    P 1 Reply Last reply
    0
  • P Offline
    P Offline
    prusaman
    replied to girish on last edited by
    #6

    @girish awesome @girish - will give it a go. Thanks

    P 1 Reply Last reply
    0
  • P Offline
    P Offline
    prusaman
    replied to prusaman on last edited by
    #7

    @girish Im getting the following:

    curl -k -X PUT -H 'Content-Type: application/json' -H 'Authorization: Bearer APIKEYHERE' --data '{"domain":"sub.domain.tld","zone": "sub.domain.tld","provider":"route53","config": {"accessKeyId":"AKIA","secretAccessKey":"XXXXX"},"tlsConfig":{ "provider":"letsencrypt-prod","wildcard":true }}' https://my.sub.domain.tld/api/v1/domains/sub.domain.tld

    <!DOCTYPE html>
    <html lang="en">
    <head>
    <meta charset="utf-8">
    <title>Error</title>
    </head>
    <body>
    <pre>Cannot PUT /api/v1/domains/sub.domain.tld</pre>
    </body>
    </html>
    

    But I get the following with:

    curl -k -X GET -H 'Content-Type: application/json' -H 'Authorization: Bearer APIKEYHERE' https://my.sub.domain.tld/api/v1/domains

    {
      "domains": [
        {
          "domain": "sub.domain.tld",
          "zoneName": "sub.domain.tld",
          "provider": "route53",
          "config": {}
        }
      ]
    }
    

    Any ideas? Im sure Im just not constructing the call correctly.

    girishG 2 Replies Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    replied to prusaman on last edited by
    #8

    @prusaman Looks correct to me, but have you tried curl -X POST instead?

    P 1 Reply Last reply
    0
  • P Offline
    P Offline
    prusaman
    replied to girish on last edited by
    #9

    @girish Documentation specifies PUT but yeah, tried POST as well.

    <!DOCTYPE html>
    <html lang="en">
    <head>
    <meta charset="utf-8">
    <title>Error</title>
    </head>
    <body>
    <pre>Cannot POST /api/v1/domains/sub.domain.tld</pre>
    </body>
    </html>
    
    1 Reply Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    replied to prusaman on last edited by
    #10

    @prusaman said in Rotation of AWS IAM credentials:

    curl -k -X PUT -H 'Content-Type: application/json' -H 'Authorization: Bearer APIKEYHERE' --data '{"domain":"sub.domain.tld","zone": "sub.domain.tld","provider":"route53","config": {"accessKeyId":"AKIA","secretAccessKey":"XXXXX"},"tlsConfig":{ "provider":"letsencrypt-prod","wildcard":true }}' https://my.sub.domain.tld/api/v1/domains/sub.domain.tld

    I got the path wrong. Send POST request to https://my.sub.domain.tld/api/v1/domains/sub.domain.tld/config. I double checked that it works.

    1 Reply Last reply
    0
  • girishG girish marked this topic as a question on
  • girishG girish has marked this topic as solved on
  • P Offline
    P Offline
    prusaman
    wrote on last edited by
    #11

    Getting:

    {
      "status": "Bad Request",
      "message": "Failed to parse body"
    }
    

    Same command as above, changed from PUT to POST and sending request to https://my.sub.domain.tld/api/v1/domains/sub.domain.tld/config

    Any ideas?

    1 Reply Last reply
    0
  • P Offline
    P Offline
    prusaman
    wrote on last edited by
    #12

    Ignore me. This was an issue with PowerShell apparently. If run from linux it works fine.

    Thanks again

    1 Reply Last reply
    1

  • Login

  • Don't have an account? Register

  • Login or register to search.
  • First post
    Last post
0
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Login

  • Don't have an account? Register

  • Login or register to search.