Solved Rotation of AWS IAM credentials
-
Following the docs here, I have cloudron up and running with AWS route53 and all appears to be working fine. The problem comes every time I need to rotate my AWS IAM keys. Currently I am manually updating these credentials and saving them through the web UI.
Based on https://docs.cloudron.io/api.html#tag/Domains/paths/~1domains~1{domain}/put it appears that I can do this through the API, do you by change have an example of the Config parameter in use?
Im guessing the best approach to this would be to install the AWS cli on the cloudron server and call it via cron to execute the credential rotation and call the API to update the domain. Thoughts? I just want to make sure I am not missing an obvious configuration option you already have to handle such issues.
-
@prusaman the
config
is an object withaccessKeyId
andsecretAccessKey
.It might be easier to just create long(ish) keys which are scoped to just route53 only and that too only for the specific domain. See the IAM policy example here - https://docs.cloudron.io/domains/#route53-dns
-
@girish unfortunately long lived keys wont work in my situation. Additionally, it is recommended by AWS to rotate them on a 90 day basis at a minimum.
Any specific example so I can see how this object is to be constructed?
thanks
-
My assumption is something along the lines of
{ "provider": "route53", "config": {"accessKeyId":"AKIAXXXXXXX", "secretAccessKey":"XXXXXXXXXXXXXX"}, "wildcard": true, "zoneName": "my.zone.name", }
-
@prusaman something like this:
{ "domain":"domain.com", "zone": "domain.com", "provider":"route53", "config": { "accessKeyId":"AKIAxx", "secretAccessKey":"yy" }, "tlsConfig":{ "provider":"letsencrypt-prod","wildcard":true } }
-
-
@girish Im getting the following:
curl -k -X PUT -H 'Content-Type: application/json' -H 'Authorization: Bearer APIKEYHERE' --data '{"domain":"sub.domain.tld","zone": "sub.domain.tld","provider":"route53","config": {"accessKeyId":"AKIA","secretAccessKey":"XXXXX"},"tlsConfig":{ "provider":"letsencrypt-prod","wildcard":true }}' https://my.sub.domain.tld/api/v1/domains/sub.domain.tld
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Error</title> </head> <body> <pre>Cannot PUT /api/v1/domains/sub.domain.tld</pre> </body> </html>
But I get the following with:
curl -k -X GET -H 'Content-Type: application/json' -H 'Authorization: Bearer APIKEYHERE' https://my.sub.domain.tld/api/v1/domains
{ "domains": [ { "domain": "sub.domain.tld", "zoneName": "sub.domain.tld", "provider": "route53", "config": {} } ] }
Any ideas? Im sure Im just not constructing the call correctly.
-
@prusaman Looks correct to me, but have you tried
curl -X POST
instead? -
@girish Documentation specifies PUT but yeah, tried POST as well.
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Error</title> </head> <body> <pre>Cannot POST /api/v1/domains/sub.domain.tld</pre> </body> </html>
-
@prusaman said in Rotation of AWS IAM credentials:
curl -k -X PUT -H 'Content-Type: application/json' -H 'Authorization: Bearer APIKEYHERE' --data '{"domain":"sub.domain.tld","zone": "sub.domain.tld","provider":"route53","config": {"accessKeyId":"AKIA","secretAccessKey":"XXXXX"},"tlsConfig":{ "provider":"letsencrypt-prod","wildcard":true }}' https://my.sub.domain.tld/api/v1/domains/sub.domain.tld
I got the path wrong. Send POST request to
https://my.sub.domain.tld/api/v1/domains/sub.domain.tld/config
. I double checked that it works. -
girish
-
girish
-
Getting:
{ "status": "Bad Request", "message": "Failed to parse body" }
Same command as above, changed from PUT to POST and sending request to
https://my.sub.domain.tld/api/v1/domains/sub.domain.tld/config
Any ideas?
-
Ignore me. This was an issue with PowerShell apparently. If run from linux it works fine.
Thanks again