    Solved Rotation of AWS IAM credentials

    • P
      prusaman last edited by girish

      Following the docs here, I have cloudron up and running with AWS route53 and all appears to be working fine. The problem comes every time I need to rotate my AWS IAM keys. Currently I am manually updating these credentials and saving them through the web UI.

      Based on https://docs.cloudron.io/api.html#tag/Domains/paths/~1domains~1{domain}/put it appears that I can do this through the API, do you by chance have an example of the Config parameter in use?

      I'm guessing the best approach to this would be to install the AWS CLI on the Cloudron server and call it via cron to execute the credential rotation and call the API to update the domain. Thoughts? I just want to make sure I am not missing an obvious configuration option you already have to handle such issues.

      • girish
        girish Staff @prusaman last edited by

        @prusaman the config is an object with accessKeyId and secretAccessKey.

        It might be easier to just create long(ish) keys which are scoped to just route53 only and that too only for the specific domain. See the IAM policy example here - https://docs.cloudron.io/domains/#route53-dns

        • P
          prusaman @girish last edited by

          @girish unfortunately long-lived keys won't work in my situation. Additionally, it is recommended by AWS to rotate them on a 90 day basis at a minimum.

          Any specific example so I can see how this object is to be constructed?

          thanks

          • P
            prusaman last edited by

            My assumption is something along the lines of

            {
            "provider": "route53",
            "config": {"accessKeyId":"AKIAXXXXXXX", "secretAccessKey":"XXXXXXXXXXXXXX"},
            "wildcard": true,
            "zoneName": "my.zone.name"
            }
            
            • girish
              girish Staff @prusaman last edited by girish

              @prusaman something like this:

              {
                  "domain":"domain.com",
                  "zone": "domain.com",
                  "provider":"route53",
                  "config": {
                      "accessKeyId":"AKIAxx",
                      "secretAccessKey":"yy"
                  },
                  "tlsConfig":{ "provider":"letsencrypt-prod","wildcard":true }
              }
              
              • P
                prusaman @girish last edited by

                @girish awesome @girish - will give it a go. Thanks

                • P
                  prusaman @prusaman last edited by

                  @girish I'm getting the following:

                  curl -k -X PUT -H 'Content-Type: application/json' -H 'Authorization: Bearer APIKEYHERE' --data '{"domain":"sub.domain.tld","zone": "sub.domain.tld","provider":"route53","config": {"accessKeyId":"AKIA","secretAccessKey":"XXXXX"},"tlsConfig":{ "provider":"letsencrypt-prod","wildcard":true }}' https://my.sub.domain.tld/api/v1/domains/sub.domain.tld

                  <!DOCTYPE html>
                  <html lang="en">
                  <head>
                  <meta charset="utf-8">
                  <title>Error</title>
                  </head>
                  <body>
                  <pre>Cannot PUT /api/v1/domains/sub.domain.tld</pre>
                  </body>
                  </html>
                  

                  But I get the following with:

                  curl -k -X GET -H 'Content-Type: application/json' -H 'Authorization: Bearer APIKEYHERE' https://my.sub.domain.tld/api/v1/domains

                  {
                    "domains": [
                      {
                        "domain": "sub.domain.tld",
                        "zoneName": "sub.domain.tld",
                        "provider": "route53",
                        "config": {}
                      }
                    ]
                  }
                  

                  Any ideas? I'm sure I'm just not constructing the call correctly.
                  • girish
                    girish Staff @prusaman last edited by

                    @prusaman Looks correct to me, but have you tried curl -X POST instead?

                    • P
                      prusaman @girish last edited by

                      @girish Documentation specifies PUT but yeah, tried POST as well.

                      <!DOCTYPE html>
                      <html lang="en">
                      <head>
                      <meta charset="utf-8">
                      <title>Error</title>
                      </head>
                      <body>
                      <pre>Cannot POST /api/v1/domains/sub.domain.tld</pre>
                      </body>
                      </html>
                      
                      • girish
                        girish Staff @prusaman last edited by

                        @prusaman said in Rotation of AWS IAM credentials:

                        curl -k -X PUT -H 'Content-Type: application/json' -H 'Authorization: Bearer APIKEYHERE' --data '{"domain":"sub.domain.tld","zone": "sub.domain.tld","provider":"route53","config": {"accessKeyId":"AKIA","secretAccessKey":"XXXXX"},"tlsConfig":{ "provider":"letsencrypt-prod","wildcard":true }}' https://my.sub.domain.tld/api/v1/domains/sub.domain.tld

                        I got the path wrong. Send POST request to https://my.sub.domain.tld/api/v1/domains/sub.domain.tld/config. I double checked that it works.

                        • P
                          prusaman last edited by

                          Getting:

                          {
                            "status": "Bad Request",
                            "message": "Failed to parse body"
                          }
                          

                          Same command as above, changed from PUT to POST and sending request to https://my.sub.domain.tld/api/v1/domains/sub.domain.tld/config

                          Any ideas?

                          • P
                            prusaman last edited by

                            Ignore me. This was an issue with PowerShell apparently. If run from Linux it works fine.

                            Thanks again

                            1 Reply Last reply Reply Quote 1
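
The call that worked at the end of the thread (POST to `/api/v1/domains/<domain>/config` with the body girish posted), written as a script a cron-driven rotation job could run. This is an added example, not code from Cloudron or from either poster; the key file, its JSON layout, the `CLOUDRON_TOKEN` variable and the function names are assumptions. The body is serialized with `json.dumps`, so no shell quoting is involved, and the certificate is verified (no equivalent of `curl -k`).

```python
import json
import os
import urllib.parse
import urllib.request


def load_key_file(path):
    """Load the rotated key from a JSON file only its owner can access."""
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        raise PermissionError(f"{path} is open to group/other: {oct(mode)}")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    for field in ("accessKeyId", "secretAccessKey"):
        value = key.get(field)
        if not isinstance(value, str) or not value or value != value.strip():
            raise ValueError(f"{field} is missing, empty or has stray whitespace")
    return {"accessKeyId": key["accessKeyId"],
            "secretAccessKey": key["secretAccessKey"]}


def build_config_request(dashboard, domain, token, key):
    """Build the POST to /api/v1/domains/<domain>/config from the thread."""
    body = {
        "domain": domain,
        "zone": domain,
        "provider": "route53",
        "config": key,
        "tlsConfig": {"provider": "letsencrypt-prod", "wildcard": True},
    }
    url = "https://%s/api/v1/domains/%s/config" % (
        dashboard, urllib.parse.quote(domain, safe=""))
    headers = {"Content-Type": "application/json",
               "Authorization": "Bearer " + token}
    return urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST", headers=headers)


def push_rotated_key(dashboard, domain, token, key_path):
    """Send the key. urlopen verifies TLS and raises HTTPError on 4xx/5xx."""
    req = build_config_request(dashboard, domain, token, load_key_file(key_path))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Hypothetical token variable and key path; hosts are the thread's placeholders.
    print(push_rotated_key("my.sub.domain.tld", "sub.domain.tld",
                           os.environ["CLOUDRON_TOKEN"], "/root/route53-key.json"))
```

Deactivate the old IAM key only after this call has returned a 2xx status, so a failed update never leaves Cloudron holding a key that no longer works.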