Rotation of AWS IAM credentials

girish

@prusaman the config is an object with accessKeyId and secretAccessKey.

It might be easier to just create long(ish) keys which are scoped to just route53 only and that too only for the specific domain. See the IAM policy example here - https://docs.cloudron.io/domains/#route53-dns

prusaman

@girish unfortunately long lived keys wont work in my situation. Additionally, it is recommended by AWS to rotate them on a 90 day basis at a minimum.

Any specific example so I can see how this object is to be constructed?

thanks

prusaman

My assumption is something along the lines of

{
"provider": "route53",
"config": {"accessKeyId":"AKIAXXXXXXX", "secretAccessKey":"XXXXXXXXXXXXXX"},
"wildcard": true,
"zoneName": "my.zone.name",
}

girish

@prusaman something like this:

{
    "domain":"domain.com",
    "zone": "domain.com",
    "provider":"route53",
    "config": {
        "accessKeyId":"AKIAxx",
        "secretAccessKey":"yy"
    },
    "tlsConfig":{ "provider":"letsencrypt-prod","wildcard":true }
}

prusaman

@girish awesome @girish - will give it a go. Thanks

prusaman

@girish Im getting the following:

curl -k -X PUT -H 'Content-Type: application/json' -H 'Authorization: Bearer APIKEYHERE' --data '{"domain":"sub.domain.tld","zone": "sub.domain.tld","provider":"route53","config": {"accessKeyId":"AKIA","secretAccessKey":"XXXXX"},"tlsConfig":{ "provider":"letsencrypt-prod","wildcard":true }}' https://my.sub.domain.tld/api/v1/domains/sub.domain.tld

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot PUT /api/v1/domains/sub.domain.tld</pre>
</body>
</html>

But I get the following with:

curl -k -X GET -H 'Content-Type: application/json' -H 'Authorization: Bearer APIKEYHERE' https://my.sub.domain.tld/api/v1/domains

{
  "domains": [
    {
      "domain": "sub.domain.tld",
      "zoneName": "sub.domain.tld",
      "provider": "route53",
      "config": {}
    }
  ]
}

Any ideas? Im sure Im just not constructing the call correctly.

girish

@prusaman Looks correct to me, but have you tried curl -X POST instead?

prusaman

@girish Documentation specifies PUT but yeah, tried POST as well.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot POST /api/v1/domains/sub.domain.tld</pre>
</body>
</html>

girish

@prusaman said in Rotation of AWS IAM credentials:

curl -k -X PUT -H 'Content-Type: application/json' -H 'Authorization: Bearer APIKEYHERE' --data '{"domain":"sub.domain.tld","zone": "sub.domain.tld","provider":"route53","config": {"accessKeyId":"AKIA","secretAccessKey":"XXXXX"},"tlsConfig":{ "provider":"letsencrypt-prod","wildcard":true }}' https://my.sub.domain.tld/api/v1/domains/sub.domain.tld

I got the path wrong. Send POST request to https://my.sub.domain.tld/api/v1/domains/sub.domain.tld/config. I double checked that it works.

prusaman

Getting:

{
  "status": "Bad Request",
  "message": "Failed to parse body"
}

Same command as above, changed from PUT to POST and sending request to https://my.sub.domain.tld/api/v1/domains/sub.domain.tld/config

Any ideas?

prusaman

Ignore me. This was an issue with PowerShell apparently. If run from linux it works fine.

Thanks again