Rotation of AWS IAM credentials

prusaman

Following the docs here, I have cloudron up and running with AWS route53 and all appears to be working fine. The problem comes every time I need to rotate my AWS IAM keys. Currently I am manually updating these credentials and saving them through the web UI.

Based on https://docs.cloudron.io/api.html#tag/Domains/paths/~1domains~1{domain}/put it appears that I can do this through the API, do you by change have an example of the Config parameter in use?

Im guessing the best approach to this would be to install the AWS cli on the cloudron server and call it via cron to execute the credential rotation and call the API to update the domain. Thoughts? I just want to make sure I am not missing an obvious configuration option you already have to handle such issues.

girish

@prusaman the config is an object with accessKeyId and secretAccessKey.

It might be easier to just create long(ish) keys which are scoped to just route53 only and that too only for the specific domain. See the IAM policy example here - https://docs.cloudron.io/domains/#route53-dns

prusaman

@girish unfortunately long lived keys wont work in my situation. Additionally, it is recommended by AWS to rotate them on a 90 day basis at a minimum.

Any specific example so I can see how this object is to be constructed?

thanks

prusaman

My assumption is something along the lines of

{
"provider": "route53",
"config": {"accessKeyId":"AKIAXXXXXXX", "secretAccessKey":"XXXXXXXXXXXXXX"},
"wildcard": true,
"zoneName": "my.zone.name",
}

girish

@prusaman something like this:

{
    "domain":"domain.com",
    "zone": "domain.com",
    "provider":"route53",
    "config": {
        "accessKeyId":"AKIAxx",
        "secretAccessKey":"yy"
    },
    "tlsConfig":{ "provider":"letsencrypt-prod","wildcard":true }
}

prusaman

@girish awesome @girish - will give it a go. Thanks

prusaman

@girish Im getting the following:

curl -k -X PUT -H 'Content-Type: application/json' -H 'Authorization: Bearer APIKEYHERE' --data '{"domain":"sub.domain.tld","zone": "sub.domain.tld","provider":"route53","config": {"accessKeyId":"AKIA","secretAccessKey":"XXXXX"},"tlsConfig":{ "provider":"letsencrypt-prod","wildcard":true }}' https://my.sub.domain.tld/api/v1/domains/sub.domain.tld

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot PUT /api/v1/domains/sub.domain.tld</pre>
</body>
</html>

But I get the following with:

curl -k -X GET -H 'Content-Type: application/json' -H 'Authorization: Bearer APIKEYHERE' https://my.sub.domain.tld/api/v1/domains

{
  "domains": [
    {
      "domain": "sub.domain.tld",
      "zoneName": "sub.domain.tld",
      "provider": "route53",
      "config": {}
    }
  ]
}

Any ideas? Im sure Im just not constructing the call correctly.

girish

@prusaman Looks correct to me, but have you tried curl -X POST instead?

prusaman

@girish Documentation specifies PUT but yeah, tried POST as well.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot POST /api/v1/domains/sub.domain.tld</pre>
</body>
</html>

girish

@prusaman said in Rotation of AWS IAM credentials:

curl -k -X PUT -H 'Content-Type: application/json' -H 'Authorization: Bearer APIKEYHERE' --data '{"domain":"sub.domain.tld","zone": "sub.domain.tld","provider":"route53","config": {"accessKeyId":"AKIA","secretAccessKey":"XXXXX"},"tlsConfig":{ "provider":"letsencrypt-prod","wildcard":true }}' https://my.sub.domain.tld/api/v1/domains/sub.domain.tld

I got the path wrong. Send POST request to https://my.sub.domain.tld/api/v1/domains/sub.domain.tld/config. I double checked that it works.

prusaman

Getting:

{
  "status": "Bad Request",
  "message": "Failed to parse body"
}

Same command as above, changed from PUT to POST and sending request to https://my.sub.domain.tld/api/v1/domains/sub.domain.tld/config

Any ideas?

prusaman

Ignore me. This was an issue with PowerShell apparently. If run from linux it works fine.

Thanks again