diff --git a/docs/api-types/issuer/spec.md b/docs/api-types/issuer/spec.md
index aca8c6fb7..bd49fcf2a 100644
--- a/docs/api-types/issuer/spec.md
+++ b/docs/api-types/issuer/spec.md
@@ -125,8 +125,13 @@ clouddns:
 ```yaml
 route53:
- accessKeyID: AKIAIOSFODNN7EXAMPLE
 region: eu-west-1
+
+ # optional -- if not specified, load credentials from from standard AWS
+ # environment variables or from EC2 instance metadata
+ accessKeyID: AKIAIOSFODNN7EXAMPLE
+
+ # also optional
 secretAccessKeySecretRef:
 name: prod-route53-credentials-secret
 key: secret-access-key
diff --git a/pkg/issuer/acme/dns/dns.go b/pkg/issuer/acme/dns/dns.go
index 10a1ab573..fdc36c2f5 100644
--- a/pkg/issuer/acme/dns/dns.go
+++ b/pkg/issuer/acme/dns/dns.go
@@ -156,14 +156,18 @@ func (s *Solver) solverFor(crt *v1alpha1.Certificate, domain string) (solver, er
 return nil, fmt.Errorf("error instantiating cloudflare challenge solver: %s", err.Error())
 }
 case providerConfig.Route53 != nil:
- secretAccessKeySecret, err := s.secretLister.Secrets(s.resourceNamespace).Get(providerConfig.Route53.SecretAccessKey.Name)
- if err != nil {
- return nil, fmt.Errorf("error getting route53 secret access key: %s", err.Error())
- }
+ secretAccessKey := ""
+ if providerConfig.Route53.SecretAccessKey.Name != "" {
+ secretAccessKeySecret, err := s.secretLister.Secrets(s.resourceNamespace).Get(providerConfig.Route53.SecretAccessKey.Name)
+ if err != nil {
+ return nil, fmt.Errorf("error getting route53 secret access key: %s", err.Error())
+ }
- secretAccessKeyBytes, ok := secretAccessKeySecret.Data[providerConfig.Route53.SecretAccessKey.Key]
- if !ok {
- return nil, fmt.Errorf("error getting route53 secret access key: key '%s' not found in secret", providerConfig.Route53.SecretAccessKey.Key)
+ secretAccessKeyBytes, ok := secretAccessKeySecret.Data[providerConfig.Route53.SecretAccessKey.Key]
+ if !ok {
+ return nil, fmt.Errorf("error getting route53 secret access key: key '%s' not found in secret", providerConfig.Route53.SecretAccessKey.Key)
+ }
+ secretAccessKey = string(secretAccessKeyBytes)
 }
 impl, err = s.dnsProviderConstructors.route53(
diff --git a/pkg/issuer/acme/dns/route53/route53.go b/pkg/issuer/acme/dns/route53/route53.go
index 1aecb2552..2fa3dd2c5 100644
--- a/pkg/issuer/acme/dns/route53/route53.go
+++ b/pkg/issuer/acme/dns/route53/route53.go
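Review bot: A half-configured issuer now silently falls back to the ambient AWS credential chain instead of failing: when `SecretAccessKey.Name` is empty, `secretAccessKey` stays `""` and is handed to the route53 constructor, which (per the companion route53.go change) then ignores the access key ID too and picks up environment variables or the EC2 instance role. An operator who set `accessKeyID` but mistyped or forgot the secret ref would run DNS-01 challenges under whatever IAM identity the node carries, which may be far broader than the intended key, with nothing in the error path to reveal the substitution. I would reject mixed configuration explicitly before the constructor call, presumably along the lines of `if (providerConfig.Route53.AccessKeyID == "") != (providerConfig.Route53.SecretAccessKey.Name == "") { return nil, fmt.Errorf("error instantiating route53 challenge solver: accessKeyID and secretAccessKeySecretRef must both be set or both be omitted") }`, with the access key ID field name confirmed against the type since it is not visible in this hunk. solverFor starts before the hunk and the route53 constructor call continues past its end.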
@@ -83,13 +83,19 @@ func NewDNSProvider() (*DNSProvider, error) {
 // NewDNSProviderAccessKey returns a DNSProvider instance configured for the AWS
 // Route 53 service using static credentials from its parameters
 func NewDNSProviderAccessKey(accessKeyID, secretAccessKey, hostedZoneID, region string) (*DNSProvider, error) {
-
- creds := credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "")
-
 r := customRetryer{}
 r.NumMaxRetries = maxRetries
- config := request.WithRetryer(aws.NewConfig(), r).WithCredentials(creds)
+ config := request.WithRetryer(aws.NewConfig(), r)
+
+ // If an accessKeyID and secretAccessKey were set, use them. Otherwise, fall
+ // back on the aws-sdk-go's default credential handling behavior which loads
+ // from environment variables, shared credential file or EC2 instance role:
+ // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials.
+ if accessKeyID != "" && secretAccessKey != "" {
+ creds := credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "")
+ config.WithCredentials(creds)
+ }
 if region != "" {
 config.WithRegion(region)