From faac0701ab8349f5a75b7be355850f2f519f0504 Mon Sep 17 00:00:00 2001
From: Euan Kemp
Date: Sat, 24 Mar 2018 14:05:08 -0700
Subject: [PATCH] issuer/route53: respect 'ambient' flag for region
This notably results in the region being a required field if the 'ambient' option is not set for a given issuer.
---
 pkg/issuer/acme/dns/route53/route53.go | 13 +++++++++++--
 pkg/issuer/acme/dns/route53/route53_test.go | 11 +++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/pkg/issuer/acme/dns/route53/route53.go b/pkg/issuer/acme/dns/route53/route53.go
index 4b0be8152..5ac972017 100644
--- a/pkg/issuer/acme/dns/route53/route53.go
+++ b/pkg/issuer/acme/dns/route53/route53.go
@@ -70,6 +70,7 @@ func NewDNSProvider(accessKeyID, secretAccessKey, hostedZoneID, region string, a
 r := customRetryer{}
 r.NumMaxRetries = maxRetries
 config := request.WithRetryer(aws.NewConfig(), r)
+ sessionOpts := session.Options{}
 if useAmbientCredentials {
 glog.V(5).Infof("using ambient credentials")
@@ -79,12 +80,20 @@ func NewDNSProvider(accessKeyID, secretAccessKey, hostedZoneID, region string, a
 } else {
 glog.V(5).Infof("not using ambient credentials")
 config.WithCredentials(credentials.NewStaticCredentials(accessKeyID, secretAccessKey, ""))
+ // also disable 'ambient' region sources
+ sessionOpts.SharedConfigState = session.SharedConfigDisable
 }
- if region != "" {
+ // If ambient credentials aren't permitted, always set the region, even if to
+ // empty string, to avoid it falling back on the environment.
+ if region != "" || !useAmbientCredentials {
 config.WithRegion(region)
 }
- client := route53.New(session.New(config))
+ sess, err := session.NewSessionWithOptions(sessionOpts)
+ if err != nil {
+ return nil, fmt.Errorf("unable to create aws session: %s", err)
+ }
+ client := route53.New(sess, config)
 return &DNSProvider{
 client: client,
diff --git a/pkg/issuer/acme/dns/route53/route53_test.go b/pkg/issuer/acme/dns/route53/route53_test.go
index fec83a7db..9e1e116a9 100644
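Review bot: The commit message says the region becomes a required field when 'ambient' is not set, but the new `if region != "" || !useAmbientCredentials` branch only pins `Region` to the empty string and NewDNSProvider still returns a usable provider; nothing visible in this hunk rejects the empty value, so an unset region surfaces (if at all) only when a request is made, or is presumably caught by issuer validation elsewhere. Either reject it here with `if region == "" && !useAmbientCredentials { return nil, fmt.Errorf("region must be set when ambient credentials are disabled") }` (which the new TestNoRegionFromEnv would then need to expect), or document the contract above the `if` with `// an empty region is deliberately left for the caller/issuer validation to reject`. It is also worth saying in that comment that `SharedConfigDisable` only blocks the shared config file, and that the process environment (AWS_REGION) is still read into the session but is overridden because the explicit `WithRegion(region)` is merged into the client config after the session's, which is what TestNoRegionFromEnv relies on. As a nit, Go convention for formatting an error value is `%v`, i.e. `return nil, fmt.Errorf("unable to create aws session: %v", err)`. NewDNSProvider begins and ends outside the hunk.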
--- a/pkg/issuer/acme/dns/route53/route53_test.go
+++ b/pkg/issuer/acme/dns/route53/route53_test.go
@@ -54,6 +54,7 @@ func TestAmbientCredentialsFromEnv(t *testing.T) {
 _, err = provider.client.Config.Credentials.Get()
 assert.NoError(t, err, "Expected credentials to be set from environment")
+ assert.Equal(t, provider.client.Config.Region, aws.String("us-east-1"))
 }
 func TestNoCredentialsFromEnv(t *testing.T) {
@@ -76,6 +77,16 @@ func TestAmbientRegionFromEnv(t *testing.T) {
 assert.Equal(t, "us-east-1", *provider.client.Config.Region, "Expected Region to be set from environment")
 }
+func TestNoRegionFromEnv(t *testing.T) {
+ os.Setenv("AWS_REGION", "us-east-1")
+ defer restoreRoute53Env()
+
+ provider, err := NewDNSProvider("marx", "swordfish", "", "", false)
+ assert.NoError(t, err, "Expected no error constructing DNSProvider")
+
+ assert.Equal(t, "", *provider.client.Config.Region, "Expected Region to not be set from environment")
+}
+
 func TestRoute53Present(t *testing.T) {
 mockResponses := MockResponseMap{
 "/2013-04-01/hostedzonesbyname": MockResponse{StatusCode: 200, Body: ListHostedZonesByNameResponse},
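Review bot: The added `assert.Equal(t, provider.client.Config.Region, aws.String("us-east-1"))` in TestAmbientCredentialsFromEnv passes actual before expected, the reverse of testify's `(t, expected, actual)` order and of the sibling assertion in TestAmbientRegionFromEnv, so a failure message would read backwards; it also compares `*string` pointers rather than the value and carries no message. Write it as `assert.Equal(t, "us-east-1", *provider.client.Config.Region, "Expected Region to be set from environment")` to match the existing style. Whether this test sets AWS_REGION in its setup is outside the hunk, so it is worth confirming the assertion is actually exercising the ambient-region path rather than a default. TestAmbientCredentialsFromEnv begins outside the hunk.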
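Review bot: TestNoRegionFromEnv only proves that AWS_REGION is ignored when ambient is false, which the explicit `WithRegion("")` alone already guarantees; the `SharedConfigDisable` half of the change (blocking a region from ~/.aws/config) has no test, so a regression there would go unnoticed. A sibling test that enables shared config via the environment and points AWS_CONFIG_FILE at a temporary file with a `[default]` region, then asserts Region is still empty, would cover it; this assumes `restoreRoute53Env` does not already restore those variables, so the sketch below unsets them itself and needs `io/ioutil` imported. The `os.Setenv` return values are ignored here as elsewhere in the file, which is acceptable in tests.
```go
func TestNoRegionFromSharedConfig(t *testing.T) {
	cfg, err := ioutil.TempFile("", "awsconfig")
	assert.NoError(t, err)
	defer os.Remove(cfg.Name())
	_, err = cfg.WriteString("[default]\nregion = us-east-1\n")
	assert.NoError(t, err)
	cfg.Close()

	os.Setenv("AWS_SDK_LOAD_CONFIG", "1")
	os.Setenv("AWS_CONFIG_FILE", cfg.Name())
	defer os.Unsetenv("AWS_SDK_LOAD_CONFIG")
	defer os.Unsetenv("AWS_CONFIG_FILE")

	provider, err := NewDNSProvider("marx", "swordfish", "", "", false)
	assert.NoError(t, err, "Expected no error constructing DNSProvider")
	assert.Equal(t, "", *provider.client.Config.Region, "Expected Region to not be set from shared config")
}
```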