Open mimmus opened 3 years ago
@mimmus did you manage to find a solution to this? Maybe a different client?
I'm facing the exact same problem and I do not know how to move forward with a solution.
I wrapped acme.sh in a shell script that does everything needed to assume a role in another account:
```sh
#!/bin/sh
##############################################################
# Bash wrapper to enable IAM Role authentication for acme.sh #
##############################################################
#
# Abort on the first failure, so acme.sh never runs with empty credentials
set -eu
# Needed for cron
PATH=$PATH:/usr/local/bin/
HOME=/root
export PATH HOME
# Account/Role to modify ACME zone for DNS01 verification
AWS_ROLE_ARN="arn:aws:iam::xxxxxxxxxxxxx:role/dns-manager"
AWS_ROLE_NAME="dns-manager"
#---------------------------------------------------------
# Plain assignment (not "export VAR=$(...)") keeps the exit status of aws, so set -e can catch a failed assume-role
AWS_STS_ASSUME_ROLE_OUTPUT="$(aws sts assume-role --role-arn "$AWS_ROLE_ARN" --role-session-name "$AWS_ROLE_NAME")"
# Quote the JSON so jq sees it unchanged; -r strips the quotes from the values
AWS_ACCESS_KEY_ID="$(printf '%s' "$AWS_STS_ASSUME_ROLE_OUTPUT" | jq -r '.Credentials.AccessKeyId')"
AWS_SECRET_ACCESS_KEY="$(printf '%s' "$AWS_STS_ASSUME_ROLE_OUTPUT" | jq -r '.Credentials.SecretAccessKey')"
AWS_SESSION_TOKEN="$(printf '%s' "$AWS_STS_ASSUME_ROLE_OUTPUT" | jq -r '.Credentials.SessionToken')"
# Only the three credential variables are exported; the raw STS response stays in this shell
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
# Pass all arguments through to acme.sh
exec /root/.acme.sh/acme.sh "$@"
##############################################################
```
Obviously, the EC2 instance where this script is running has a role with the needed permissions to assume the remote role, and the remote role trusts this instance.
I don't know if something changed recently or if there is a better solution, but this currently works.
Regards
Thanks, @mimmus, for sharing that.
It's not possible to give acme.sh permissions to modify a Route53 zone in another account for DNS verification on AWS. Usually, you do this by giving the EC2 instance role permission to do "STS:AssumeRole" in the other account.
If acme.sh honored ~/.aws/config and ~/.aws/credentials, it would be easy (i.e. using Python/boto3 it is almost transparent).
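The same flow as the shell wrapper above (assume the cross-account role, hand the temporary credentials to acme.sh via environment variables), as an added example that is not part of this thread or of the acme.sh project. It shows what the one-line jq extraction skips: validating that the STS response actually contains all three credential fields and that the session will still be valid for long enough to finish a DNS-01 challenge before acme.sh is launched. The role ARN, session name, acme.sh path and the sample STS response are constructed placeholders; the `aws` CLI invocation and the `Credentials` layout of `aws sts assume-role` output are the real ones.

```python
"""Assume a cross-account role and run acme.sh with the temporary credentials."""
import json
import os
import subprocess
import sys
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")

# Constructed sample of `aws sts assume-role` output (placeholder values, not real credentials)
SAMPLE_STS_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "example-secret-access-key",
        "SessionToken": "example-session-token",
        "Expiration": "2024-05-01T13:00:00Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:dns-manager",
        "Arn": "arn:aws:sts::111111111111:assumed-role/dns-manager/dns-manager",
    },
})


def env_from_assume_role_output(sts_json, now=None, min_validity=timedelta(minutes=10)):
    """Parse the STS JSON and return the three environment variables acme.sh reads.

    Raises ValueError when a field is missing or the credentials expire within
    min_validity, so the caller never launches acme.sh with unusable credentials.
    """
    doc = json.loads(sts_json)
    creds = doc.get("Credentials")
    if not isinstance(creds, dict):
        raise ValueError("STS response has no Credentials object")
    missing = [k for k in REQUIRED_FIELDS if not creds.get(k)]
    if missing:
        raise ValueError("STS response is missing fields: " + ", ".join(missing))
    # STS returns an ISO-8601 timestamp with a Z suffix; fromisoformat wants an explicit offset
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if expires - now < min_validity:
        raise ValueError("credentials expire at %s, too soon for a DNS-01 challenge" % expires.isoformat())
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def env_or_error(sts_json, now_iso):
    """Convenience wrapper: (env, None) on success, (None, message) on validation failure."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    try:
        return env_from_assume_role_output(sts_json, now=now), None
    except ValueError as exc:
        return None, str(exc)


def assume_role(role_arn, session_name, duration_seconds=3600):
    """Call the AWS CLI (uses the instance role) and validate what comes back."""
    result = subprocess.run(
        ["aws", "sts", "assume-role", "--role-arn", role_arn,
         "--role-session-name", session_name, "--duration-seconds", str(duration_seconds)],
        check=True, capture_output=True, text=True,
    )
    return env_from_assume_role_output(result.stdout)


def run_acme(acme_args, creds_env, acme_path="/root/.acme.sh/acme.sh"):
    """Run acme.sh with only the three credential variables added to its environment."""
    env = dict(os.environ)
    env.update(creds_env)
    return subprocess.run([acme_path, *acme_args], env=env).returncode


if __name__ == "__main__":
    # Hypothetical role ARN and session name; replace with your own
    creds = assume_role("arn:aws:iam::xxxxxxxxxxxxx:role/dns-manager", "dns-manager")
    sys.exit(run_acme(sys.argv[1:], creds))
```

Because the raw STS response never reaches acme.sh and the script fails closed on a short-lived or malformed response, a cron run that loses its instance role (or hits a role whose trust policy was tightened) produces a clear error instead of a half-finished DNS-01 challenge.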