4 #AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje"
6 #AWS_SECRET_ACCESS_KEY="xxxxxxx"
8 #This is the Amazon Route53 api wrapper for acme.sh
10 AWS_HOST
="route53.amazonaws.com"
11 AWS_URL
="https://$AWS_HOST"
13 AWS_WIKI
="https://github.com/Neilpang/acme.sh/wiki/How-to-use-Amazon-Route53-API"
15 ######## Public functions #####################
17 #Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
22 AWS_ACCESS_KEY_ID
="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
23 AWS_SECRET_ACCESS_KEY
="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
25 if [ -z "$AWS_ACCESS_KEY_ID" ] ||
[ -z "$AWS_SECRET_ACCESS_KEY" ]; then
26 _use_container_role || _use_instance_role
29 if [ -z "$AWS_ACCESS_KEY_ID" ] ||
[ -z "$AWS_SECRET_ACCESS_KEY" ]; then
31 AWS_SECRET_ACCESS_KEY
=""
32 _err
"You haven't specifed the aws route53 api key id and and api key secret yet."
33 _err
"Please create your key and try again. see $(__green $AWS_WIKI)"
37 #save for future use, unless using a role which will be fetched as needed
38 if [ -z "$_using_role" ]; then
39 _saveaccountconf_mutable AWS_ACCESS_KEY_ID
"$AWS_ACCESS_KEY_ID"
40 _saveaccountconf_mutable AWS_SECRET_ACCESS_KEY
"$AWS_SECRET_ACCESS_KEY"
43 _debug
"First detect the root zone"
44 if ! _get_root
"$fulldomain"; then
48 _debug _domain_id
"$_domain_id"
49 _debug _sub_domain
"$_sub_domain"
50 _debug _domain
"$_domain"
52 _info
"Getting existing records for $fulldomain"
53 if ! aws_rest GET
"2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then
57 if _contains
"$response" "<Name>$fulldomain.</Name>"; then
58 _resource_record
="$(echo "$response" | sed 's/<ResourceRecordSet>/"/g
' | tr '"' "\n" | grep "<Name
>$fulldomain.
</Name
>" | _egrep_o "<ResourceRecords.
*</ResourceRecords
>" | sed "s
/<ResourceRecords
>//" | sed "s
#</ResourceRecords>##")"
59 _debug
"_resource_record" "$_resource_record"
61 _debug
"single new add"
64 if [ "$_resource_record" ] && _contains
"$response" "$txtvalue"; then
65 _info
"The TXT record already exists. Skipping."
69 _debug
"Adding records"
71 _aws_tmpl_xml
="<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>UPSERT</Action><ResourceRecordSet><Name>$fulldomain</Name><Type>TXT</Type><TTL>300</TTL><ResourceRecords>$_resource_record<ResourceRecord><Value>\"$txtvalue\"</Value></ResourceRecord></ResourceRecords></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>"
73 if aws_rest POST
"2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains
"$response" "ChangeResourceRecordSetsResponse"; then
74 _info
"TXT record updated successfully."
86 AWS_ACCESS_KEY_ID
="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
87 AWS_SECRET_ACCESS_KEY
="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
89 if [ -z "$AWS_ACCESS_KEY_ID" ] ||
[ -z "$AWS_SECRET_ACCESS_KEY" ]; then
90 _use_container_role || _use_instance_role
93 _debug
"First detect the root zone"
94 if ! _get_root
"$fulldomain"; then
98 _debug _domain_id
"$_domain_id"
99 _debug _sub_domain
"$_sub_domain"
100 _debug _domain
"$_domain"
102 _info
"Getting existing records for $fulldomain"
103 if ! aws_rest GET
"2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then
107 if _contains
"$response" "<Name>$fulldomain.</Name>"; then
108 _resource_record
="$(echo "$response" | sed 's/<ResourceRecordSet>/"/g
' | tr '"' "\n" | grep "<Name
>$fulldomain.
</Name
>" | _egrep_o "<ResourceRecords.
*</ResourceRecords
>" | sed "s
/<ResourceRecords
>//" | sed "s
#</ResourceRecords>##")"
109 _debug
"_resource_record" "$_resource_record"
111 _debug
"no records exist, skip"
115 _aws_tmpl_xml
="<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>DELETE</Action><ResourceRecordSet><ResourceRecords>$_resource_record</ResourceRecords><Name>$fulldomain.</Name><Type>TXT</Type><TTL>300</TTL></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>"
117 if aws_rest POST
"2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains
"$response" "ChangeResourceRecordSetsResponse"; then
118 _info
"TXT record deleted successfully."
126 #################### Private functions below ##################################
133 if aws_rest GET
"2013-04-01/hostedzone"; then
135 h
=$
(printf "%s" "$domain" | cut
-d .
-f $i-100)
136 _debug2
"Checking domain: $h"
138 if _contains
"$response" "<IsTruncated>true</IsTruncated>" && _contains
"$response" "<NextMarker>"; then
140 _nextMarker
="$(echo "$response" | _egrep_o "<NextMarker
>.
*</NextMarker
>" | cut -d '>' -f 2 | cut -d '<' -f 1)"
141 _debug
"NextMarker" "$_nextMarker"
142 if aws_rest GET
"2013-04-01/hostedzone" "marker=$_nextMarker"; then
143 _debug
"Truncated request OK"
148 _err
"Truncated request error."
152 _err
"Invalid domain"
156 if _contains
"$response" "<Name>$h.</Name>"; then
157 hostedzone
="$(echo "$response" | sed 's/<HostedZone>/#&/g' | tr '#' '\n' | _egrep_o "<HostedZone
><Id
>[^
<]*<.Id
><Name
>$h.
<.Name
>.
*<PrivateZone
>false
<.PrivateZone
>.
*<.HostedZone
>")"
158 _debug hostedzone
"$hostedzone"
159 if [ "$hostedzone" ]; then
160 _domain_id
=$
(printf "%s\n" "$hostedzone" | _egrep_o
"<Id>.*<.Id>" |
head -n 1 | _egrep_o
">.*<" |
tr -d "<>")
161 if [ "$_domain_id" ]; then
162 _sub_domain
=$
(printf "%s" "$domain" | cut
-d .
-f 1-$p)
166 _err
"Can't find domain with id: $h"
177 _use_container_role
() {
178 # automatically set if running inside ECS
179 if [ -z "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then
180 _debug
"No ECS environment variable detected"
183 _use_metadata
"169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
186 _use_instance_role
() {
187 _url
="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
188 _debug
"_url" "$_url"
189 if ! _get
"$_url" true
1 | _head_n
1 |
grep -Fq 200; then
190 _debug
"Unable to fetch IAM role from instance metadata"
193 _aws_role
=$
(_get
"$_url" "" 1)
194 _debug
"_aws_role" "$_aws_role"
195 _use_metadata
"$_url$_aws_role"
203 | while read -r _line; do
204 _key="$
(echo "${_line%%:*}" |
tr -d '"')"
206 _debug3 "_key
" "$_key"
207 _secure_debug3 "_value
" "$_value"
209 AccessKeyId) echo "AWS_ACCESS_KEY_ID
=$_value" ;;
210 SecretAccessKey) echo "AWS_SECRET_ACCESS_KEY
=$_value" ;;
211 Token) echo "AWS_SESSION_TOKEN
=$_value" ;;
216 _secure_debug
"_aws_creds" "$_aws_creds"
218 if [ -z "$_aws_creds" ]; then
226 #method uri qstr data
239 _debug2 CanonicalURI
"$CanonicalURI"
241 CanonicalQueryString
="$qsr"
242 _debug2 CanonicalQueryString
"$CanonicalQueryString"
244 RequestDate
="$(date -u +"%Y
%m
%dT
%H
%M
%SZ
")"
245 _debug2 RequestDate
"$RequestDate"
247 #RequestDate="20161120T141056Z" ##############
249 export _H1
="x-amz-date: $RequestDate"
252 CanonicalHeaders
="host:$aws_host\nx-amz-date:$RequestDate\n"
253 SignedHeaders
="host;x-amz-date"
254 if [ -n "$AWS_SESSION_TOKEN" ]; then
255 export _H3
="x-amz-security-token: $AWS_SESSION_TOKEN"
256 CanonicalHeaders
="${CanonicalHeaders}x-amz-security-token:$AWS_SESSION_TOKEN\n"
257 SignedHeaders
="${SignedHeaders};x-amz-security-token"
259 _debug2 CanonicalHeaders
"$CanonicalHeaders"
260 _debug2 SignedHeaders
"$SignedHeaders"
262 RequestPayload
="$data"
263 _debug2 RequestPayload
"$RequestPayload"
267 CanonicalRequest
="$mtd\n$CanonicalURI\n$CanonicalQueryString\n$CanonicalHeaders\n$SignedHeaders\n$(printf "%s
" "$RequestPayload" | _digest "$Hash" hex)"
268 _debug2 CanonicalRequest
"$CanonicalRequest"
270 HashedCanonicalRequest
="$(printf "$CanonicalRequest%s
" | _digest "$Hash" hex)"
271 _debug2 HashedCanonicalRequest
"$HashedCanonicalRequest"
273 Algorithm
="AWS4-HMAC-SHA256"
274 _debug2 Algorithm
"$Algorithm"
276 RequestDateOnly
="$(echo "$RequestDate" | cut -c 1-8)"
277 _debug2 RequestDateOnly
"$RequestDateOnly"
282 CredentialScope
="$RequestDateOnly/$Region/$Service/aws4_request"
283 _debug2 CredentialScope
"$CredentialScope"
285 StringToSign
="$Algorithm\n$RequestDate\n$CredentialScope\n$HashedCanonicalRequest"
287 _debug2 StringToSign
"$StringToSign"
289 kSecret
="AWS4$AWS_SECRET_ACCESS_KEY"
291 #kSecret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" ############################
293 _secure_debug2 kSecret
"$kSecret"
295 kSecretH
="$(printf "%s
" "$kSecret" | _hex_dump | tr -d " ")"
296 _secure_debug2 kSecretH
"$kSecretH"
298 kDateH
="$(printf "$RequestDateOnly%s
" | _hmac "$Hash" "$kSecretH" hex)"
299 _debug2 kDateH
"$kDateH"
301 kRegionH
="$(printf "$Region%s
" | _hmac "$Hash" "$kDateH" hex)"
302 _debug2 kRegionH
"$kRegionH"
304 kServiceH
="$(printf "$Service%s
" | _hmac "$Hash" "$kRegionH" hex)"
305 _debug2 kServiceH
"$kServiceH"
307 kSigningH
="$(printf "%s
" "aws4_request
" | _hmac "$Hash" "$kServiceH" hex)"
308 _debug2 kSigningH
"$kSigningH"
310 signature
="$(printf "$StringToSign%s
" | _hmac "$Hash" "$kSigningH" hex)"
311 _debug2 signature
"$signature"
313 Authorization
="$Algorithm Credential=$AWS_ACCESS_KEY_ID/$CredentialScope, SignedHeaders=$SignedHeaders, Signature=$signature"
314 _debug2 Authorization
"$Authorization"
316 _H2
="Authorization: $Authorization"
321 url
="$AWS_URL/$ep?$qsr"
324 if [ "$mtd" = "GET" ]; then
325 response
="$(_get "$url")"
327 response
="$(_post "$data" "$url")"
331 _debug2 response
"$response"
332 if [ "$_ret" = "0" ]; then
333 if _contains
"$response" "<ErrorResponse"; then
334 _err
"Response error:$response"