Route53: document use of "region" field

Open stephen-dexda opened this issue 6 years ago • 5 comments

The Route53 docs and API reference list a region field for the route53 solver, with the latter saying "Always set the region when using AccessKeyID and SecretAccessKey".

It's not clear what the value of this should correspond to, since IAM users and access keys are not associated with a region?

stephen-dexda avatar Dec 10 '19 17:12 stephen-dexda

Looking at the source, it's actually not needed if you are using ambient credentials, e.g. a Service Account with an appropriate IAM Role; it will happily take and ignore an empty string in this case, which should use the ambient credentials' region anywhere that's needed.

However, the CRD rejects that, so I couldn't test that it actually works, or if AWS actually always requires an explicit region here for some reason.

TBBle avatar Apr 23 '20 10:04 TBBle

Looking at https://github.com/jetstack/cert-manager/pull/1917, it appears region's "requiredness" persisted from when the credentials were mandatory. That's probably what the comment meant?

TBBle avatar Apr 23 '20 10:04 TBBle

/priority important-longterm

irbekrm avatar Apr 15 '21 12:04 irbekrm

@stephen-dexda @TBBle Thanks for reporting and commenting on this. It's been a long time, but if either of you have time to improve the documentation, please create a PR and find me on #cert-manager-dev in Slack for code review.

wallrj avatar Feb 14 '23 09:02 wallrj

I'm not in a position to put up PRs, but I'll just highlight that although this bug was filed on the website repo, I think it's actually revealed a bug in the Issuer/ClusterIssuer CRDs themselves that the region field is required, which (if I understand my own earlier comment correctly) blocks the empty string value that the code is correctly set up to handle.

So right now, a documentation update would have to be "Region is required, and must be provided even if both accessKeyID and accessKeyIDSecretRef are not provided."

Per https://docs.aws.amazon.com/general/latest/gr/r53.html (to answer the original question) it apparently needs to be us-east-1 or in some cases cn-northwest-1. (It's been literally years and I'm no longer in that job so can't check, so perhaps it works no matter what region you specify, or perhaps I already used us-east-1 here but for unrelated reasons; I don't think I knew about this page before).

That AWS doc also suggests that leaving the region and endpoint empty in the request would be valid too, so perhaps that field should just be dropped entirely, unless there's a need for manually-specified region elsewhere in the Route53 DNS-01 implementation that I'm overlooking.

Edit: A quick poke in the cert-manager issue repo suggests people were using their own regions, and things were working, so I guess it's not required that the value be us-east-1. And https://github.com/cert-manager/cert-manager/issues/5455 suggests that the region does (or should) matter, so that the correct STS endpoint is used for the role-assuming when that issue is itself resolved.

TBBle avatar Feb 14 '23 11:02 TBBle
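To make the situation described in the comments above concrete, here is a ClusterIssuer manifest using the Route53 DNS-01 solver. This is an added example, not a manifest from the thread or from the cert-manager project; the zone name, account ID, role ARN, hosted zone ID, secret names and email address are placeholders. It shows the two credential modes the thread contrasts: static credentials referenced from a Secret, and ambient credentials (an IAM role bound to the pod's Service Account). In both cases `region` has to be populated because the CRD marks it required, even in the ambient case where the solver code would accept an empty value.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-route53   # placeholder name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com     # placeholder
    privateKeySecretRef:
      name: letsencrypt-route53-account-key   # placeholder
    solvers:
    # Solver 1: static IAM user credentials. The secret access key lives in a
    # Kubernetes Secret in the cert-manager namespace, never inline in the CRD.
    - selector:
        dnsZones:
        - static-creds.example.com              # placeholder zone
      dns01:
        route53:
          region: us-east-1                     # required by the CRD
          hostedZoneID: Z0PLACEHOLDER0          # placeholder; optional, avoids a zone lookup
          accessKeyID: AKIAPLACEHOLDER          # placeholder IAM access key ID
          secretAccessKeySecretRef:
            name: route53-credentials           # placeholder Secret name
            key: secret-access-key
    # Solver 2: ambient credentials (e.g. IRSA). No access key is given; the
    # solver assumes the named role using the pod's Service Account identity.
    # region is still mandatory because the CRD rejects an empty string.
    - selector:
        dnsZones:
        - ambient-creds.example.com             # placeholder zone
      dns01:
        route53:
          region: eu-west-1                     # required by the CRD; any region works per the thread
          hostedZoneID: Z0PLACEHOLDER1          # placeholder
          role: arn:aws:iam::111122223333:role/cert-manager-route53   # placeholder role ARN
```

Scoping the IAM policy on the referenced role or user to `route53:ChangeResourceRecordSets` on the specific hosted zone(s), plus `route53:GetChange` and `route53:ListHostedZonesByName`, limits what a compromised cert-manager identity could alter; the static-credential variant is the one to watch most closely since the key is long-lived.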

A beta release is now available which contains the fix for this issue. Please test and give feedback if you have time.

  • https://github.com/cert-manager/cert-manager/releases/tag/v1.16.0-beta.0

wallrj avatar Sep 26 '24 20:09 wallrj