diff options
| author |  Yong Tang <yong.tang.github@outlook.com>
| 2022-03-11 11:32:44 -0800 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2022-03-11 11:32:44 -0800 |
| commit | 6bb2db758fd83187bf44582ae15ea923a1e02df4 (patch) | |
| tree | 6308048274562a0d7708656ff04cc9e3d6f2860b | |
| parent | 4b597f8308d8d7cecb538e9831d77117da68c04e (diff) | |
| download | coredns-6bb2db758fd83187bf44582ae15ea923a1e02df4.tar.gz coredns-6bb2db758fd83187bf44582ae15ea923a1e02df4.tar.zst coredns-6bb2db758fd83187bf44582ae15ea923a1e02df4.zip | |
[plugin/route53] Deprecate plaintext secret in Corefile for route53 plugin (#5228)
This PR deprecates plaintext secret in Corefile for route53 plugin (`aws_access_key`).
Since using environmental variables of `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
have already been available, no other changes other than deprecation is needed.
This will avoid saving plaintext secret in Corefile which could be
of security concern.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
| -rw-r--r-- | plugin/route53/README.md | 15 | ||||
| -rw-r--r-- | plugin/route53/setup.go | 1 |
2 files changed, 14 insertions, 2 deletions
diff --git a/plugin/route53/README.md b/plugin/route53/README.md index 9dd6f49a1..d9efa8cc2 100644 --- a/plugin/route53/README.md +++ b/plugin/route53/README.md @@ -15,7 +15,7 @@ The route53 plugin can be used when coredns is deployed on AWS or elsewhere. ~~~ txt route53 [ZONE:HOSTED_ZONE_ID...] { - aws_access_key [AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY] + aws_access_key [AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY] # Deprecated, uses other authentication methods instead. aws_endpoint ENDPOINT credentials PROFILE [FILENAME] fallthrough [ZONES...] @@ -34,6 +34,9 @@ route53 [ZONE:HOSTED_ZONE_ID...] { to be used when query AWS (optional). If they are not provided, then coredns tries to access AWS credentials the same way as AWS CLI, e.g., environmental variables, AWS credentials file, instance profile credentials, etc. + Note the usage of `aws_access_key` has been deprecated and may be removed in future versions. Instead, + user can use other methods to pass crentials, e.g., with environmental variable `AWS_ACCESS_KEY_ID` and + `AWS_SECRET_ACCESS_KEY`, respectively. * `aws_endpoint` can be used to control the endpoint to use when querying AWS (optional). **ENDPOINT** is the URL of the endpoint to use. If this is not provided the default AWS endpoint resolution will occur. @@ -74,7 +77,7 @@ Enable route53 with explicit AWS credentials: ~~~ txt example.org { route53 example.org.:Z1Z2Z3Z4DZ5Z6Z7 { - aws_access_key AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + aws_access_key AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY # Deprecated, uses other authentication methods instead. } } ~~~ @@ -115,3 +118,11 @@ example.org { } } ~~~ + +## Authentication + +Route53 plugin uses [AWS Go SDK](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html) +for authentication, where there is a list of accepted configuration methods. +Note the usage of `aws_access_key` in Corefile has been deprecated and may be removed in future versions. Instead, +user can use other methods to pass crentials, e.g., with environmental variable `AWS_ACCESS_KEY_ID` and +`AWS_SECRET_ACCESS_KEY`, respectively. diff --git a/plugin/route53/setup.go b/plugin/route53/setup.go index ec775680c..31176039a 100644 --- a/plugin/route53/setup.go +++ b/plugin/route53/setup.go @@ -80,6 +80,7 @@ func setup(c *caddy.Controller) error { SecretAccessKey: v[1], }, }) + log.Warningf("Save aws_access_key in Corefile has been deprecated, please use other authentication methods instead") case "aws_endpoint": if c.NextArg() { endpoint = c.Val() |