changes from PR feedback: refactored to build config file rather than mount one in

Author: wwwehr

custom-domain/dstack-ingress/DNS_PROVIDERS.md

@@ -78,7 +78,10 @@ NAMECHEAP_CLIENT_IP=your-client-ip
 
 ```bash
 DNS_PROVIDER=route53
-AWS_PROFILE=your-injected-aws-profile
+AWS_ACCESS_KEY_ID=service-account-key-that-can-assume-role
+AWS_SECRET_ACCESS_KEY=service-account-secret-that-can-assume-role
+AWS_ROLE_ARN=role-that-can-mod-route53
+AWS_REGION=your-closest-region
 ```
 
 **Required Permissions:**
@@ -103,7 +106,7 @@ PolicyDocument:
 **Important Notes for Route53:**
 - The certbot plugin uses the format `certbot-dns-route53` package
 - CAA will merge AWS & Let's Encrypt CA domains to existing records if they exist
-- It is recommended that the AWS service account can only assume the limited role. See cloudformation example.
+- It is essential that the AWS service account used can only assume the limited role. See cloudformation example.
 
 ## Docker Compose Examples
 
@@ -171,37 +174,20 @@ services:
     - cert-data:/etc/letsencrypt
     ports:
     - 443:443
-    configs:
-      - source: aws_config
-        target: /root/.aws/config
-        mode: 0600
-      - source: aws_credentials
-        target: /root/.aws/credentials
-        mode: 0600
     environment:
       DNS_PROVIDER: route53
       DOMAIN: app.example.com
       GATEWAY_DOMAIN: _.${DSTACK_GATEWAY_DOMAIN}
 
+      AWS_REGION: ${AWS_REGION}
+      AWS_ROLE_ARN: ${AWS_ROLE_ARN}
+      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
+      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
+
       CERTBOT_EMAIL: ${CERTBOT_EMAIL}
       TARGET_ENDPOINT: http://backend:8080
-
-      AWS_PROFILE: certbot
       SET_CAA: 'true'
 
-configs:
-  aws_config:
-    content: |
-      [profile certbot]
-      role_arn=${ROUTE53_AWS_ROLE_ARN}
-      source_profile=certbot-source
-      region=${AWS_REGION}
-
-  aws_credentials:
-    content: |
-      [certbot-source]
-      aws_access_key_id=${ROUTE53_AWS_ACCESS_KEY_ID}
-      aws_secret_access_key=${ROUTE53_AWS_SECRET_ACCESS_KEY}
 ```
 
 ## Migration from Cloudflare-only Setup

custom-domain/dstack-ingress/scripts/certman.py

@@ -291,7 +291,7 @@ def _build_certbot_command(self, action: str, domain: str, email: str) -> List[s
         if os.environ.get("CERTBOT_STAGING", "false") == "true":
             base_cmd.extend(["--staging"])
 
-        if getattr(self.provider, 'CERTBOT_PROPAGATION_SECONDS') and self.provider.CERTBOT_PROPAGATION_SECONDS is not None:
+        if getattr(self.provider, 'CERTBOT_PROPAGATION_SECONDS'):
             propagation_seconds = self.provider.CERTBOT_PROPAGATION_SECONDS
             propagation_param = f"--dns-{self.provider_type}-propagation-seconds={propagation_seconds}"
             base_cmd.extend([propagation_param])

custom-domain/dstack-ingress/scripts/dns_providers/route53.py

@@ -25,6 +25,7 @@ class Route53DNSProvider(DNSProvider):
     CERTBOT_PACKAGE = "certbot-dns-route53==5.1.0"
     CERTBOT_PROPAGATION_SECONDS = None
     AWS_CREDENTIALS_FILE = "~/.aws/credentials"
+    AWS_CONFIG_FILE = "~/.aws/config"
 
     def __init__(self):
         super().__init__()
@@ -40,10 +41,6 @@ def __init__(self):
                 "Install with: pip install boto3"
             )
 
-        # Initialize Route53 client
-        # boto3 automatically uses environment variables:
-        # AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN (optional)
-        # It also supports IAM roles when running on AWS infrastructure
         try:
             self.client = self.boto3.client("route53")
         except Exception as e:
@@ -55,12 +52,14 @@ def __init__(self):
     def setup_certbot_credentials(self) -> bool:
         """Setup AWS credentials file for certbot.
 
-        certbot-dns-route53 uses standard AWS credentials from:
-        1. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
-        2. ~/.aws/credentials file
-        3. IAM roles (when running on AWS)
+        This container will be provided with aws credentials purely for the purpose
+        of assuming a role. Doing so will enable the boto platform to provision
+        temporary access key and secret keys on demand!
 
-        If credentials are in environment variables, we'll create the credentials file.
+        Using this strategy we can impose least permissive and fast expiring access
+        to our domain.
+
+        Credentials are in environment variables, we'll create the credentials file.
         """
         aws_access_key = os.getenv("AWS_ACCESS_KEY_ID")
         aws_secret_key = os.getenv("AWS_SECRET_ACCESS_KEY")
@@ -71,31 +70,45 @@ def setup_certbot_credentials(self) -> bool:
             return True
 
         credentials_file = os.path.expanduser(self.AWS_CREDENTIALS_FILE)
+        config_file = os.path.expanduser(self.AWS_CONFIG_FILE)
+
+        aws_role_arn = os.getenv('AWS_ROLE_ARN')
+        aws_region = os.getenv('AWS_REGION', 'us-east-1')
+
         credentials_dir = os.path.dirname(credentials_file)
 
         try:
             # Create credentials directory
             os.makedirs(credentials_dir, exist_ok=True)
 
-            # Check if credentials file already exists
             if os.path.exists(credentials_file):
                 print(f"AWS credentials file already exists: {credentials_file}")
-                return True
 
-            # Write credentials file in AWS INI format
-            with open(credentials_file, "w") as f:
-                f.write("[default]\n")
-                f.write(f"aws_access_key_id = {aws_access_key}\n")
-                f.write(f"aws_secret_access_key = {aws_secret_key}\n")
+            else:
+                # Write credentials file in AWS INI format
+                with open(credentials_file, "w") as f:
+                    f.write("[certbot-source]\n")
+                    f.write(f"aws_access_key_id = {aws_access_key}\n")
+                    f.write(f"aws_secret_access_key = {aws_secret_key}\n")
+
+                # Set secure permissions
+                os.chmod(credentials_file, 0o600)
+                print(f"AWS credentials file created: {credentials_file}")
 
-                # Add session token if available
-                aws_session_token = os.getenv("AWS_SESSION_TOKEN")
-                if aws_session_token:
-                    f.write(f"aws_session_token = {aws_session_token}\n")
+            if os.path.exists(credentials_file):
+                print(f"AWS config file already exists: {config_file}")
 
-            # Set secure permissions
-            os.chmod(credentials_file, 0o600)
-            print(f"AWS credentials file created: {credentials_file}")
+            else:
+                # Write config file in AWS INI format
+                with open(config_file, "w") as f:
+                    f.write("[profile certbot]\n")
+                    f.write(f"role_arn={aws_role_arn}\n")
+                    f.write("source_profile=certbot-source\n")
+                    f.write(f"region={aws_region}\n")
+
+                # Set secure permissions
+                os.chmod(credentials_file, 0o600)
+                print(f"AWS config file created: {config_file}")
 
             # Pre-fetch hosted zone ID if we have a domain
             domain = os.getenv("DOMAIN")