Added support for a separate AWS account for Route53.

README.md

@@ -62,7 +62,8 @@ environment variable. This should be a JSON object with the following schema:
                 "port": "optional, defaults to 443 (integer)"
             },
             "hosts": ["list of hosts you want on the certificate (strings)"],
-            "key_type": "rsa or ecdsa, optional, defaults to rsa (string)"
+            "key_type": "rsa or ecdsa, optional, defaults to rsa (string)",
+            "route53_type": "route53"
         }
     ],
     "acme_account_key": "location of the account private key (string)",
@@ -76,6 +77,11 @@ To specify a local file you provide `"file:///path/to/key.pem"` (on Windows use
 `"s3://bucket-name/object-name"`. The key should be a PEM formatted RSA private
 key.
 
+The `route53_type` should either be empty (to use the default AWS credentials) or
+set to `"route53"`, which means that the credentials used for route53 only are 
+drawn from the environment variable `AWS_ROUTE53_CREDENTIALS_FILE` instead of 
+`AWS_SHARED_CREDENTIALS_FILE` (which is still used for the rest).  
+
 Then you can simply run it: `python letsencrypt-aws.py update-certificates`.
 
 If you add the `--persistent` flag it will run forever, rather than just once,

letsencrypt-aws.py

@@ -489,12 +489,11 @@ def update_certificates(persistent=False, force_issue=False):
     if persistent and force_issue:
         raise ValueError("Can't specify both --persistent and --force-issue")
 
+    # Set up basic session, in case credentials are stored in S3
     session = boto3.Session()
     s3_client = session.client("s3")
-    elb_client = session.client("elb")
-    route53_client = session.client("route53")
-    iam_client = session.client("iam")
 
+    # Collect various config stuff
     config = json.loads(os.environ["LETSENCRYPT_AWS_CONFIG"])
     domains = config["domains"]
     acme_directory_url = config.get(
@@ -505,6 +504,25 @@ def update_certificates(persistent=False, force_issue=False):
         s3_client, acme_directory_url, acme_account_key
     )
 
+    # Find appropriate credentials
+    creds_default = os.environ["AWS_SHARED_CREDENTIALS_FILE"]
+    try:
+        creds_route53 = os.environ["AWS_ROUTE53_CREDENTIALS_FILE"]
+    except KeyError:
+        creds_route53 = ''
+
+    # Set up other clients
+    elb_client = session.client("elb")
+    iam_client = session.client("iam")
+
+    # Set up route53 clients
+    route53_client_basic = session.client("route53")
+    if creds_route53:
+        os.environ["AWS_SHARED_CREDENTIALS_FILE"] = creds_route53
+        route53_session = boto3.Session()
+        route53_client_other = route53_session.client("route53")
+        os.environ["AWS_SHARED_CREDENTIALS_FILE"] = creds_default
+
     certificate_requests = []
     for domain in domains:
         if "elb" in domain:
@@ -517,6 +535,16 @@ def update_certificates(persistent=False, force_issue=False):
                 "Unknown certificate location: {!r}".format(domain)
             )
 
+        try:
+            if domain["Route53Type"] == 'route53':
+                if not route53_client_other:
+                    raise ValueError("Error: route53 creds requested, but not found")
+                route53_client = route53_client_other
+            else:
+                route53_client = route53_client_basic
+        except KeyError:
+            route53_client = route53_client_basic
+
         certificate_requests.append(CertificateRequest(
             cert_location,
             Route53ChallengeCompleter(route53_client),