#!/bin/bash
# route53.sh
# Copyright (C) 2017 by Yuval Adam
# All rights reserved
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
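# Strict mode: abort on a failing command, on an unset variable and on a
# failing stage inside a pipeline.
set -euo pipefail
# Word-split only on newline and tab, not on spaces.
IFS=$'\n\t'

# Route 53 API host. The "host" value signed further down and the Host header
# sent by curl are hard-coded to this same name, so all three must agree.
ENDPOINT="route53.amazonaws.com"

# Record to UPSERT. TTL and type have defaults and may be overridden from the
# environment; name, value and hosted zone must be supplied by the caller and
# are checked up front so a missing one fails before any signing or I/O.
RECORD_TTL="${RECORD_TTL:-300}"
RECORD_TYPE="${RECORD_TYPE:-A}"
: "${RECORD_NAME:?RECORD_NAME must be set}"
: "${RECORD_VALUE:?RECORD_VALUE must be set}"
: "${HOSTED_ZONE_ID:?HOSTED_ZONE_ID must be set}"
API_PATH="/2013-04-01/hostedzone/${HOSTED_ZONE_ID}/rrset/"

# Credentials are read from the environment and never written into this file.
# Be aware that running with `set -x` would trace the secret key to stderr.
: "${AWS_ACCESS_KEY_ID:?AWS_ACCESS_KEY_ID must be set}"
: "${AWS_SECRET_ACCESS_KEY:?AWS_SECRET_ACCESS_KEY must be set}"
# Region and service name that form the SigV4 credential scope.
AWS_REGION='us-east-1'
AWS_SERVICE='route53'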
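#######################################
# Hex SHA-256 digest of a message.
# Note: this function deliberately shadows the bash `hash` builtin (functions
# take precedence over builtins), so every later `hash ...` call lands here.
# The message passes through `echo -e`, so backslash escapes in it (e.g. the
# literal "\n" sequences in the canonical request) are interpreted before
# hashing.
# Arguments: $1 - message
# Outputs:   lower-case hex digest on stdout
#######################################
hash() {
  local msg=$1
  # openssl prefixes the digest with a label; keep only the final field.
  echo -en "$msg" | openssl dgst -sha256 | sed 's/^.* //'
}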
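#######################################
# HMAC-SHA256 of a message using a plaintext key.
# The key is handed to openssl on its command line, so it is briefly visible
# to other local processes (e.g. in `ps` output); this is the step that
# receives the raw AWS secret, so run it only on hosts where that is
# acceptable.
# Arguments: $1 - plaintext key
#            $2 - message (backslash escapes are interpreted by `echo -e`)
# Outputs:   lower-case hex MAC on stdout
#######################################
sign_plain() {
  local key=$1
  local msg=$2
  # openssl prefixes the MAC with a label; keep only the final field.
  echo -en "$msg" | openssl dgst -hex -sha256 -hmac "$key" | sed 's/^.* //'
}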
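#######################################
# HMAC-SHA256 of a message using a hex-encoded key.
# Used for every step of the SigV4 key derivation after the first, where the
# key is the hex output of the previous step. As with sign_plain, the key is
# visible on openssl's command line while it runs.
# Arguments: $1 - key as a hex string
#            $2 - message (backslash escapes are interpreted by `echo -e`)
# Outputs:   lower-case hex MAC on stdout
#######################################
sign() {
  local key=$1
  local msg=$2
  # openssl prefixes the MAC with a label; keep only the final field.
  echo -en "$msg" | openssl dgst -hex -sha256 -mac HMAC -macopt "hexkey:${key}" | sed 's/^.* //'
}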
# ChangeResourceRecordSets body: one UPSERT of a single record. The
# backslash-newline pairs inside the double quotes are removed by the shell,
# so the value ends up on one line. RECORD_NAME and RECORD_VALUE are inserted
# verbatim with no XML escaping: a value containing '&' or '<' yields a
# malformed document, and a value containing backslashes would be altered by
# the `echo -e` in hash() but sent unaltered by curl, so the request
# signature would no longer match the body.
request_body="<?xml version=\"1.0\" encoding=\"UTF-8\"?> \
<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"> \
<ChangeBatch> \
<Changes> \
<Change> \
<Action>UPSERT</Action> \
<ResourceRecordSet> \
<Name>${RECORD_NAME}</Name> \
<Type>${RECORD_TYPE}</Type> \
<TTL>${RECORD_TTL}</TTL> \
<ResourceRecords> \
<ResourceRecord> \
<Value>${RECORD_VALUE}</Value> \
</ResourceRecord> \
</ResourceRecords> \
</ResourceRecordSet> \
</Change> \
</Changes> \
</ChangeBatch> \
</ChangeResourceRecordSetsRequest>"
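# SigV4 timestamps. Both come from a single `date` call so the credential
# scope date can never disagree with X-Amz-Date when the script runs across
# midnight UTC (two separate calls could straddle it). `-u` is used instead of
# `--utc` so BSD/macOS date works too.
fulldate=$(date -u +%Y%m%dT%H%M%SZ)
shortdate=${fulldate%%T*}
# Headers that are covered by the signature.
signed_headers="host;x-amz-date"
request_hash=$(hash "$request_body")
# Canonical request. The "\n" sequences are literal two-character escapes in
# this string; hash() feeds them through `echo -e`, which is where they turn
# into real newlines. The host value must match ENDPOINT and the Host header
# that curl sends, or the signature is rejected.
canonical_request="POST\n${API_PATH}\n\nhost:route53.amazonaws.com\nx-amz-date:${fulldate}\n\n${signed_headers}\n${request_hash}"
# Signing-key derivation chain: secret -> date -> region -> service -> signing.
# Only the first step sees the plaintext secret (sign_plain); the following
# steps take the previous hex output as their key (sign).
date_key=$(sign_plain "AWS4${AWS_SECRET_ACCESS_KEY}" "${shortdate}")
region_key=$(sign "$date_key" "$AWS_REGION")
service_key=$(sign "$region_key" "$AWS_SERVICE")
signing_key=$(sign "$service_key" aws4_request)
credential="${shortdate}/${AWS_REGION}/${AWS_SERVICE}/aws4_request"
# String to sign: algorithm, timestamp, scope, hash of the canonical request.
sigmsg="AWS4-HMAC-SHA256\n${fulldate}\n${credential}\n$(hash "$canonical_request")"
signature=$(sign "$signing_key" "$sigmsg")
authorization="AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${credential}, SignedHeaders=${signed_headers}, Signature=${signature}"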
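# Send the signed request. `--fail` makes an HTTP error from Route 53 a
# non-zero curl exit, which `set -e` then turns into the script's exit status;
# without it a rejected change still exits 0. Note that `--fail` drops the
# error body; `--fail-with-body` (curl 7.76+) keeps it where available.
# The Host header must stay identical to the host signed in the canonical
# request.
curl \
  --fail \
  -X "POST" \
  -H "Host: route53.amazonaws.com" \
  -H "X-Amz-Date: ${fulldate}" \
  -H "Authorization: ${authorization}" \
  -H "Content-Type: text/xml" \
  -d "$request_body" \
  "https://${ENDPOINT}${API_PATH}"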