crl-storer: load whole AWS config files (#6309)

Allow the crl-storer to load whole AWS config files. Although
this requires a deployment to maintain an additional config
files for the crl-storer, and one in a format we usually don't
use, it does give us lots of flexibility in setting up things like
role assumption.

Also remove the S3Region config flag, as it is now redundant
with the contents of the config file, and rename the existing
S3CredsFile config key to AWSCredsFile to better represent
its true contents.

Fixes #6308

cmd/crl-storer/main.go

@@ -37,15 +37,17 @@ type Config struct {
 		// service, or to point to a fake service for testing. It should be left
 		// blank by default.
 		S3Endpoint string
-		// S3Region is the AWS Region (e.g. us-west-1) that uploads should go to.
-		S3Region string
 		// S3Bucket is the AWS Bucket that uploads should go to. Must be created
 		// (and have appropriate permissions set) beforehand.
 		S3Bucket string
-		// S3CredsFile is the path to a file on disk containing AWS credentials.
+		// AWSConfigFile is the path to a file on disk containing an AWS config.
+		// The format of the configuration file is specified at
+		// https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html.
+		AWSConfigFile string
+		// AWSCredsFile is the path to a file on disk containing AWS credentials.
 		// The format of the credentials file is specified at
 		// https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html.
-		S3CredsFile string
+		AWSCredsFile string
 
 		Features map[string]bool
 	}
@@ -103,16 +105,14 @@ func main() {
 		issuers = append(issuers, cert)
 	}
 
-	// Load the "default" AWS configuration, but override the set of config files
-	// it reads from to be the empty set, and override the set of credentials
-	// files it reads from to be just the one file specified in the Config. This
-	// helps stop us from accidentally loading unexpected or undesired config.
-	// Note that it *will* still load configuration from environment variables.
+	// Load the "default" AWS configuration, but override the set of config and
+	// credential files it reads from to just those specified in our JSON config,
+	// to ensure that it's not accidentally reading anything from the homedir or
+	// its other default config locations.
 	awsConfig, err := config.LoadDefaultConfig(
 		context.Background(),
-		config.WithSharedConfigFiles([]string{}),
-		config.WithSharedCredentialsFiles([]string{c.CRLStorer.S3CredsFile}),
-		config.WithRegion(c.CRLStorer.S3Region),
+		config.WithSharedConfigFiles([]string{c.CRLStorer.AWSConfigFile}),
+		config.WithSharedCredentialsFiles([]string{c.CRLStorer.AWSCredsFile}),
 		config.WithHTTPClient(new(http.Client)),
 		config.WithLogger(awsLogger{logger}),
 		config.WithClientLogMode(aws.LogRequestEventMessage|aws.LogResponseEventMessage),

test/config-next/crl-storer.ini

@@ -0,0 +1,2 @@
+[default]
+region=us-west-1

test/config-next/crl-storer.json

@@ -20,9 +20,9 @@
       "/hierarchy/intermediate-cert-ecdsa-a.pem"
     ],
     "s3Endpoint": "http://localhost:7890",
-    "s3Region": "us-west-1",
     "s3Bucket": "lets-encrypt-crls",
-    "s3CredsFile": "test/secrets/aws_creds.ini"
+    "awsConfigFile": "test/config-next/crl-storer.ini",
+    "awsCredsFile": "test/secrets/aws_creds.ini"
   },
 
   "syslog": {

test/config/crl-storer.ini

@@ -0,0 +1,2 @@
+[default]
+region=us-west-1

test/config/crl-storer.json

@@ -20,9 +20,9 @@
       "/hierarchy/intermediate-cert-ecdsa-a.pem"
     ],
     "s3Endpoint": "http://localhost:7890",
-    "s3Region": "us-west-1",
     "s3Bucket": "lets-encrypt-crls",
-    "s3CredsFile": "test/secrets/aws_creds.ini"
+    "awsConfigFile": "test/config/crl-storer.ini",
+    "awsCredsFile": "test/secrets/aws_creds.ini"
   },
 
   "syslog": {