kiddouk / letslambda

An AWS Lambda function that creates, renews and installs your Letsencrypt certificate in your ELB

Allow arbitrary path in bucket to be used?

petemounce opened this issue · comments

It would be really useful* to be able to put both the zip file of the lambda and the yml configuration file at arbitrary paths within the S3 bucket - buckets are limited to 100 per account as a hard limit, so are a reasonably scarce resource.

I think this could be done by:

  • edits to letslambda.json
    • tell the rule input to include an attribute which is the S3 key to find a configuration file at
    • change the function definition to take S3Key from a parameter
      • add said parameter
  • edit to letslambda.py#load_config so that get_key takes a value from the incoming event

*useful in that:

  • I could put the zip and config in different already-existing bucket(s) rather than devote a whole bucket to it
  • I could define and push the lambda, and then configure it to manage various ELBs via CloudWatch Rules that contain different payloads including the path to S3 of the config for that particular ELB
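One shape the proposed load_config change could take, added here as an example and not code from the letslambda project: the S3 key comes from the CloudWatch Rule payload and is normalised and checked before the Lambda role fetches it from a shared bucket. The event attribute config_key, the default object name letslambda.yml, the bucket argument and the StubS3 stand-in for a boto3 client are all assumptions.

```python
import io
import posixpath
from typing import Any, Mapping

DEFAULT_CONFIG_KEY = "letslambda.yml"  # assumed default object name; not from the project

def resolve_config_key(event: Mapping[str, Any], default: str = DEFAULT_CONFIG_KEY) -> str:
    """Pick the config file's S3 key from the CloudWatch Rule payload.

    The payload is operator-controlled, but the Lambda role can usually read far
    more of a shared bucket than one config file, so the key is normalised and
    checked rather than passed to S3 verbatim.
    """
    key = event.get("config_key", default)  # 'config_key' is an assumed attribute name
    if not isinstance(key, str) or not key.strip():
        raise ValueError("config_key must be a non-empty string")
    normalised = posixpath.normpath(key.strip())
    if normalised.startswith("/") or normalised.split("/")[0] == "..":
        raise ValueError(f"config_key {key!r} does not stay inside the bucket")
    if not normalised.endswith((".yml", ".yaml")):
        raise ValueError(f"config_key {key!r} does not name a YAML file")
    return normalised

def is_valid_config_key(key: str) -> bool:
    """True when resolve_config_key would accept `key`."""
    try:
        resolve_config_key({"config_key": key})
        return True
    except ValueError:
        return False

def load_config(s3_client: Any, bucket: str, event: Mapping[str, Any]) -> str:
    """Return the text of the config object the event points at in `bucket`.
    `s3_client` only needs boto3's get_object(Bucket=..., Key=...) call."""
    key = resolve_config_key(event)
    body = s3_client.get_object(Bucket=bucket, Key=key)["Body"]
    return body.read().decode("utf-8")

class StubS3:
    """Constructed stand-in for a boto3 S3 client holding in-memory objects."""
    def __init__(self, objects: Mapping[tuple, bytes]):
        self.objects = dict(objects)
        self.requested: list = []  # every (bucket, key) asked for, for assertions

    def get_object(self, Bucket: str, Key: str) -> dict:
        self.requested.append((Bucket, Key))
        if (Bucket, Key) not in self.objects:
            raise KeyError(f"NoSuchKey: s3://{Bucket}/{Key}")
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}
```

With a real boto3 client in place of StubS3, the same load_config serves one deployed function for several ELBs, each CloudWatch Rule carrying its own config_key.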

This is some good input. Thanks for this.

We are also thinking about automating the creation of the bucket and enforcing a certain number of rules to prevent a wrong configuration and potential leak of your private keys, and potentially using KMS on the private key.

Thoughts?

@kiddouk Personally I wouldn't need the bucket creation to be automated in any way - I already have buckets that are appropriate to use, were it possible for letslambda to slot into those more symbiotically.

I think enforcing a set of rules is a great addition - sounds like integration tests? Using KMS on the private key also sounds like a good idea, though I've no experience with KMS beyond trying to create a key and stumbling during the getting-started. If I've understood letslambda correctly then it generates a private key if one isn't given, correct? Is it a terrible idea to never know the private key that letsencrypt will generate if one isn't provided...? Or does that get written to S3 once it's generated and the issue is security of that material?

The creation of the bucket should be done only if it doesn't exist. But I am unsure if CF supports that at the moment.
The rules for SSE/KMS should be enforced at the directory level I think.

Never knowing your private key is not a terrible idea. In any case, you can retrieve it yourself since you are the owner of the bucket. But the use cases are limited anyway.

Yes, if you don't give any key, we will generate an RSA 4096 key for you, which gets stored at generation time.

Later in the logic, the certificate issuance will use it to create a CSR.

While you may not be interested in the private key itself, you may be interested in the public key that will be in your installed certificate if you ever want to do some Public Key pinning for any mobile app.