diff --git a/common/aws.sh b/common/aws.sh
index 2f83ccdf..cb86caf9 100644
--- a/common/aws.sh
+++ b/common/aws.sh
@@ -6,6 +6,9 @@
 #
 #   ACM: _aws acm <rpc> <region> [json]
 #        _aws acm ListCertificates us-east-1 '{"MaxItems": 2}'
+#
+#   R53: _aws r53 <verb> <path> [query] [xml]
+#        _aws r53 GET /2013-04-01/hostedzone maxitems=2
 
 _aws() {
   _svc="$1" # _args=...
@@ -33,6 +36,14 @@ _aws_svc_acm() {
     "$_rpc$n$_type" "${_json:-$_empty}"
 }
 
+_aws_svc_r53() {
+  _verb="$1" _path="$2" _query="$3" _xml="$4"
+
+  _aws_wrap '<ErrorResponse' \
+    "$_verb" 'route53.amazonaws.com' "$_path" "$_query" 'us-east-1/route53' \
+    '' "$_xml"
+}
+
 # core
 
 _aws_wrap() {
diff --git a/dnsapi/dns_aws.sh b/dnsapi/dns_aws.sh
index 14a4594d..151edddb 100755
--- a/dnsapi/dns_aws.sh
+++ b/dnsapi/dns_aws.sh
@@ -9,11 +9,11 @@
 #All `_sleep` commands are included to avoid Route53 throttling, see
 #https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html#limits-api-requests
 
-AWS_HOST="route53.amazonaws.com"
-AWS_URL="https://$AWS_HOST"
-
 AWS_WIKI="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Amazon-Route53-API"
 
+# shellcheck source=common/aws.sh
+. "$LE_WORKING_DIR/common/aws.sh"
+
 ########  Public functions #####################
 
 #Usage: dns_myapi_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
@@ -21,28 +21,15 @@ dns_aws_add() {
   fulldomain=$1
   txtvalue=$2
 
-  AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
-  AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
   AWS_DNS_SLOWRATE="${AWS_DNS_SLOWRATE:-$(_readaccountconf_mutable AWS_DNS_SLOWRATE)}"
 
-  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
-    _use_container_role || _use_instance_role
-  fi
-
-  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
-    AWS_ACCESS_KEY_ID=""
-    AWS_SECRET_ACCESS_KEY=""
-    _err "You haven't specified the aws route53 api key id and and api key secret yet."
+  if ! _aws_auth; then
+    _err "You haven't specifed the aws route53 api key id and and api key secret yet."
     _err "Please create your key and try again. see $(__green $AWS_WIKI)"
     return 1
   fi
 
-  #save for future use, unless using a role which will be fetched as needed
-  if [ -z "$_using_role" ]; then
-    _saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
-    _saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
-    _saveaccountconf_mutable AWS_DNS_SLOWRATE "$AWS_DNS_SLOWRATE"
-  fi
+  _saveaccountconf_mutable AWS_DNS_SLOWRATE "$AWS_DNS_SLOWRATE"
 
   _debug "First detect the root zone"
   if ! _get_root "$fulldomain"; then
@@ -55,7 +42,8 @@ dns_aws_add() {
   _debug _domain "$_domain"
 
   _info "Getting existing records for $fulldomain"
-  if ! aws_rest GET "2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then
+  response="$(_aws r53 GET "/2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT")"
+  if [ "$?" -gt 0 ]; then
     _sleep 1
     return 1
   fi
@@ -77,7 +65,8 @@ dns_aws_add() {
 
   _aws_tmpl_xml="<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>UPSERT</Action><ResourceRecordSet><Name>$fulldomain</Name><Type>TXT</Type><TTL>300</TTL><ResourceRecords>$_resource_record<ResourceRecord><Value>\"$txtvalue\"</Value></ResourceRecord></ResourceRecords></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>"
 
-  if aws_rest POST "2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains "$response" "ChangeResourceRecordSetsResponse"; then
+  response="$(_aws r53 POST "/2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml")"
+  if [ "$?" -eq 0 ] && _contains "$response" "ChangeResourceRecordSetsResponse"; then
     _info "TXT record updated successfully."
     if [ -n "$AWS_DNS_SLOWRATE" ]; then
       _info "Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds"
@@ -97,14 +86,8 @@ dns_aws_rm() {
   fulldomain=$1
   txtvalue=$2
 
-  AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
-  AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
   AWS_DNS_SLOWRATE="${AWS_DNS_SLOWRATE:-$(_readaccountconf_mutable AWS_DNS_SLOWRATE)}"
 
-  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
-    _use_container_role || _use_instance_role
-  fi
-
   _debug "First detect the root zone"
   if ! _get_root "$fulldomain"; then
     _err "invalid domain"
@@ -116,7 +99,8 @@ dns_aws_rm() {
   _debug _domain "$_domain"
 
   _info "Getting existing records for $fulldomain"
-  if ! aws_rest GET "2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then
+  response="$(_aws r53 GET "/2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT")"
+  if [ "$?" -gt 0 ]; then
     _sleep 1
     return 1
   fi
@@ -132,7 +116,8 @@ dns_aws_rm() {
 
   _aws_tmpl_xml="<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>DELETE</Action><ResourceRecordSet><ResourceRecords>$_resource_record</ResourceRecords><Name>$fulldomain.</Name><Type>TXT</Type><TTL>300</TTL></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>"
 
-  if aws_rest POST "2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains "$response" "ChangeResourceRecordSetsResponse"; then
+  response="$(_aws r53 POST "/2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml")"
+  if [ "$?" -eq 0 ] && _contains "$response" "ChangeResourceRecordSetsResponse"; then
     _info "TXT record deleted successfully."
     if [ -n "$AWS_DNS_SLOWRATE" ]; then
       _info "Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds"
@@ -155,7 +140,8 @@ _get_root() {
   i=2
   p=1
 
-  if aws_rest GET "2013-04-01/hostedzone"; then
+  response="$(_aws r53 GET '/2013-04-01/hostedzone')"
+  if [ "$?" -eq 0 ]; then
     while true; do
       h=$(printf "%s" "$domain" | cut -d . -f $i-100)
       _debug2 "Checking domain: $h"
@@ -164,7 +150,8 @@ _get_root() {
           _debug "IsTruncated"
           _nextMarker="$(echo "$response" | _egrep_o "<NextMarker>.*</NextMarker>" | cut -d '>' -f 2 | cut -d '<' -f 1)"
           _debug "NextMarker" "$_nextMarker"
-          if aws_rest GET "2013-04-01/hostedzone" "marker=$_nextMarker"; then
+          response="$(_aws r53 GET '/2013-04-01/hostedzone' "marker=$_nextMarker")"
+          if [ "$?" -eq 0 ]; then
             _debug "Truncated request OK"
             i=2
             p=1
@@ -198,168 +185,3 @@ _get_root() {
   fi
   return 1
 }
-
-_use_container_role() {
-  # automatically set if running inside ECS
-  if [ -z "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then
-    _debug "No ECS environment variable detected"
-    return 1
-  fi
-  _use_metadata "169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
-}
-
-_use_instance_role() {
-  _url="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
-  _debug "_url" "$_url"
-  if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then
-    _debug "Unable to fetch IAM role from instance metadata"
-    return 1
-  fi
-  _aws_role=$(_get "$_url" "" 1)
-  _debug "_aws_role" "$_aws_role"
-  _use_metadata "$_url$_aws_role"
-}
-
-_use_metadata() {
-  _aws_creds="$(
-    _get "$1" "" 1 |
-      _normalizeJson |
-      tr '{,}' '\n' |
-      while read -r _line; do
-        _key="$(echo "${_line%%:*}" | tr -d '"')"
-        _value="${_line#*:}"
-        _debug3 "_key" "$_key"
-        _secure_debug3 "_value" "$_value"
-        case "$_key" in
-        AccessKeyId) echo "AWS_ACCESS_KEY_ID=$_value" ;;
-        SecretAccessKey) echo "AWS_SECRET_ACCESS_KEY=$_value" ;;
-        Token) echo "AWS_SESSION_TOKEN=$_value" ;;
-        esac
-      done |
-      paste -sd' ' -
-  )"
-  _secure_debug "_aws_creds" "$_aws_creds"
-
-  if [ -z "$_aws_creds" ]; then
-    return 1
-  fi
-
-  eval "$_aws_creds"
-  _using_role=true
-}
-
-#method uri qstr data
-aws_rest() {
-  mtd="$1"
-  ep="$2"
-  qsr="$3"
-  data="$4"
-
-  _debug mtd "$mtd"
-  _debug ep "$ep"
-  _debug qsr "$qsr"
-  _debug data "$data"
-
-  CanonicalURI="/$ep"
-  _debug2 CanonicalURI "$CanonicalURI"
-
-  CanonicalQueryString="$qsr"
-  _debug2 CanonicalQueryString "$CanonicalQueryString"
-
-  RequestDate="$(date -u +"%Y%m%dT%H%M%SZ")"
-  _debug2 RequestDate "$RequestDate"
-
-  #RequestDate="20161120T141056Z" ##############
-
-  export _H1="x-amz-date: $RequestDate"
-
-  aws_host="$AWS_HOST"
-  CanonicalHeaders="host:$aws_host\nx-amz-date:$RequestDate\n"
-  SignedHeaders="host;x-amz-date"
-  if [ -n "$AWS_SESSION_TOKEN" ]; then
-    export _H3="x-amz-security-token: $AWS_SESSION_TOKEN"
-    CanonicalHeaders="${CanonicalHeaders}x-amz-security-token:$AWS_SESSION_TOKEN\n"
-    SignedHeaders="${SignedHeaders};x-amz-security-token"
-  fi
-  _debug2 CanonicalHeaders "$CanonicalHeaders"
-  _debug2 SignedHeaders "$SignedHeaders"
-
-  RequestPayload="$data"
-  _debug2 RequestPayload "$RequestPayload"
-
-  Hash="sha256"
-
-  CanonicalRequest="$mtd\n$CanonicalURI\n$CanonicalQueryString\n$CanonicalHeaders\n$SignedHeaders\n$(printf "%s" "$RequestPayload" | _digest "$Hash" hex)"
-  _debug2 CanonicalRequest "$CanonicalRequest"
-
-  HashedCanonicalRequest="$(printf "$CanonicalRequest%s" | _digest "$Hash" hex)"
-  _debug2 HashedCanonicalRequest "$HashedCanonicalRequest"
-
-  Algorithm="AWS4-HMAC-SHA256"
-  _debug2 Algorithm "$Algorithm"
-
-  RequestDateOnly="$(echo "$RequestDate" | cut -c 1-8)"
-  _debug2 RequestDateOnly "$RequestDateOnly"
-
-  Region="us-east-1"
-  Service="route53"
-
-  CredentialScope="$RequestDateOnly/$Region/$Service/aws4_request"
-  _debug2 CredentialScope "$CredentialScope"
-
-  StringToSign="$Algorithm\n$RequestDate\n$CredentialScope\n$HashedCanonicalRequest"
-
-  _debug2 StringToSign "$StringToSign"
-
-  kSecret="AWS4$AWS_SECRET_ACCESS_KEY"
-
-  #kSecret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" ############################
-
-  _secure_debug2 kSecret "$kSecret"
-
-  kSecretH="$(printf "%s" "$kSecret" | _hex_dump | tr -d " ")"
-  _secure_debug2 kSecretH "$kSecretH"
-
-  kDateH="$(printf "$RequestDateOnly%s" | _hmac "$Hash" "$kSecretH" hex)"
-  _debug2 kDateH "$kDateH"
-
-  kRegionH="$(printf "$Region%s" | _hmac "$Hash" "$kDateH" hex)"
-  _debug2 kRegionH "$kRegionH"
-
-  kServiceH="$(printf "$Service%s" | _hmac "$Hash" "$kRegionH" hex)"
-  _debug2 kServiceH "$kServiceH"
-
-  kSigningH="$(printf "%s" "aws4_request" | _hmac "$Hash" "$kServiceH" hex)"
-  _debug2 kSigningH "$kSigningH"
-
-  signature="$(printf "$StringToSign%s" | _hmac "$Hash" "$kSigningH" hex)"
-  _debug2 signature "$signature"
-
-  Authorization="$Algorithm Credential=$AWS_ACCESS_KEY_ID/$CredentialScope, SignedHeaders=$SignedHeaders, Signature=$signature"
-  _debug2 Authorization "$Authorization"
-
-  _H2="Authorization: $Authorization"
-  _debug _H2 "$_H2"
-
-  url="$AWS_URL/$ep"
-  if [ "$qsr" ]; then
-    url="$AWS_URL/$ep?$qsr"
-  fi
-
-  if [ "$mtd" = "GET" ]; then
-    response="$(_get "$url")"
-  else
-    response="$(_post "$data" "$url")"
-  fi
-
-  _ret="$?"
-  _debug2 response "$response"
-  if [ "$_ret" = "0" ]; then
-    if _contains "$response" "<ErrorResponse"; then
-      _err "Response error:$response"
-      return 1
-    fi
-  fi
-
-  return "$_ret"
-}