Merge pull request #359 from wmedlar/document-route53-policy

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Document the minimum necessary permissions for using cert-manager with Route53 **What this PR does / why we need it**: Necessary permissions previously not documented. **Release note**: ```release-note Document the minimum necessary permissions for using cert-manager with Route53 ```
2018-03-01 15:24:06 +00:00 · 2018-03-01 15:24:06 +00:00 · 35fd53028e
commit 35fd53028e
parent 09fbbb4d4a ffeedf7d5d
1 changed files with 27 additions and 0 deletions
--- a/docs/api-types/issuer/spec.md
+++ b/docs/api-types/issuer/spec.md
@ -132,6 +132,33 @@ route53:
    key: secret-access-key
 ```

+Cert-manager requires the following IAM policy.
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "route53:GetChange",
+            "Resource": "arn:aws:route53:::change/*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "route53:ChangeResourceRecordSets",
+            "Resource": "arn:aws:route53:::hostedzone/*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "route53:ListHostedZonesByName",
+            "Resource": "arn:aws:route53:::hostedzone/*"
+        }
+    ]
+}
+```
+
+The `route53:ListHostedZonesByName` statement can be removed if you specify the optional hosted zone ID (`spec.acme.dns01.providers[].hostedZoneID`) on the Issuer resource. You can further tighten this policy by limiting the hosted zone that cert-manager has access to (replace `arn:aws:route53:::hostedzone/*` with `arn:aws:route53:::hostedzone/DIKER8JPL21PSA`, for instance).
+
 ##### Cloudflare

 ```yaml