From b65cdde8a96d345f178b21a4408fc9e695af899c Mon Sep 17 00:00:00 2001
From: Will Medlar
Date: Tue, 27 Feb 2018 14:50:49 -0500
Subject: [PATCH 1/2] Document the minimum permissions for using cert-manager with Route53

---
 docs/api-types/issuer/spec.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/docs/api-types/issuer/spec.md b/docs/api-types/issuer/spec.md
index d60b905e7..7b6e76860 100644
--- a/docs/api-types/issuer/spec.md
+++ b/docs/api-types/issuer/spec.md
@@ -126,12 +126,40 @@ clouddns:
 ```yaml
 route53:
 accessKeyID: AKIAIOSFODNN7EXAMPLE
+ hostedZoneID: DIKER8JPL21PSA
 region: eu-west-1
 secretAccessKeySecretRef:
 name: prod-route53-credentials-secret
 key: secret-access-key
 ```
 
+Cert-manager requires the following IAM policy.
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "route53:GetChange",
+ "Resource": "arn:aws:route53:::change/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "route53:ChangeResourceRecordSets",
+ "Resource": "arn:aws:route53:::hostedzone/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "route53:ListHostedZonesByName",
+ "Resource": "arn:aws:route53:::hostedzone/*"
+ }
+ ]
+}
+```
+
+The `route53:ListHostedZonesByName` statement can be removed if you specify the hosted zone ID (`spec.acme.dns01.providers[].hostedZoneID`) on the Issuer resource. You can further tighten this policy by limiting the hosted zone that cert-manager has access to (replace `arn:aws:route53:::hostedzone/*` with `arn:aws:route53:::hostedzone/DIKER8JPL21PSA`, for instance).
+
 ##### Cloudflare
 
 ```yaml
From ffeedf7d5d00441f245a00037d12f18c843ccb70 Mon Sep 17 00:00:00 2001
From: Will Medlar
Date: Thu, 1 Mar 2018 09:21:13 -0500
Subject: [PATCH 2/2] Remove non-recommended hostedZoneID from Route53 example

---
 docs/api-types/issuer/spec.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/docs/api-types/issuer/spec.md b/docs/api-types/issuer/spec.md
index 7b6e76860..aca8c6fb7 100644
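Review bot: The third statement of the added IAM policy scopes `route53:ListHostedZonesByName` to `arn:aws:route53:::hostedzone/*`, but that action is not resource-level in IAM (the Route 53 action table lists no resource type for it), so a statement with a hosted-zone ARN never matches and the lookup is denied rather than narrowed; it needs `"Resource": "*"`. That also means the closing paragraph's advice to drop the statement once `hostedZoneID` is set is the actual least-privilege lever, and the paragraph could say so explicitly. The opening sentence `Cert-manager requires the following IAM policy.` reads as one fixed policy even though the text below describes a minimum that can be tightened; consider `Cert-manager needs an IAM policy granting at least the following permissions:`.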
--- a/docs/api-types/issuer/spec.md
+++ b/docs/api-types/issuer/spec.md
@@ -126,7 +126,6 @@ clouddns:
 ```yaml
 route53:
 accessKeyID: AKIAIOSFODNN7EXAMPLE
- hostedZoneID: DIKER8JPL21PSA
 region: eu-west-1
 secretAccessKeySecretRef:
 name: prod-route53-credentials-secret
@@ -158,7 +157,7 @@ Cert-manager requires the following IAM policy.
 }
 ```
 
-The `route53:ListHostedZonesByName` statement can be removed if you specify the hosted zone ID (`spec.acme.dns01.providers[].hostedZoneID`) on the Issuer resource. You can further tighten this policy by limiting the hosted zone that cert-manager has access to (replace `arn:aws:route53:::hostedzone/*` with `arn:aws:route53:::hostedzone/DIKER8JPL21PSA`, for instance).
+The `route53:ListHostedZonesByName` statement can be removed if you specify the optional hosted zone ID (`spec.acme.dns01.providers[].hostedZoneID`) on the Issuer resource. You can further tighten this policy by limiting the hosted zone that cert-manager has access to (replace `arn:aws:route53:::hostedzone/*` with `arn:aws:route53:::hostedzone/DIKER8JPL21PSA`, for instance).
 
 ##### Cloudflare