From c4bb8d91b5ea7a34e5560ed9456cbeff8a5eb527 Mon Sep 17 00:00:00 2001
From: John Wells
Date: Mon, 23 Apr 2018 17:43:57 -0600
Subject: [PATCH 1/2] Fix AWS DNS policy example

After testing the suggested policy both with the AWS policy simulator and by using it with cert-manager I have found that the ARN prefix in the resources included in the statement cause the provider to fail with an access denied error. This new policy is equivalent and valid according to the AWS policy simulator.
---
 docs/reference/issuers/acme/dns01.rst | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/reference/issuers/acme/dns01.rst b/docs/reference/issuers/acme/dns01.rst
index af7b043ea..77a811fe8 100644
--- a/docs/reference/issuers/acme/dns01.rst
+++ b/docs/reference/issuers/acme/dns01.rst
@@ -76,17 +76,17 @@ Cert-manager requires the following IAM policy.
 {
 "Effect": "Allow",
 "Action": "route53:GetChange",
- "Resource": "arn:aws:route53:::change/*"
+ "Resource": "*"
 },
 {
 "Effect": "Allow",
 "Action": "route53:ChangeResourceRecordSets",
- "Resource": "arn:aws:route53:::hostedzone/*"
+ "Resource": "*"
 },
 {
 "Effect": "Allow",
 "Action": "route53:ListHostedZonesByName",
- "Resource": "arn:aws:route53:::hostedzone/*"
+ "Resource": "*"
 }
 ]
 }

From 7ad604cdc7e6d73222a639e0d1f950dd8be9b069 Mon Sep 17 00:00:00 2001
From: John Wells
Date: Mon, 18 Jun 2018 13:53:09 -0600
Subject: [PATCH 2/2] Fix IAM policy warnings

---
 docs/reference/issuers/acme/dns01.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/reference/issuers/acme/dns01.rst b/docs/reference/issuers/acme/dns01.rst
index 77a811fe8..574357a55 100644
--- a/docs/reference/issuers/acme/dns01.rst
+++ b/docs/reference/issuers/acme/dns01.rst
@@ -76,12 +76,12 @@ Cert-manager requires the following IAM policy.
 {
 "Effect": "Allow",
 "Action": "route53:GetChange",
- "Resource": "*"
+ "Resource": "arn:aws:route53:::change/*"
 },
 {
 "Effect": "Allow",
 "Action": "route53:ChangeResourceRecordSets",
- "Resource": "*"
+ "Resource": "arn:aws:route53:::hostedzone/*"
 },
 {
 "Effect": "Allow",
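Review bot: The restored `arn:aws:route53:::hostedzone/*` resource on the ChangeResourceRecordSets statement still lets the cert-manager credentials write records in every hosted zone of the account, and nothing in the documented example tells the reader this should be narrowed. A sentence under the policy would make the least-privilege form visible, e.g. `Replace hostedzone/* with the zone(s) cert-manager manages: arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>` (placeholder ID). The ListHostedZonesByName statement sits just past the end of this hunk and, after the first patch, keeps `"Resource": "*"`; presumably that is intentional because the list call does not accept a zone ARN, so a short note next to it would stop readers from tightening it back and hitting the access-denied error the first commit message describes. It would also help if the second commit message said why the ARN-scoped resources that were reported as failing in the first patch now work, since the two messages currently contradict each other.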