Document the minimum permissions for using cert-manager with Route53

2018-02-27 14:50:49 -05:00 · 2018-02-27 14:50:49 -05:00 · b65cdde8a9
commit b65cdde8a9
parent 8022e6ab93
1 changed files with 28 additions and 0 deletions
--- a/docs/api-types/issuer/spec.md
+++ b/docs/api-types/issuer/spec.md
@ -126,12 +126,40 @@ clouddns:
 ```yaml
 route53:
  accessKeyID: AKIAIOSFODNN7EXAMPLE
+  hostedZoneID: DIKER8JPL21PSA
  region: eu-west-1
  secretAccessKeySecretRef:
    name: prod-route53-credentials-secret
    key: secret-access-key
 ```

+Cert-manager requires the following IAM policy.
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "route53:GetChange",
+            "Resource": "arn:aws:route53:::change/*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "route53:ChangeResourceRecordSets",
+            "Resource": "arn:aws:route53:::hostedzone/*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "route53:ListHostedZonesByName",
+            "Resource": "arn:aws:route53:::hostedzone/*"
+        }
+    ]
+}
+```
+
+The `route53:ListHostedZonesByName` statement can be removed if you specify the hosted zone ID (`spec.acme.dns01.providers[].hostedZoneID`) on the Issuer resource. You can further tighten this policy by limiting the hosted zone that cert-manager has access to (replace `arn:aws:route53:::hostedzone/*` with `arn:aws:route53:::hostedzone/DIKER8JPL21PSA`, for instance).
+
 ##### Cloudflare

 ```yaml