
This page shows how to create a Route53 IAM policy scoped to one or more hosted zones, for example to allow Let's Encrypt to update DNS TXT records for certificate issuance (the DNS-01 challenge).

Get your Zone ID

This is on the Route53 'Hosted Zones' page and looks like ZZZZZZZZZ.

Create IAM Policy

In 'IAM', 'Policies', click 'Create Policy' and select the JSON tab. Paste the following JSON into the box, replacing the example Zone ID (ZKABCDEFGHIJK) with the Zone ID you found above. To allow more than one zone to be updated, add each additional zone ID as another entry in the 'Resource' list (ZFGHIJKLMNOPQ in the example below). Note that this policy also grants 'route53:ListHostedZones' on '*', which lets the holder of the key enumerate every domain in the account and may be a security issue in your setting. If so, remove the 'route53:ListHostedZones' statement; an ACME client that discovers the zone by listing will then need the zone ID configured explicitly.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:GetHostedZone",
                "route53:ListResourceRecordSets"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:route53:::hostedzone/ZKABCDEFGHIJK",
                "arn:aws:route53:::hostedzone/ZFGHIJKLMNOPQ"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:GetChange"
            ],
            "Resource": "arn:aws:route53:::change/*"
        }
    ]
}
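
The policy above can be generated for any number of zones, with or without the ListHostedZones statement, and then checked for grants wider than DNS-01 needs. This is an added example, not part of the original page; the zone ID pattern and the finding texts are assumptions made here.

```python
import re

# Assumption: hosted zone IDs are uppercase alphanumerics starting with Z
# (ZKABCDEFGHIJK and ZFGHIJKLMNOPQ on this page are placeholders of that shape).
ZONE_ID_RE = re.compile(r"^Z[A-Z0-9]{5,31}$")
WRITE_ACTION = "route53:ChangeResourceRecordSets"


def build_dns01_policy(zone_ids, allow_list_zones=True):
    """Build the page's policy for one or more zone IDs. allow_list_zones=False
    drops the ListHostedZones statement the page says you may remove."""
    bad = [z for z in zone_ids if not ZONE_ID_RE.match(z)]
    if bad or not zone_ids:
        raise ValueError(f"invalid hosted zone IDs: {bad or zone_ids}")
    statements = [{
        "Effect": "Allow",
        "Action": [WRITE_ACTION, "route53:GetHostedZone",
                   "route53:ListResourceRecordSets"],
        "Resource": [f"arn:aws:route53:::hostedzone/{z}" for z in zone_ids],
    }]
    if allow_list_zones:  # account-wide: lets the key holder enumerate all zones
        statements.append({"Effect": "Allow",
                           "Action": ["route53:ListHostedZones"],
                           "Resource": ["*"]})
    statements.append({"Effect": "Allow", "Action": ["route53:GetChange"],
                       "Resource": "arn:aws:route53:::change/*"})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def audit_policy(policy):
    """Return findings for Allow statements wider than DNS-01 renewal needs."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        wild = any(a in ("*", "route53:*") for a in actions)  # literal match only
        if wild:
            findings.append(f"statement {i}: wildcard action grants all of Route 53")
        if (wild or WRITE_ACTION in actions) and any(
                r in ("*", "arn:aws:route53:::hostedzone/*") for r in resources):
            findings.append(f"statement {i}: record writes allowed on every zone")
        if "route53:ListHostedZones" in actions:
            findings.append(f"statement {i}: ListHostedZones reveals all zone names")
    return findings
```

`json.dumps(build_dns01_policy(["ZKABCDEFGHIJK"]), indent=4)` produces the text to paste into the policy editor.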

Name it

Click 'Review Policy' and check that you haven't made any typos.

Create a new user to use this policy

Only enable 'Programmatic Access'

Link policy to user

Finish and get keys

After you click 'Review' and 'Finish' you will be presented with your new IAM keys. The secret access key is shown only at this point, so store it securely now.
