Creating the Route 53 IAM Policy

AWS Identity & Access Management (IAM) manages credentials for the ATC Manager and its nodes by assigning IAM roles to them when they are launched. Attaching policies to these roles grants the associated instances permissions such as starting, stopping, and terminating instances in EC2, updating records in the Route 53 service, or associating IAM roles with a new instance. Every instance that holds a role receives all of its permissions, so each policy should be scoped to the specific resources the cluster needs.

The Route 53 IAM policy allows the Cluster Manager and its nodes to read and update records in Route 53, a scalable cloud DNS web service that manages connections between users and applications running in AWS. This policy is attached to the atc-route53 IAM role.

Important: If Route 53 is hosted in a separate AWS account from your Cluster Manager, create the Route 53 IAM policy in the account that owns the hosted zone.
  1. From the AWS console, go to Security & Identity > Identity & Access Management and select Policies from the Details sidebar.
  2. Click Create Policy. Select the Create Your Own Policy option.
  3. Name the new policy atc-route53-policy.
  4. Enter the following policy into the Policy Document field.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "route53:GetHostedZone",
                    "route53:ChangeResourceRecordSets",
                    "route53:ListResourceRecordSets"
                ],
                "Resource": "arn:aws:route53:::hostedzone/target_host_zone_id"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "route53:ListHostedZones"
                ],
                "Resource": "*"
            }
        ]
    }

    Replace target_host_zone_id with the Hosted Zone ID of the DNS hosted zone the cluster updates. The Hosted Zone ID (not the domain name) is shown in the Route 53 dashboard: from the AWS console, go to Networking > Route 53 and select Hosted Zones from the left sidebar. The first statement is deliberately limited to that zone; only route53:ListHostedZones, which has no zone-level resource, is granted on "*".

    For example, if the Hosted Zone ID of your hosted zone is Z1ZXQD414LGXRA, the Resource element would be the following:

    "Resource": "arn:aws:route53:::hostedzone/Z1ZXQD414LGXRA"

    If you are using split-view DNS (separate public and private hosted zones for the same domain), list the ARNs of every hosted zone the cluster must update as a JSON array. For example,

    "Resource": [
        "arn:aws:route53:::hostedzone/Z1ZXQD414LGXRA",
        "arn:aws:route53:::hostedzone/Z20Y3CXFK4N2BN"
    ]
  5. Click Validate Policy to check for formatting issues. The policy must be well-formed JSON text.
  6. Click Create Policy.
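The following Python script is an added example, not part of the original page or of the product's own tooling. It generates the atc-route53-policy document from one or more Hosted Zone IDs (producing the single-string Resource for one zone and the array form for split-view DNS) and lints the result before it is pasted into the Policy Document field: the JSON must round-trip, and no write action such as route53:ChangeResourceRecordSets may be granted on "*". The function names, the normalization of the "/hostedzone/ID" form returned by the Route 53 API, and the hosted zone ID format check are assumptions of this example; the format check is a heuristic, not an AWS specification.

```python
"""Build and lint the atc-route53-policy document from hosted zone IDs.

Added example (not from the original page): the function names below are
assumptions, and the zone ID format check is a heuristic.
"""
import json
import re

# Actions the cluster needs on specific hosted zones (from the page's policy).
ZONE_ACTIONS = [
    "route53:GetHostedZone",
    "route53:ChangeResourceRecordSets",
    "route53:ListResourceRecordSets",
]
# Listing zones has no zone-level resource, so it must be granted on "*".
ACCOUNT_ACTIONS = ["route53:ListHostedZones"]
# Actions that modify DNS and must never be granted on "*".
WRITE_ACTIONS = {"route53:ChangeResourceRecordSets"}

# Heuristic (assumption): hosted zone IDs start with Z and are upper-case alphanumeric.
_ZONE_ID_RE = re.compile(r"^Z[A-Z0-9]{6,32}$")


def normalize_zone_id(zone_id: str) -> str:
    """Accept a bare ID or the '/hostedzone/ID' form the Route 53 API returns."""
    zone_id = zone_id.strip()
    if zone_id.startswith("/hostedzone/"):
        zone_id = zone_id[len("/hostedzone/"):]
    if not _ZONE_ID_RE.match(zone_id):
        raise ValueError(f"not a plausible hosted zone ID: {zone_id!r}")
    return zone_id


def build_route53_policy(zone_ids):
    """Return the policy as a dict. A single zone yields a string Resource;
    several zones (split-view DNS) yield a list, matching the page's two examples."""
    ids = [normalize_zone_id(z) for z in zone_ids]
    if not ids:
        raise ValueError("at least one hosted zone ID is required")
    arns = [f"arn:aws:route53:::hostedzone/{z}" for z in ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(ZONE_ACTIONS),
             "Resource": arns[0] if len(arns) == 1 else arns},
            {"Effect": "Allow", "Action": list(ACCOUNT_ACTIONS), "Resource": "*"},
        ],
    }


def lint_policy(policy) -> list:
    """Return a list of findings; an empty list means the document passed.
    Checks that the JSON round-trips, the Version is current, write actions
    are never granted on '*', and every resource is a Route 53 hosted zone ARN."""
    findings = []
    try:
        json.loads(json.dumps(policy))
    except (TypeError, ValueError) as exc:
        return [f"policy is not well-formed JSON: {exc}"]
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            # A wildcard action on "*" also implies write access, so flag it too.
            if (action in WRITE_ACTIONS or action in ("route53:*", "*")) and "*" in resources:
                findings.append(f"statement {i}: {action} is granted on Resource '*'")
        for r in resources:
            if r != "*" and not r.startswith("arn:aws:route53:::hostedzone/"):
                findings.append(f"statement {i}: unexpected resource {r!r}")
    return findings


if __name__ == "__main__":
    # The zone IDs below are the page's own example values (constructed input).
    doc = build_route53_policy(["Z1ZXQD414LGXRA", "/hostedzone/Z20Y3CXFK4N2BN"])
    print(json.dumps(doc, indent=4))
    print("findings:", lint_policy(doc))
```

Run the script and paste its JSON output into the Policy Document field; the lint step catches the most common way this policy gets loosened later, which is widening the ChangeResourceRecordSets statement to "*" instead of adding the second zone ARN.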