
The official docs have the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/HOSTED_ZONE_IN"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}

But I can't find anything in the AWS official docs about the "Resource": "arn:aws:route53:::change/*".

What is it?

DmitrySemenov

1 Answer


When Route 53 is updated, a "change ID" is returned to the caller. It can then be used to track record propagation, as nothing happens immediately. That's what cert-manager does. It just has two states: "PENDING" and "INSYNC". When "INSYNC", the actual DNS servers are ready to serve the record and cert-manager may proceed with issuing a certificate. The change ID is impossible to predict, therefore the IAM policy requires an asterisk at the end of the ARN.
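The flow the answer describes, as an added example that is not part of the original post and not cert-manager's or AWS's own code: an UPSERT of the ACME TXT record returns a server-generated change ID, the caller polls GetChange until the status flips from PENDING to INSYNC, and the policy's `change/*` wildcard is what lets that GetChange call succeed for an ID nobody could have written into the policy ahead of time. The `FakeRoute53` class is a constructed stand-in for a boto3 `route53` client (same response shapes, no network), the zone ID `Z0ZONEEXAMPLE` and change ID `C0123456789EXAMPLE` are constructed sample values, and `policy_allows` is a deliberately minimal evaluator (Allow statements only, no Deny or conditions) used to show which resources the page's policy scopes tightly and which it cannot.

```python
"""Route 53 change tracking and the change/* resource, illustrated offline."""
import fnmatch
import time

# The page's policy, with the HOSTED_ZONE_IN placeholder replaced by a
# constructed zone ID so the evaluator has something concrete to match.
CERT_MANAGER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "route53:GetChange",
         "Resource": "arn:aws:route53:::change/*"},
        {"Effect": "Allow",
         "Action": ["route53:ChangeResourceRecordSets",
                    "route53:ListResourceRecordSets"],
         "Resource": "arn:aws:route53:::hostedzone/Z0ZONEEXAMPLE"},
        {"Effect": "Allow", "Action": "route53:ListHostedZonesByName",
         "Resource": "*"},
    ],
}


class FakeRoute53:
    """Constructed stand-in for boto3.client('route53'): a submitted change
    reports PENDING for a fixed number of get_change polls, then INSYNC."""

    def __init__(self, polls_until_insync=2):
        self._remaining = polls_until_insync
        self.changes = {}

    def change_resource_record_sets(self, HostedZoneId, ChangeBatch):
        # Route 53 generates the change ID; the caller cannot know it in advance.
        change_id = "/change/C0123456789EXAMPLE"  # constructed sample value
        self.changes[change_id] = "PENDING"
        return {"ChangeInfo": {"Id": change_id, "Status": "PENDING"}}

    def get_change(self, Id):
        if self._remaining > 0:
            self._remaining -= 1
        else:
            self.changes[Id] = "INSYNC"
        return {"ChangeInfo": {"Id": Id, "Status": self.changes[Id]}}


def change_arn(change_id):
    """ARN that route53:GetChange is authorised against. The API returns the
    ID as '/change/Cxxx'; the ARN uses the bare ID after 'change/'."""
    return "arn:aws:route53:::change/" + change_id.rsplit("/", 1)[-1]


def policy_allows(policy, action, resource):
    """Minimal check: does any Allow statement match action and resource?
    '*' is handled with fnmatch; Deny, NotAction and Condition are ignored."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatch.fnmatchcase(action, a) for a in acts) and \
           any(fnmatch.fnmatchcase(resource, r) for r in res):
            return True
    return False


def upsert_txt_and_wait(client, zone_id, name, value, timeout_s=30, interval_s=0.01):
    """UPSERT a TXT record, then poll GetChange until INSYNC.
    Returns (change_id, number_of_get_change_calls)."""
    resp = client.change_resource_record_sets(
        HostedZoneId=zone_id,
        ChangeBatch={"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
            "Name": name, "Type": "TXT", "TTL": 60,
            "ResourceRecords": [{"Value": '"%s"' % value}]}}]},
    )
    change_id = resp["ChangeInfo"]["Id"]
    deadline = time.monotonic() + timeout_s
    polls = 0
    while True:
        polls += 1
        status = client.get_change(Id=change_id)["ChangeInfo"]["Status"]
        if status == "INSYNC":
            return change_id, polls
        if time.monotonic() > deadline:
            raise TimeoutError("change %s still %s" % (change_id, status))
        time.sleep(interval_s)


if __name__ == "__main__":
    client = FakeRoute53(polls_until_insync=2)
    cid, n = upsert_txt_and_wait(client, "Z0ZONEEXAMPLE",
                                 "_acme-challenge.example.com.", "constructed-token")
    print(cid, "INSYNC after", n, "GetChange calls")
    print("GetChange allowed on", change_arn(cid), "->",
          policy_allows(CERT_MANAGER_POLICY, "route53:GetChange", change_arn(cid)))
```

The asymmetry the evaluator makes visible is the security-relevant one: record writes are pinned to one hosted zone, so a leaked credential cannot modify other zones, while GetChange is read-only status polling whose resource is only known after the write, which is why a wildcard there costs nothing in exposure.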