From 91cb0f8297bc51bcd3dd942f7ddcee2cd6a02a86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Pawe=C5=82=20G=C5=82azik?=
Date: Mon, 20 Feb 2017 18:33:10 +0100
Subject: [PATCH] docs: reflect changes made in #1871
---
 docs/iam_roles.md | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/docs/iam_roles.md b/docs/iam_roles.md
index 09e100e7bc..bb2a0c4842 100644
--- a/docs/iam_roles.md
+++ b/docs/iam_roles.md
@@ -10,7 +10,6 @@ Master permissions:
 ```
 ec2:*
-route53:*
 elasticloadbalancing:*
 ecr:GetAuthorizationToken
 ecr:BatchCheckLayerAvailability
@@ -19,6 +18,11 @@ ecr:GetRepositoryPolicy
 ecr:DescribeRepositories
 ecr:ListImages
 ecr:BatchGetImage
+route53:ListHostedZones
+route53:GetChange
+// The following permissions are scoped to AWS Route53 HostedZone used to bootstrap the cluster
+// arn:aws:route53:::hostedzone/$hosted_zone_id
+route53:ChangeResourceRecordSets, ListResourceRecordSets, GetHostedZone
 // The following permissions are only created if you are using etcd volumes with "encrypted: true" and a custom kmsKeyId.
 // They are scoped to the kmsKeyId that you are using.
@@ -36,7 +40,6 @@ Node permissions:
 ```
 ec2:Describe*
-route53:*
 ecr:GetAuthorizationToken
 ecr:BatchCheckLayerAvailability
 ecr:GetDownloadUrlForLayer
@@ -44,6 +47,11 @@ ecr:GetRepositoryPolicy
 ecr:DescribeRepositories
 ecr:ListImages
 ecr:BatchGetImage
+route53:ListHostedZones
+route53:GetChange
+// The following permissions are scoped to AWS Route53 HostedZone used to bootstrap the cluster
+// arn:aws:route53:::hostedzone/$hosted_zone_id
+route53:ChangeResourceRecordSets, ListResourceRecordSets, GetHostedZone
 ```
 ## Adding Additional Policies