ROUTE53: Document Minimum access policy learned from #548 (#586)

docs/_providers/route53.md

@@ -10,12 +10,12 @@ You can specify the API credentials in the credentials json file:
 
 {% highlight json %}
 {
- "r53_main":{
-      "KeyId": "your-aws-key",
-      "SecretKey": "your-aws-secret-key",
-      "Token": "optional-sts-token",
-      "DelegationSet" : "optional-delegation-set-id"
- }
+    "r53_main": {
+        "KeyId": "your-aws-key",
+        "SecretKey": "your-aws-secret-key",
+        "Token": "optional-sts-token",
+        "DelegationSet" : "optional-delegation-set-id"
+    }
 }
 {% endhighlight %}
 
@@ -29,17 +29,17 @@ $ export AWS_SESSION_TOKEN=ZZZZZZZZ
 
 {% highlight json %}
 {
- "r53_main":{
-      "KeyId": "$AWS_ACCESS_KEY_ID",
-      "SecretKey": "$AWS_SECRET_ACCESS_KEY"
- }
+    "r53_main": {
+        "KeyId": "$AWS_ACCESS_KEY_ID",
+        "SecretKey": "$AWS_SECRET_ACCESS_KEY"
+    }
 }
 {% endhighlight %}
 
 Alternatively if you want to used [named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) you need to export the following variables
 
 ```
-$ export AWS_SDK_LOAD_CONFIG=1 
+$ export AWS_SDK_LOAD_CONFIG=1
 $ export AWS_PROFILE=ZZZZZZZZ
 ```
 
@@ -52,22 +52,46 @@ This provider does not recognize any special metadata fields unique to route 53.
 Example Javascript:
 
 {% highlight js %}
-var REG_NONE = NewRegistrar('none','NONE');
+var REG_NONE = NewRegistrar('none', 'NONE');
 var R53 = NewDnsProvider('r53_main', 'ROUTE53');
 
 D('example.tld', REG_NONE, DnsProvider(R53),
     A('test','1.2.3.4')
 );
-{%endhighlight%}
+{% endhighlight %}
 
 ## Activation
-DNSControl depends on a standard [AWS access key](https://aws.amazon.com/developers/access-keys/) with permission to list, create and update hosted zones.
+DNSControl depends on a standard [AWS access key](https://aws.amazon.com/developers/access-keys/) with permission to list, create and update hosted zones. If you do not have the permissions required you will receive the following error message `Check your credentials, your not authorized to perform actions on Route 53 AWS Service`.
+
+You can apply the `AmazonRoute53FullAccess` policy however this includes access to many other areas of AWS. The minimum permissions required are as follows:
+
+{% highlight json %}
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "route53:CreateHostedZone",
+                "route53:GetHostedZone",
+                "route53:ListHostedZones",
+                "route53:ChangeResourceRecordSets",
+                "route53:ListResourceRecordSets",
+                "route53:UpdateHostedZoneComment"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+{% endhighlight %}
+
+If Route53 is also your registrar, you will need `route53domains:UpdateDomainNameservers` and `route53domains:GetDomainDetail` as well and possibly others.
 
 ## New domains
 If a domain does not exist in your Route53 account, DNSControl will *not* automatically add it with the `push` command. You can do that either manually via the control panel, or via the command `dnscontrol create-domains` command.
 
 ## Delegation Sets
-Creation of new delegation sets are not supported by this code.  However, if you have a delegation set already created, ala:
+Creation of new delegation sets are not supported by this code. However, if you have a delegation set already created, ala:
 
 ```
 $ aws route53 create-reusable-delegation-set --caller-reference "foo"
@@ -89,7 +113,7 @@ $ aws route53 create-reusable-delegation-set --caller-reference "foo"
 You can then reference the DelegationSet.Id in your `r53_main` block (with your other credentials) to have all created domains placed in that
 delegation set.  Note that you you only want the portion of the `Id` after the `/delegationset/` (the `12312312123` in the example above).
 
-> Delegation sets only apply during `create-domains` at the moment.  Further work needs to be done to have them apply during `push`.
+> Delegation sets only apply during `create-domains` at the moment. Further work needs to be done to have them apply during `push`.
 
 ## Caveats
 This code may not function properly if a domain has R53 as a Registrar
@@ -105,7 +129,7 @@ Error getting corrections: AccessDeniedException: User: arn:aws:iam::86839973084
 Done. 1 corrections.
 ```
 
-If this happens to you, we'd appreciate it if you could help us fix the code.  In the meanwhile, you can give the account additional IAM permissions so that it can do DNS-related actions, or simply use `NewRegistrar(..., 'NONE')` for now.
+If this happens to you, we'd appreciate it if you could help us fix the code. In the meanwhile, you can give the account additional IAM permissions so that it can do DNS-related actions, or simply use `NewRegistrar(..., 'NONE')` for now.
 
 ## Error messages
 
@@ -117,7 +141,7 @@ Creating r53 dns provider: NoCredentialProviders: no valid providers in chain. D
 	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
 ```
 
-This means that the creds.json entry isn't found. Either there is no entry, or the entry name doesn't match the first parameter in the `NewDnsProvider()` call.  In the above example, note
+This means that the creds.json entry isn't found. Either there is no entry, or the entry name doesn't match the first parameter in the `NewDnsProvider()` call. In the above example, note
 that the string `r53_main` is specified in `NewDnsProvider('r53_main', 'ROUTE53')` and that is the exact key used in the creds file above.
 
 ### Invalid KeyId
@@ -139,3 +163,13 @@ Creating r53_main dns provider: SignatureDoesNotMatch: The request signature we
 ```
 
 This means the SecretKey is incorrect. It may be a quoting issue.
+
+### Incomplete Signature
+
+```
+$  ./dnscontrol preview
+IncompleteSignature: 'ABCDEFGHIJKLMNOPQRST/20200118/us-east-1/route53/aws4_request' not a valid key=value pair (missing equal-sign) in Authorization header: 'AWS4-HMAC-SHA256 Credential= ABCDEFGHIJKLMNOPQRST/20200118/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature=571c0b13205669a338f0fb9f351dc03c7016c8737c738081bc885c68378ad877'.
+        status code: 403, request id: 12a34b5c-d678-9e01-f2gh-3456i7jk89lm
+```
+
+This means a space is present in one or more of the credential values.