From 1c8e25bc793e0c44dde4f059753d7d5295b04d8f Mon Sep 17 00:00:00 2001
From: Alessandro Ogier <alessandro.ogier@gmail.com>
Date: Mon, 17 Feb 2025 15:41:42 +0100
Subject: [PATCH] acme/dns01/route53: document stricter IAM policy

Signed-off-by: Alessandro Ogier <alessandro.ogier@gmail.com>
---
 content/docs/configuration/acme/dns01/route53.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/content/docs/configuration/acme/dns01/route53.md b/content/docs/configuration/acme/dns01/route53.md
index 6815dcf0ab..0bd2d79c18 100644
--- a/content/docs/configuration/acme/dns01/route53.md
+++ b/content/docs/configuration/acme/dns01/route53.md
@@ -35,7 +35,12 @@ permissions:
         "route53:ChangeResourceRecordSets",
         "route53:ListResourceRecordSets"
       ],
-      "Resource": "arn:aws:route53:::hostedzone/*"
+      "Resource": "arn:aws:route53:::hostedzone/*",
+      "Condition": {
+        "ForAllValues:StringEquals": {
+          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
+        }
+      }
     },
     {
       "Effect": "Allow",