caddy-dns / route53

Caddy module: dns.providers.route53
MIT License

Documentation: IAM roles required #31

Closed yaakovfeldman closed 3 weeks ago

yaakovfeldman commented 1 year ago

The documentation should probably mention the minimum IAM roles needed for route53 for this to work. The following worked for me (single hosted zone, wildcard subdomains) although it could surely be improved with e.g. conditional matching policies.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/ZZZZZZZZ"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "route53:ListHostedZonesByName",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "route53:ListResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/ZZZZZZZZ"
        }
    ]
}

(Replace ZZZZZZZZ with your zone id)

Filyus commented 1 year ago

Here is the minimal IAM policy required: https://github.com/libdns/route53

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "route53:ListResourceRecordSets",
                "route53:GetChange",
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/Zone_Id",
                "arn:aws:route53:::change/*"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZonesByName",
                "route53:ListHostedZones"
            ],
            "Resource": "*"
        }
    ]
}

As you can see, there is the additional route53:GetChange access and the arn:aws:route53:::change/* resource.

This is used when the non-documented wait_for_propagation option is set:

// Provider implements the libdns interfaces for Route53
type Provider struct {
  MaxRetries         int           `json:"max_retries,omitempty"`
  MaxWaitDur         time.Duration `json:"max_wait_dur,omitempty"`
  WaitForPropagation bool          `json:"wait_for_propagation,omitempty"`
  Region             string        `json:"region,omitempty"`
  AWSProfile         string        `json:"aws_profile,omitempty"`
  AccessKeyId        string        `json:"access_key_id,omitempty"`
  SecretAccessKey    string        `json:"secret_access_key,omitempty"`
  Token              string        `json:"token,omitempty"`
  client             *r53.Client
}

// Excerpt from the method that submits a change batch; changeResult is the
// ChangeResourceRecordSets response, whose ChangeInfo.Id is passed to GetChange.
// Waiting for propagation if it's set in the provider config.
if p.WaitForPropagation {
  changeInput := &r53.GetChangeInput{
    Id: changeResult.ChangeInfo.Id,
  }

  // Wait for the RecordSetChange status to be "INSYNC"
  waiter := r53.NewResourceRecordSetsChangedWaiter(p.client)
  err = waiter.Wait(ctx, changeInput, p.MaxWaitDur)
  if err != nil {
    return err
  }
}

Route53 API / GetChange

Returns the current status of a change batch request. The status is one of the following values:
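The two policies in this thread differ only in the GetChange grant, and the first comment notes that conditional matching could tighten the policy further. The following is an added example, not code from the caddy-dns/route53 or libdns/route53 projects: a small linter that checks an IAM policy document against the actions both posted policies grant (plus GetChange when wait_for_propagation is set) and flags zone-scoped actions that are granted on `*` instead of the hosted zone. It also builds a tightened variant using AWS's `route53:ChangeResourceRecordSetsRecordTypes`, `route53:ChangeResourceRecordSetsActions` and `route53:ChangeResourceRecordSetsNormalizedRecordNames` condition keys. The zone id `ZZZZZZZZ` is the thread's placeholder, and the assumption that Caddy's DNS-01 challenge only writes TXT records named `_acme-challenge.*` is mine, not something the thread states.

```python
"""Lint an IAM policy document against the Route53 permissions the provider uses.

Constructed example for this thread: the required-action sets come from the two
posted policies; TIGHTENED_POLICY uses real Route 53 IAM condition keys, but the
assumption that only TXT records at _acme-challenge.* are ever written is ours.
"""
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Optional

ZONE_ARN = "arn:aws:route53:::hostedzone/ZZZZZZZZ"  # placeholder zone id from the thread
CHANGE_ARN = "arn:aws:route53:::change/*"

# Actions common to both posted policies (the libdns README additionally lists ListHostedZones).
ZONE_SCOPED = ("route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets")
ACCOUNT_WIDE = ("route53:ListHostedZonesByName",)
# Only needed when wait_for_propagation is set (GetChange on the change/* resource).
PROPAGATION = ("route53:GetChange",)


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def allow(actions: List[str], resources: List[str], condition: Optional[Dict] = None) -> Dict:
    """Build one Allow statement (helper for the sample policies below)."""
    stmt: Dict[str, Any] = {"Effect": "Allow", "Action": actions, "Resource": resources}
    if condition:
        stmt["Condition"] = condition
    return stmt


def resources_for(policy: Dict, action: str) -> List[str]:
    """Resources on which `action` is allowed; action wildcards such as route53:* match.

    Deny statements and Condition blocks are not evaluated here: the linter only
    reasons about what the Allow grants could reach at most.
    """
    out: List[str] = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", []))):
            out.extend(_as_list(stmt.get("Resource", [])))
    return out


def check_policy(policy: Dict, zone_arn: str, wait_for_propagation: bool = False) -> List[str]:
    """Return findings: missing permissions, and zone-scoped grants wider than the zone."""
    needed: Dict[str, str] = {a: zone_arn for a in ZONE_SCOPED}
    needed.update({a: "*" for a in ACCOUNT_WIDE})
    if wait_for_propagation:
        needed.update({a: CHANGE_ARN for a in PROPAGATION})

    findings: List[str] = []
    for action, want in needed.items():
        # A resource pattern covers the wanted ARN if it matches it (IAM-style * and ? wildcards).
        covered = [r for r in resources_for(policy, action) if fnmatchcase(want, r)]
        if not covered:
            findings.append(f"missing: {action} on {want}")
        elif want != "*" and any(r != want for r in covered):
            findings.append(f"too broad: {action} allowed on {covered} instead of {want}")
    return findings


# Policy from the first comment (works when wait_for_propagation is off).
REPORTER_POLICY = {"Version": "2012-10-17", "Statement": [
    allow(["route53:ChangeResourceRecordSets"], [ZONE_ARN]),
    allow(["route53:ListHostedZonesByName"], ["*"]),
    allow(["route53:ListResourceRecordSets"], [ZONE_ARN]),
]}

# Policy from the libdns/route53 README as quoted in the second comment.
LIBDNS_POLICY = {"Version": "2012-10-17", "Statement": [
    allow(["route53:ListResourceRecordSets", "route53:GetChange",
           "route53:ChangeResourceRecordSets"], [ZONE_ARN, CHANGE_ARN]),
    allow(["route53:ListHostedZonesByName", "route53:ListHostedZones"], ["*"]),
]}

# Tightened variant: same actions, but record writes limited by condition keys
# (assumption: the ACME DNS-01 challenge only creates/deletes TXT records at _acme-challenge.*).
TIGHTENED_POLICY = {"Version": "2012-10-17", "Statement": [
    allow(["route53:ChangeResourceRecordSets"], [ZONE_ARN], {
        "ForAllValues:StringEquals": {
            "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
            "route53:ChangeResourceRecordSetsActions": ["CREATE", "UPSERT", "DELETE"],
        },
        "ForAllValues:StringLike": {
            "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["_acme-challenge.*"],
        },
    }),
    allow(["route53:ListResourceRecordSets"], [ZONE_ARN]),
    allow(["route53:GetChange"], [CHANGE_ARN]),
    allow(["route53:ListHostedZonesByName", "route53:ListHostedZones"], ["*"]),
]}

# The "just make it work" policy: every Route53 action on every zone in the account.
WIDE_POLICY = {"Version": "2012-10-17", "Statement": [allow(["route53:*"], ["*"])]}

if __name__ == "__main__":
    for name, pol in [("reporter", REPORTER_POLICY), ("libdns", LIBDNS_POLICY),
                      ("tightened", TIGHTENED_POLICY), ("wide", WIDE_POLICY)]:
        print(name, check_policy(pol, ZONE_ARN, wait_for_propagation=True) or "ok")
```

Run it against a policy pulled with `aws iam get-policy-version` to see whether enabling wait_for_propagation will start failing on GetChange, and whether the credentials Caddy holds can write to zones beyond the one it should manage. The checker deliberately ignores Condition blocks, so a policy passing it is only as tight as its conditions actually make it.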