How can I give a user permissions to a Route 53 hosted domain by the command line?


I am not sure if IAM allows for delegation of access to specific zone files within Route53 or not. If it were, I imagine it would boil down to these steps:

  • Set up IAM for your account. You may want to set up an "AWS Account Alias" address where your IAM users can log into the parent account.
  • Create an IAM group for each permissions-set. So for users you want to delegate control of the company1.com zone you could create a "Company1Admins" group. That way if you need to grant access to more people the permissions will be all set and you can just add them to the group.
  • Now the trickier part as you create the group: you need to write or edit a permissions policy for each group. You can probably just start by selecting a template (perhaps the "Amazon Route 53 Full Access" template) and then editing it from there. See the code below for details on the policy.
  • Create a user account(s) for those to which you are delegating rights. IAM lets you add specific permissions to users, or to add them to groups with specific permissions. You can assign a password for each user. Additionally, when you create a user you'll be given their access keys (the key ID and the secret key they will need for command-line access) and you can require them to use 2-factor authentication if you like.
  • Once your group is created, and your user account is created, simply add your user as a member of the group.
  • TEST!!!

About the policy

Here is the default "full admin" template for Route53 permissions within IAM:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancers"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

You'll see here that IAM is granting permissions to two things in this policy -- Route53 and ELBs. ELBs are needed by some Route53 users if they are pointing a zone apex as an alias to an ELB address (see http://aws.amazon.com/route53/faqs/#Zone_apex). I would suggest you leave that part unless you know your user will not need that and if it tests fine. This policy only allows the user to list the ELBs and not control them, so it seems the worst risk is that they point their domain to one of your ELBs, which you may at some point want or need.

The * in the allowed actions for Route53 will let your user create, edit, or delete record sets within the zone file that you grant them permissions to.

So the only part that needs editing is the * within the "Resource": ["*"] directive. You'll need to hop over into the AWS dashboard's Route53 panel and look up the "Hosted Zone ID" for the domain you want to delegate, something like ZNMGKD5JKTWVZ (what appears to be a 13- or 14-character string; I just reviewed several zones in my account and some are 13 chars long and some are 14), and then either paste that in place of the *, or perhaps just give the first 12/13 or 13/14 characters of the string and put a * as the last character, or simply test with the entire string and no * at all.

So your policy would end up looking something like this:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:*"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/Z5SL2DJKUDXFAK"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancers"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

However, looking back on your question, you ask how to do this from the CLI. I'm not sure whether you mean performing all the delegation from the CLI or having the user do their DNS work from the CLI. If it's the former, you can control IAM through its API, including specifying the security policy for the group you create.

Here is the IAM tool for the API: http://aws.amazon.com/developertools/AWS-Identity-and-Access-Management/4143

Here are the many calls you can make to that API: http://aws.amazon.com/iam/#detailed_description

Here is a pile of other IAM resources: http://aws.amazon.com/iam/#resources

If the IAM policy needs tweaking, this might be very useful: http://awspolicygen.s3.amazonaws.com/policygen.html

If I get some free time I may try testing this myself and see if it's all clear. I've seen other services where IAM thought it was delegating properly but some user permissions still didn't work perfectly. I'll be interested to see if this is the case in Route53 or not.

Good luck!

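As an added example (not code from the answer, from AWS, or from the question's author), here is a Python helper that builds the delegation policy the answer sketches, using the `arn:aws:route53:::hostedzone/ZONEID` resource form given in Mike's comment. It also adds the two statements that `route53:*` on a single zone ARN silently leaves out: `route53:ListHostedZones` accepts no zone ARN and `route53:GetChange` takes a change ID that is not known in advance, so without a `*` resource for those the delegated user cannot list zones or poll change status. The zone IDs are the answer's own examples; `is_allowed` is a deliberately simplified Allow-only matcher for checking the generated document, not IAM's real evaluator.

```python
"""Build a least-privilege IAM policy that delegates specific Route 53 hosted zones."""
import json
from fnmatch import fnmatchcase

# Route 53 actions that honour a hosted-zone resource ARN.
ZONE_ACTIONS = [
    "route53:GetHostedZone",
    "route53:ListResourceRecordSets",
    "route53:ChangeResourceRecordSets",
]
# Actions that cannot be scoped to a zone: ListHostedZones has no resource ARN,
# GetChange is keyed by a change ID the user only learns after the change.
GLOBAL_ACTIONS = ["route53:ListHostedZones", "route53:GetChange"]


def zone_arn(zone_id: str) -> str:
    """Turn a hosted zone id into its ARN; accepts the '/hostedzone/Z...' form the API returns."""
    zone_id = zone_id.strip().rsplit("/", 1)[-1]
    if not zone_id.startswith("Z") or not zone_id.isalnum():
        raise ValueError(f"not a hosted zone id: {zone_id!r}")
    return f"arn:aws:route53:::hostedzone/{zone_id}"


def build_policy(zone_ids, allow_elb_lookup=True):
    """Allow record-set management only in the listed zones, plus the unscoped helpers."""
    statements = [
        {"Sid": "ManageDelegatedZones", "Effect": "Allow",
         "Action": ZONE_ACTIONS, "Resource": [zone_arn(z) for z in zone_ids]},
        {"Sid": "ListZonesAndPollChanges", "Effect": "Allow",
         "Action": GLOBAL_ACTIONS, "Resource": "*"},
    ]
    if allow_elb_lookup:  # needed only for alias records pointing at an ELB
        statements.append({"Sid": "ResolveElbAliasTargets", "Effect": "Allow",
                           "Action": ["elasticloadbalancing:DescribeLoadBalancers"],
                           "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def is_allowed(policy, action: str, resource: str) -> bool:
    """Simplified Allow-only check (no Deny, no Condition): any statement matching both wins."""
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(fnmatchcase(action, a) for a in acts) and any(fnmatchcase(resource, r) for r in res):
            return True
    return False


if __name__ == "__main__":
    # Zone ids taken from the answer above; the second is in the API's prefixed form.
    print(json.dumps(build_policy(["Z5SL2DJKUDXFAK", "/hostedzone/ZNMGKD5JKTWVZ"]), indent=2))
```

Save the printed JSON to a file and attach it to the group with `aws iam put-group-policy --group-name Company1Admins --policy-name route53-company1 --policy-document file://policy.json` (the policy name is arbitrary).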


Author: Juanjo Daza

Updated on September 18, 2022

Comments

  • Juanjo Daza, over 1 year ago

    I'm using Amazon Route 53 to host several domains, and I need to grant permission to several of those domains to several users.

    How can I do this process from the command line?

  • Mike, almost 9 years ago

    It does allow for selecting certain zones: arn:aws:route53:::hostedzone/ZONEID_HERE