external-dns: aws duplicate zones

In AWS you can create a private DNS zone that has the same domain name as a public zone. So in my case I might have

Public

  • mysite.com

And I may have multiple VPCs that each have a private zone of the same name.

Private

  • mysite.com -> private to VPC-A
  • mysite.com -> private to VPC-B

If I give external-dns that's running in VPC-A access only to the public mysite.com and the private mysite.com in VPC-A, and use domain-filter=mysite.com, it attempts to list the hosted zones and calls route53:ListResourceRecordSets, but once it encounters VPC-B's mysite.com it responds with an error and no longer processes the other zones that it can actually reach.

time="2017-06-07T19:01:25Z" level=error msg="AccessDenied: User: arn:aws:sts::ACCCOUNT:assumed-role/sstarcher-worker-dns-role/cb6a49a4-sstarcher-worker-dns-role is not authorized to perform: route53:ListResourceRecordSets on resource: arn:aws:route53:::hostedzone/XXXXXXX
	status code: 403, request id: b4485da9-4bb3-11e7-84b0-XXXXXXX"

It would be helpful in this case if it ignored the zone it does not have access to, but continued on to the other zones. Currently the only workaround I know of is to give it access to all of my zones, but someone with access to the cluster could create DNS entries in zones that they should not be using.

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 1
  • Comments: 16 (9 by maintainers)

Most upvoted comments

What about tags discovery? Then we specify a tag to filter hosted zones by.

From a deployment perspective of external-dns, having the user supply hosted IDs is fairly painful and is best avoided.