diff --git a/bitbucket-pipelines.yml b/bitbucket-pipelines.yml
index 3542823..4cfe028 100644
--- a/bitbucket-pipelines.yml
+++ b/bitbucket-pipelines.yml
@@ -72,4 +72,9 @@ pipelines:
 variables:
 KUBE_CONFIG: $KUBE_CONFIG
 KUBECTL_COMMAND: 'apply'
- RESOURCE_PATH: 'k8s/linode-autoscaler/'
\ No newline at end of file
+ RESOURCE_PATH: 'k8s/linode-autoscaler/'
+ - pipe: atlassian/kubectl-run:1.1.2
+ variables:
+ KUBE_CONFIG: $KUBE_CONFIG
+ KUBECTL_COMMAND: 'apply'
+ RESOURCE_PATH: 'k8s/external-dns/'
\ No newline at end of file
diff --git a/k8s/external-dns/credentials.yaml b/k8s/external-dns/credentials.yaml
deleted file mode 100644
index e605e2e..0000000
--- a/k8s/external-dns/credentials.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-provider: aws
-aws:
- secretKey: lj85CIIik/83V980VKEPfqlOWtutEM3s7bSqMZNH
- accessKey: AKIA2SXEHOQFBQRGCSST
\ No newline at end of file
diff --git a/k8s/external-dns/deployment.yaml b/k8s/external-dns/deployment.yaml
index 72d7584..3eafe33 100644
--- a/k8s/external-dns/deployment.yaml
+++ b/k8s/external-dns/deployment.yaml
@@ -1,3 +1,36 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: external-dns
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: external-dns
+rules:
+- apiGroups: [""]
+ resources: ["services","endpoints","pods"]
+ verbs: ["get","watch","list"]
+- apiGroups: ["extensions","networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get","watch","list"]
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["list","watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: external-dns-viewer
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: external-dns
+subjects:
+- kind: ServiceAccount
+ name: external-dns
+ namespace: default
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
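Review bot: The new `atlassian/kubectl-run` step applies everything under `k8s/external-dns/`, and that directory now carries cluster-scoped objects (the ClusterRole and ClusterRoleBinding added in the deployment.yaml hunk further down), so the kubeconfig passed as `$KUBE_CONFIG` must be allowed to create those; a one-line comment above the step, e.g. `# external-dns manifests include a ClusterRole/ClusterRoleBinding; $KUBE_CONFIG needs cluster-scoped RBAC rights`, would stop a later reader from assuming the step is namespace-scoped. The step also repeats the `KUBE_CONFIG`/`KUBECTL_COMMAND` pair of the linode-autoscaler step verbatim, which is acceptable for two steps but worth a shared variables block if more are added. The enclosing `pipelines:` block starts outside the hunk.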
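Review bot: The ServiceAccount added at the top of deployment.yaml has no `metadata.namespace`, while the ClusterRoleBinding subject hard-codes `namespace: default`; if the pipeline's kubeconfig context targets any other namespace, the account is created there and the binding silently matches nothing, so external-dns starts with no API access. Adding `namespace: default` under the ServiceAccount's `metadata:` (and to the Deployment, whose `metadata:` is cut off at the end of the hunk) pins both to the same namespace explicitly. Minor style point: the flow lists are written without a space after the comma (`["get","watch","list"]`); `["get", "watch", "list"]` matches the usual formatting. The `extensions` API group listed for ingresses is the legacy one and can be dropped once the cluster only serves `networking.k8s.io`.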
@@ -12,20 +45,24 @@ spec:
 metadata:
 labels:
 app: external-dns
- # If you're using kiam or kube2iam, specify the following annotation.
- # Otherwise, you may safely omit it.
- annotations:
- iam.amazonaws.com/role: arn:aws:iam::ACCOUNT-ID:role/IAM-SERVICE-ROLE-NAME
 spec:
+ serviceAccountName: external-dns
 containers:
 - name: external-dns
 image: k8s.gcr.io/external-dns/external-dns:v0.7.6
+ env:
+ - name: AWS_ACCESS_KEY_ID
+ value: "AKIA2SXEHOQFBQRGCSST"
+ - name: AWS_SECRET_ACCESS_KEY
+ value: "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"
 args:
- - --source=service
 - --source=ingress
- - --domain-filter=external-dns-test.my-org.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
+ - --source=service
+ - --domain-filter=video.jamkazam.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
 - --provider=aws
 - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
 - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
 - --registry=txt
- - --txt-owner-id=my-hostedzone-identifier
\ No newline at end of file
+ - --txt-owner-id=my-hostedzone-identifier
+ securityContext:
+ fsGroup: 65534
\ No newline at end of file
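Review bot: The `env:` block added under the container puts a live AWS access key ID and secret access key into the Deployment as plain `value:` strings, and it is the same pair that the deleted `k8s/external-dns/credentials.yaml` held; moving the values between files does not remove them from the repository, both the old file and this manifest stay in git history, so the key pair should be treated as exposed and rotated in IAM regardless of how the manifest is fixed. Inside the cluster the plain values are also readable by anyone who can `get` the Deployment or pod spec, a far wider audience than a Secret has. Reference a Kubernetes Secret through `valueFrom.secretKeyRef` (created out of band and never committed), or restore the kiam/kube2iam role annotation this hunk removes so the pod obtains credentials from the IAM role; the rewrite below shows the Secret form. The `--txt-owner-id=my-hostedzone-identifier` argument is still the upstream example placeholder that external-dns uses to mark the registry records it owns, so it should be set to a value unique to this cluster. The pod template's `spec:` continues past the end of the hunk.
```yaml
      - name: external-dns
        image: k8s.gcr.io/external-dns/external-dns:v0.7.6
        env:
          - name: AWS_ACCESS_KEY_ID
            valueFrom:
              secretKeyRef:
                name: external-dns-aws  # constructed name; create the Secret out of band, do not commit it
                key: access-key-id
          - name: AWS_SECRET_ACCESS_KEY
            valueFrom:
              secretKeyRef:
                name: external-dns-aws
                key: secret-access-key
        # … unchanged: args, securityContext …
```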