Access Control

Google Cloud Platform offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. This page describes the Google Cloud DNS API roles. For a detailed description of Cloud IAM, read the IAM documentation.

IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM lets you control who (users) has what (roles) permission to which resources by setting IAM policies. IAM policies grant specific role(s) to a user, giving the user certain permissions. For example, an administrator may need to create and modify DNS records, so would get a /roles/dns.admin role, whereas a support department may only need to view existing ones, so would get a /roles/dns.reader role.

Permissions and Roles

Every Google Cloud DNS API method requires the caller to have the necessary IAM permissions. Permissions are assigned by granting roles to a user, group, or service account. In addition to the primitive roles owner, editor, and viewer, you can grant Google Cloud DNS API roles to the users of your project.


The following table lists the permissions that the caller must have to call each method:

Method Required Permission(s)
dns.changes.create for creating a resource record set dns.changes.create and dns.resourceRecordSets.create on the requested record set
dns.changes.create for updating a resource record set dns.changes.create and dns.resourceRecordSets.update on the requested record set
dns.changes.create for deleting a resource record set dns.changes.create and dns.resourceRecordSets.delete on the requested record set
dns.changes.get dns.changes.get on the managed zone
dns.changes.list dns.changes.list on the managed zone
dns.managedZones.create dns.managedZones.create for the project
dns.managedZones.delete dns.managedZones.delete for the managed zone
dns.managedZones.get dns.managedZones.get for the managed zone
dns.managedZones.list dns.managedZones.list for the project
dns.projects.get dns.projects.get for the project
dns.resourceRecordSets.list dns.resourceRecordSets.list for the managed zone


The following table lists the Google Cloud DNS API IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

Role includes permission(s): for resource type:
/roles/dns.admin or /roles/owner* or /roles/editor* dns.changes.create
/roles/dns.reader or /roles/viewer* dns.changes.get

* /roles/owner, /roles/editor, and /roles/viewer roles include permissions for other Google Cloud Platform services as well. For more information see Primitive roles.

Access Control via the GCP Console

You can use the GCP Console to manage access control for your topics and projects.

To set access controls at the project level:

  1. Open the IAM page in the Google Cloud Platform Console.
  2. Select your project from the top pull-down menu.
  3. Click Add.
  4. Enter the email address of a new member.
  5. Select the desired role from the drop-down menu.
    • For an administrator role (/roles/dns.admin), select DNS > DNS Administrator.
    • For reader-only role (/roles/dns.reader), select DNS > DNS Reader.
  6. Click Add.
  7. Verify that the member is listed with the role that you granted.

Next steps

Was this page helpful? Let us know how we did:

Send feedback about...