Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Cloud DNS API roles. For a detailed description of IAM, see the Identity and Access Management documentation.
IAM lets you adopt the security principle of least privilege so that you grant only the necessary access to your resources.
IAM lets you control who has what permissions to which resources by setting IAM policies. An IAM policy grants specific roles to a principal, and each role carries a set of permissions. For example, a particular user might need to create and modify Domain Name System (DNS) record resources. You would then grant that user (who) the roles/dns.admin role, which includes the dns.changes.create and dns.resourceRecordSets.create permissions (what), so that they can create and update resource record sets (which). On the other hand, a support department may only need to view existing resource record sets, so they would get the roles/dns.reader role instead.
Cloud DNS supports IAM permissions at the project level and individual DNS zone level (available in Preview). The default permission is at the project level. To configure permissions at the individual DNS zone (or resource) level, see Create a zone with specific IAM permissions.
Permissions and roles
Every Cloud DNS API method requires the caller to have the necessary IAM permissions. Permissions are assigned by granting roles to a user, group, or service account. In addition to the basic roles Owner, Editor, and Viewer, you can grant Cloud DNS API roles to the users of your project.
Permissions
The following table lists the permissions that the caller must have to call each method.
Method | Required permission(s) |
---|---|
dns.changes.create (creating a resource record set) | dns.changes.create and dns.resourceRecordSets.create on the project containing the record set. |
dns.changes.create (updating a resource record set) | dns.changes.create and dns.resourceRecordSets.update on the project containing the record set. |
dns.changes.create (deleting a resource record set) | dns.changes.create and dns.resourceRecordSets.delete on the project containing the record set. |
dns.changes.get | dns.changes.get for the project containing the managed zone. |
dns.changes.list | dns.changes.list for the project containing the managed zone. |
dns.dnsKeys.get | dns.dnsKeys.get for the project containing the managed zone. |
dns.dnsKeys.list | dns.dnsKeys.list for the project containing the managed zone. |
dns.managedZoneOperations.get | dns.managedZoneOperations.get for the project containing the managed zone. |
dns.managedZoneOperations.list | dns.managedZoneOperations.list for the project containing the managed zone. |
dns.managedZones.create | dns.managedZones.create for the project containing the managed zone. If creating a private zone, you also need … If creating a private zone with GKE integration, you also need … |
dns.managedZones.delete | dns.managedZones.delete for the project containing the managed zone. |
dns.managedZones.get | dns.managedZones.get for the project containing the managed zone. |
dns.managedZones.list | dns.managedZones.list for the project containing the managed zone. |
dns.managedZones.update | dns.managedZones.update for the project containing the managed zone. If creating a private zone, you also need … If binding a private zone with a GKE cluster, you also need … |
dns.policies.create | dns.policies.create for the project containing the policy. If the policy is created on a VPC network, you also need … |
dns.policies.delete | dns.policies.delete for the project containing the policy. |
dns.policies.get | dns.policies.get for the project containing the policy. |
dns.policies.list | dns.policies.list for the project containing the policy. |
dns.policies.update | dns.policies.update for the project containing the policy. If the policy is updated to be on a VPC network, you also need … |
dns.projects.get | dns.projects.get for the project. |
dns.resourceRecordSets.create | dns.resourceRecordSets.create for the project containing the record set. |
dns.resourceRecordSets.delete | dns.resourceRecordSets.delete for the project containing the record set. |
dns.resourceRecordSets.get | dns.resourceRecordSets.get for the project containing the record set. |
dns.resourceRecordSets.list | dns.resourceRecordSets.list for the project containing the managed zone. |
dns.resourceRecordSets.update | dns.resourceRecordSets.update for the project containing the record set. |
dns.responsePolicies.create | dns.responsePolicies.create for the project containing the response policy. You also need … If you want to create a response policy attached to a GKE cluster, you need … |
dns.responsePolicies.delete | dns.responsePolicies.delete for the project containing the response policy. |
dns.responsePolicies.get | dns.responsePolicies.get for the project containing the response policy. |
dns.responsePolicies.list | dns.responsePolicies.list for the project. |
dns.responsePolicies.update | dns.responsePolicies.update for the project containing the response policy. You also need … If you want to create a response policy attached to a GKE cluster, you need … |
dns.responsePolicyRules.create | dns.responsePolicyRules.create for the project containing the response policy rule. |
dns.responsePolicyRules.delete | dns.responsePolicyRules.delete for the project containing the response policy rule. |
dns.responsePolicyRules.get | dns.responsePolicyRules.get for the project containing the response policy rule. |
dns.responsePolicyRules.list | dns.responsePolicyRules.list for the project containing the response policy. |
dns.responsePolicyRules.update | dns.responsePolicyRules.update for the project containing the response policy rule. |
Roles
The following table lists the Cloud DNS API IAM roles with a corresponding list of all the permissions that each role includes. Every permission is applicable to a particular resource type.
You can also use basic roles to make DNS changes.
Role | Permissions |
---|---|
DNS Administrator (roles/dns.admin). Provides read-write access to all Cloud DNS resources. Lowest-level resources where you can grant this role: | compute.networks.get, compute.networks.list, dns.changes.*, dns.dnsKeys.*, dns.gkeClusters.*, dns.managedZoneOperations.*, dns.managedZones.create, dns.managedZones.delete, dns.managedZones.get, dns.managedZones.getIamPolicy, dns.managedZones.list, dns.managedZones.update, dns.networks.*, dns.policies.create, dns.policies.delete, dns.policies.get, dns.policies.getIamPolicy, dns.policies.list, dns.policies.update, dns.projects.get, dns.resourceRecordSets.*, dns.responsePolicies.*, dns.responsePolicyRules.*, resourcemanager.projects.get, resourcemanager.projects.list |
DNS Peer (roles/dns.peer). Access to target networks with DNS peering zones. | dns. |
DNS Reader (roles/dns.reader). Provides read-only access to all Cloud DNS resources. Lowest-level resources where you can grant this role: | compute.networks.get, dns.changes.get, dns.changes.list, dns.dnsKeys.*, dns.managedZoneOperations.*, dns.managedZones.get, dns.managedZones.list, dns.policies.get, dns.policies.list, dns.projects.get, dns.resourceRecordSets.get, dns.resourceRecordSets.list, dns.responsePolicies.get, dns.responsePolicies.list, dns.responsePolicyRules.get, dns.responsePolicyRules.list, resourcemanager.projects.get, resourcemanager.projects.list |
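The two tables above are enough to answer the least-privilege question this page raises: for a given API call, which role is the narrowest one that still covers every required permission? The following Python is an added example, not Google's code: the method requirements and the role contents are transcribed from the tables on this page (a subset of the Permissions table), the `*` wildcard is expanded the way the Roles table uses it, and the helper functions (`missing_permissions`, `sufficient_roles`, `least_privileged_role`) are constructed for illustration.

```python
"""Least-privilege check for Cloud DNS API calls (added example, not Google's code)."""
from fnmatch import fnmatchcase

# Method -> permissions the caller must hold, transcribed from the Permissions table.
REQUIRED_PERMISSIONS = {
    "dns.changes.create (create record set)": {
        "dns.changes.create", "dns.resourceRecordSets.create"},
    "dns.changes.create (update record set)": {
        "dns.changes.create", "dns.resourceRecordSets.update"},
    "dns.changes.create (delete record set)": {
        "dns.changes.create", "dns.resourceRecordSets.delete"},
    "dns.managedZones.create": {"dns.managedZones.create"},
    "dns.managedZones.list": {"dns.managedZones.list"},
    "dns.resourceRecordSets.list": {"dns.resourceRecordSets.list"},
    "dns.dnsKeys.get": {"dns.dnsKeys.get"},
}

# Role -> permission patterns, transcribed from the Roles table. A trailing "*"
# is the wildcard the table uses: dns.changes.* covers dns.changes.create, .get, ...
ROLE_PERMISSIONS = {
    "roles/dns.admin": {
        "compute.networks.get", "compute.networks.list", "dns.changes.*",
        "dns.dnsKeys.*", "dns.gkeClusters.*", "dns.managedZoneOperations.*",
        "dns.managedZones.create", "dns.managedZones.delete",
        "dns.managedZones.get", "dns.managedZones.getIamPolicy",
        "dns.managedZones.list", "dns.managedZones.update", "dns.networks.*",
        "dns.policies.create", "dns.policies.delete", "dns.policies.get",
        "dns.policies.getIamPolicy", "dns.policies.list", "dns.policies.update",
        "dns.projects.get", "dns.resourceRecordSets.*", "dns.responsePolicies.*",
        "dns.responsePolicyRules.*", "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    },
    "roles/dns.reader": {
        "compute.networks.get", "dns.changes.get", "dns.changes.list",
        "dns.dnsKeys.*", "dns.managedZoneOperations.*", "dns.managedZones.get",
        "dns.managedZones.list", "dns.policies.get", "dns.policies.list",
        "dns.projects.get", "dns.resourceRecordSets.get",
        "dns.resourceRecordSets.list", "dns.responsePolicies.get",
        "dns.responsePolicies.list", "dns.responsePolicyRules.get",
        "dns.responsePolicyRules.list", "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    },
}


def role_grants(role, permission):
    """True if one of the role's patterns matches the permission (wildcards expanded)."""
    return any(fnmatchcase(permission, pattern) for pattern in ROLE_PERMISSIONS[role])


def missing_permissions(roles, method):
    """Permissions the method needs that none of the given roles provide (sorted)."""
    def held(permission):
        return any(role_grants(role, permission) for role in roles)
    return sorted(p for p in REQUIRED_PERMISSIONS[method] if not held(p))


def sufficient_roles(method):
    """Roles from the table that, granted on their own, are enough for the method."""
    return [role for role in ROLE_PERMISSIONS if not missing_permissions([role], method)]


def least_privileged_role(method):
    """Among the sufficient roles, the one with the fewest permission patterns, or None."""
    candidates = sufficient_roles(method)
    if not candidates:
        return None
    return min(candidates, key=lambda role: len(ROLE_PERMISSIONS[role]))


if __name__ == "__main__":
    for method in REQUIRED_PERMISSIONS:
        print(f"{method}: {least_privileged_role(method)}")
    print("reader lacks for record-set create:",
          missing_permissions(["roles/dns.reader"], "dns.changes.create (create record set)"))
```

Run as a script, the output shows that every read-only method resolves to roles/dns.reader while anything that creates a change resolves to roles/dns.admin, and `missing_permissions` names exactly the two permissions a reader is short of when they try to create a record set. The same check extends naturally to custom roles: add the role's permission list to `ROLE_PERMISSIONS` and the functions report whether it covers the method.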
Manage access control
You can use the Google Cloud console to manage access control for your projects and DNS zones.
To set access controls at the project level, follow these steps.
Console
1. In the Google Cloud console, go to the IAM page.
2. Select your project from the top pull-down menu.
3. Click Add.
4. In New principals, enter the email address of a new principal.
5. Select the desired role from the drop-down menu.
6. Click Save.
7. Verify that the principal is listed with the role that you granted.
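The Console steps above edit the project's IAM policy: add a principal to a role binding, save, then verify the binding is present. The same edit can be made against the policy document itself, which is how it is done when the change must be reviewed or applied from automation. The following Python is an added example, not Google's code: it operates on the `bindings`/`etag` document shape that `gcloud projects get-iam-policy` returns, `SAMPLE_POLICY` and the principals in it are constructed for this example, and the helper names (`grant_role`, `revoke_role`, `roles_of`, `members_with_role`) are assumptions.

```python
"""Edit a project IAM policy document the way the Console steps do (added example)."""
import copy

# Principal prefixes accepted in IAM policy bindings.
MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:")

# Constructed starting policy, standing in for the document fetched before editing.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwExampleEtag=",  # constructed; the real etag detects concurrent edits on save
    "bindings": [
        {"role": "roles/dns.admin", "members": ["user:dns-oncall@example.com"]},
    ],
}


def grant_role(policy, role, member):
    """Return a copy of policy with member added to role (Console steps 3 to 6). Idempotent."""
    if not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"principal must start with one of {MEMBER_PREFIXES}: {member!r}")
    updated = copy.deepcopy(policy)  # never mutate the fetched document in place
    for binding in updated.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


def revoke_role(policy, role, member):
    """Return a copy of policy with member removed from role; empty bindings are dropped."""
    updated = copy.deepcopy(policy)
    kept = []
    for binding in updated.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    updated["bindings"] = kept
    return updated


def roles_of(policy, member):
    """Roles bound to the principal (Console step 7: verify the grant took effect)."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b["members"])


def members_with_role(policy, role):
    """Every principal holding a role, for reviewing who has roles/dns.admin."""
    return sorted(m for b in policy.get("bindings", [])
                  if b["role"] == role for m in b["members"])


if __name__ == "__main__":
    policy = grant_role(SAMPLE_POLICY, "roles/dns.reader", "group:support@example.com")
    print("support group roles:", roles_of(policy, "group:support@example.com"))
    print("dns.admin holders:", members_with_role(policy, "roles/dns.admin"))
```

In practice the document comes from `gcloud projects get-iam-policy PROJECT_ID --format=json`, is edited as above, and goes back with `gcloud projects set-iam-policy PROJECT_ID policy.json`; `gcloud projects add-iam-policy-binding` performs the same single-binding edit in one step. Keeping the etag from the fetched document in the saved one is what prevents two operators from silently overwriting each other's changes.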
What's next
- To get started using Cloud DNS, see Quickstart: Set up DNS records for a domain name with Cloud DNS.
- To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshooting.