Access Control

Google Cloud Platform offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. This page describes the Cloud DNS API roles. For a detailed description of Cloud IAM, read the IAM documentation.

IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM lets you control who has what permissions to which resources by setting IAM policies. IAM policies grant specific roles to a user, giving the user certain permissions. For example, a particular user might need to create and modify DNS record resources. So, you would give that user (who) the /roles/dns.admin role, which has the dns.changes.create and dns.resourceRecordSets.create permissions (what), so they can create and update resource record sets (which). On the other hand, a support department may only need to view existing resource records sets, so they would get a /roles/dns.reader role.

Permissions and Roles

Every Cloud DNS API method requires the caller to have the necessary IAM permissions. Permissions are assigned by granting roles to a user, group, or service account. In addition to the primitive roles owner, editor, and viewer, you can grant Cloud DNS API roles to the users of your project.

Permissions

The following table lists the permissions that the caller must have to call each method:

Method Required Permission(s)
dns.changes.create for creating a resource record set dns.changes.create and dns.resourceRecordSets.create on the project containing the record set
dns.changes.create for updating a resource record set dns.changes.create and dns.resourceRecordSets.update on the project containing the record set
dns.changes.create for deleting a resource record set dns.changes.create and dns.resourceRecordSets.delete on the project containing the record set
dns.changes.get dns.changes.get for the project containing the managed zone
dns.changes.list dns.changes.list for the project containing the managed zone
dns.dnsKeys.get dns.dnsKeys.get for the project containing the managed zone
dns.dnsKeys.list dns.dnsKeys.list for the project containing the managed zone
dns.managedZoneOperations.get dns.managedZoneOperations.get for the project containing the managed zone
dns.managedZoneOperations.list dns.managedZoneOperations.list for the project containing the managed zone
dns.managedZones.create dns.managedZones.create for the project containing the managed zone. If creating a private zone, you also need dns.networks.bindPrivateDNSZone and dns.networks.targetWithPeeringZone for each project containing each VPC network that you authorize to access the zone.
dns.managedZones.delete dns.managedZones.delete for the project containing the managed zone
dns.managedZones.get dns.managedZones.getfor the project containing the managed zone
dns.managedZones.list dns.managedZones.list for the project containing the managed zone
dns.managedZones.update dns.managedZones.update for the project containing the managed zone. If creating a private zone, you also need dns.networks.bindPrivateDNSZone and dns.networks.targetWithPeeringZone for each project containing each VPC network that you authorize to access the zone.
dns.policies.create dns.policies.create for the project containing the policy. If the policy is created on a VPC network, you also need dns.networks.bindPrivateDNSPolicy for each project containing each VPC network.
dns.policies.delete dns.policies.delete for the project containing the policy
dns.policies.get dns.policies.getfor the project containing the policy
dns.policies.list dns.policies.list for the project containing the policy
dns.policies.update dns.policies.update for the project containing the policy. If the policy is updated to be on a VPC network, you also need dns.networks.bindPrivateDNSPolicy for each project containing each VPC network.
dns.policies.patch dns.policies.patch for the project containing the policy
dns.projects.get dns.projects.get for the project
dns.resourceRecordSets.list dns.resourceRecordSets.list for the project containing the managed zone

Roles

The following table lists the Cloud DNS API IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

DNS changes can also be made using primitive roles.

Access Control via the Cloud Console

You can use the Cloud Console to manage access control for your topics and projects.

To set access controls at the project level:

  1. Open the IAM page in the Google Cloud Console.
  2. Select your project from the top pull-down menu.
  3. Click Add.
  4. Enter the email address of a new member.
  5. Select the desired role from the drop-down menu.
  6. Click Add.
  7. Verify that the member is listed with the role that you granted.

Next steps

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud DNS Documentation