Roles and permissions

Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Cloud DNS API roles. For a detailed description of IAM, see the Identity and Access Management documentation.

IAM lets you adopt the security principle of least privilege so that you grant only the necessary access to your resources.

IAM lets you control who has what permissions to which resources by setting IAM policies. IAM policies grant specific roles to a user, giving the user certain permissions. For example, a particular user might need to create and modify Domain Name System (DNS) record resources. You would then give that user (who) the /roles/dns.admin role, which has the dns.changes.create and dns.resourceRecordSets.create permissions (what) so that they can create and update resource record sets (which). On the other hand, a support department may only need to view existing resource record sets, so they would get a /roles/dns.reader role.

Cloud DNS supports IAM permissions at the project level and individual DNS zone level (available in Preview). The default permission is at the project level. To configure permissions at the individual DNS zone (or resource) level, see Create a zone with specific IAM permissions.

Permissions and roles

Every Cloud DNS API method requires the caller to have the necessary IAM permissions. Permissions are assigned by granting roles to a user, group, or service account. In addition to the basic roles Owner, Editor, and Viewer, you can grant Cloud DNS API roles to the users of your project.

Permissions

The following table lists the permissions that the caller must have to call each method.

Method Required permission(s)
dns.changes.create for creating a resource record set. dns.changes.create and dns.resourceRecordSets.create on the project containing the record set.
dns.changes.create for updating a resource record set. dns.changes.create and dns.resourceRecordSets.update on the project containing the record set.
dns.changes.create for deleting a resource record set. dns.changes.create and dns.resourceRecordSets.delete on the project containing the record set.
dns.changes.get dns.changes.get for the project containing the managed zone.
dns.changes.list dns.changes.list for the project containing the managed zone.
dns.dnsKeys.get dns.dnsKeys.get for the project containing the managed zone.
dns.dnsKeys.list dns.dnsKeys.list for the project containing the managed zone.
dns.managedZoneOperations.get dns.managedZoneOperations.get for the project containing the managed zone.
dns.managedZoneOperations.list dns.managedZoneOperations.list for the project containing the managed zone.
dns.managedZones.create dns.managedZones.create for the project containing the managed zone.

If creating a private zone, you also need dns.networks.bindPrivateDNSZone and dns.networks.targetWithPeeringZone for each project containing each VPC network that you authorize to access the zone.

If creating a private zone with GKE integration, you also need dns.gkeClusters.bindPrivateDNSZone for each GKE cluster that you authorize to access the zone.
dns.managedZones.delete dns.managedZones.delete for the project containing the managed zone.
dns.managedZones.get dns.managedZones.get for the project containing the managed zone.
dns.managedZones.list dns.managedZones.list for the project containing the managed zone.
dns.managedZones.update dns.managedZones.update for the project containing the managed zone.

If creating a private zone, you also need dns.networks.bindPrivateDNSZone and dns.networks.targetWithPeeringZone for each project containing each VPC network that you authorize to access the zone.

If binding a private zone with a GKE cluster, you also need dns.gkeClusters.bindPrivateDNSZone for each GKE cluster that you authorize to access the zone.
dns.policies.create dns.policies.create for the project containing the policy.

If the policy is created on a VPC network, you also need dns.networks.bindPrivateDNSPolicy for each project containing each VPC network.
dns.policies.delete dns.policies.delete for the project containing the policy.
dns.policies.get dns.policies.get for the project containing the policy.
dns.policies.list dns.policies.list for the project containing the policy.
dns.policies.update dns.policies.update for the project containing the policy.

If the policy is updated to be on a VPC network, you also need dns.networks.bindPrivateDNSPolicy for each project containing each VPC network.
dns.policies.update dns.policies.update for the project containing the policy.
dns.projects.get dns.projects.get for the project.
dns.resourceRecordSets.create dns.resourceRecordSets.create for the project containing the record set.
dns.resourceRecordSets.delete dns.resourceRecordSets.delete for the project containing the record set.
dns.resourceRecordSets.get dns.resourceRecordSets.get for the project containing the record set.
dns.resourceRecordSets.list dns.resourceRecordSets.list for the project containing the managed zone.
dns.resourceRecordSets.update dns.resourceRecordSets.update for the project containing the record set.
dns.responsePolicies.create dns.responsePolicies.create for the project containing the response policy.

You also need dns.networks.bindDNSResponsePolicy to validate the request.

If you want to create a response policy attached to a GKE cluster, you need dns.gkeClusters.bindDNSResponsePolicy.

dns.responsePolicies.delete dns.responsePolicies.delete for the project containing the response policy.
dns.responsePolicies.get dns.responsePolicies.get for the project containing the response policy.
dns.responsePolicies.list dns.responsePolicies.list for the project.
dns.responsePolicies.update dns.responsePolicies.update for the project containing the response policy.

You also need dns.networks.bindDNSResponsePolicy to validate the request.

If you want to create a response policy attached to a GKE cluster, you need dns.gkeClusters.bindDNSResponsePolicy.
dns.responsePolicyRules.create dns.responsePolicyRules.create for the project containing the response policy rule.
dns.responsePolicyRules.delete dns.responsePolicyRules.delete for the project containing the response policy rule.
dns.responsePolicyRules.get dns.responsePolicyRules.get for the project containing the response policy rule.
dns.responsePolicyRules.list dns.responsePolicyRules.list for the project containing the response policy.
dns.responsePolicyRules.update dns.responsePolicyRules.update for the project containing the response policy rule.

Roles

The following table lists the Cloud DNS API IAM roles with a corresponding list of all the permissions that each role includes. Every permission is applicable to a particular resource type.

You can also use basic roles to make DNS changes.

Role Permissions

(roles/dns.admin)

Provides read-write access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

  • Managed zone

compute.networks.get

compute.networks.list

dns.changes.*

  • dns.changes.create
  • dns.changes.get
  • dns.changes.list

dns.dnsKeys.*

  • dns.dnsKeys.get
  • dns.dnsKeys.list

dns.gkeClusters.*

  • dns.gkeClusters.bindDNSResponsePolicy
  • dns.gkeClusters.bindPrivateDNSZone

dns.managedZoneOperations.*

  • dns.managedZoneOperations.get
  • dns.managedZoneOperations.list

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.update

dns.networks.*

  • dns.networks.bindDNSResponsePolicy
  • dns.networks.bindPrivateDNSPolicy
  • dns.networks.bindPrivateDNSZone
  • dns.networks.targetWithPeeringZone
  • dns.networks.useHealthSignals

dns.policies.create

dns.policies.delete

dns.policies.get

dns.policies.getIamPolicy

dns.policies.list

dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

  • dns.resourceRecordSets.create
  • dns.resourceRecordSets.delete
  • dns.resourceRecordSets.get
  • dns.resourceRecordSets.list
  • dns.resourceRecordSets.update

dns.responsePolicies.*

  • dns.responsePolicies.create
  • dns.responsePolicies.delete
  • dns.responsePolicies.get
  • dns.responsePolicies.list
  • dns.responsePolicies.update

dns.responsePolicyRules.*

  • dns.responsePolicyRules.create
  • dns.responsePolicyRules.delete
  • dns.responsePolicyRules.get
  • dns.responsePolicyRules.list
  • dns.responsePolicyRules.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dns.peer)

Access to target networks with DNS peering zones

dns.networks.targetWithPeeringZone

(roles/dns.reader)

Provides read-only access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

  • Managed zone

compute.networks.get

dns.changes.get

dns.changes.list

dns.dnsKeys.*

  • dns.dnsKeys.get
  • dns.dnsKeys.list

dns.managedZoneOperations.*

  • dns.managedZoneOperations.get
  • dns.managedZoneOperations.list

dns.managedZones.get

dns.managedZones.list

dns.policies.get

dns.policies.list

dns.projects.get

dns.resourceRecordSets.get

dns.resourceRecordSets.list

dns.responsePolicies.get

dns.responsePolicies.list

dns.responsePolicyRules.get

dns.responsePolicyRules.list

resourcemanager.projects.get

resourcemanager.projects.list

Manage access control

You can use the Google Cloud console to manage access control for your topics and projects.

To set access controls at the project level, follow these steps.

Console

  1. In the Google Cloud console, go to the IAM page.

    Go to the IAM page

  2. Select your project from the top pull-down menu.

  3. Click Add.

  4. In New principals, enter the email address of a new principal.

  5. Select the desired role from the drop-down menu.

  6. Click Save.

  7. Verify that the principal is listed with the role that you granted.

What's next