Google Cloud Platform offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. This page describes the Cloud DNS API roles. For a detailed description of Cloud IAM, read the IAM documentation.
IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
IAM lets you control who has what permissions to which resources by setting IAM policies. IAM policies grant specific roles to a user, giving the user certain permissions. For example, a particular user might need to create and modify DNS record resources. So, you would give that user (who) the role, which has the dns.resourceRecordSets.create permission (what), so they can create and update resource record sets (which). On the other hand, a support department may only need to view existing resource record sets, so they would get a
Permissions and Roles
Every Cloud DNS API method requires the caller to have the necessary IAM permissions. Permissions are assigned by granting roles to a user, group, or service account. In addition to the primitive roles owner, editor, and viewer, you can grant Cloud DNS API roles to the users of your project.
The following table lists the permissions that the caller must have to call each method:
| Operation | Required permission |
|---|---|
| Creating a resource record set | dns.changes.create |
| Updating a resource record set | dns.changes.create |
| Deleting a resource record set | dns.changes.create |
The following table lists the Cloud DNS API IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.
DNS changes can also be made using primitive roles.
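As an added example (not code from the Cloud DNS documentation), the following Python audits a constructed project IAM policy, in the JSON shape `gcloud projects get-iam-policy --format=json` returns, for every member who can create DNS changes, so grants made through the primitive owner and editor roles stand out next to the DNS-specific role. The role names roles/dns.admin and roles/dns.reader and the role-to-permission map are assumptions for this example, not taken from this page.

```python
import json

# Assumed role -> permission map for this example (not fetched from IAM).
# dns.changes.create and dns.resourceRecordSets.create are the permissions this
# page discusses; the primitive roles are modelled as carrying the change
# permission because the page notes DNS changes can be made through them too.
ROLE_PERMISSIONS = {
    "roles/owner":      {"dns.changes.create", "dns.resourceRecordSets.create", "dns.resourceRecordSets.list"},
    "roles/editor":     {"dns.changes.create", "dns.resourceRecordSets.create", "dns.resourceRecordSets.list"},
    "roles/viewer":     {"dns.resourceRecordSets.list"},
    "roles/dns.admin":  {"dns.changes.create", "dns.resourceRecordSets.create", "dns.resourceRecordSets.list"},
    "roles/dns.reader": {"dns.resourceRecordSets.list"},
}

# Constructed project IAM policy (sample members, not real principals).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/dns.admin",
         "members": ["serviceAccount:dns-deploy@example.iam.gserviceaccount.com"]},
        {"role": "roles/dns.reader", "members": ["group:support@example.com"]},
        {"role": "roles/editor", "members": ["user:bob@example.com"]},
    ]
})


def permissions_for(policy_json, member):
    """Union of the permissions a member holds through every role bound to it."""
    perms = set()
    for binding in json.loads(policy_json).get("bindings", []):
        if member in binding.get("members", []):
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def can_change_records(policy_json, member):
    """True if the member holds dns.changes.create through any bound role."""
    return "dns.changes.create" in permissions_for(policy_json, member)


def audit_change_access(policy_json):
    """Map each member able to create DNS changes to the roles granting it."""
    granted = {}
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        if "dns.changes.create" in ROLE_PERMISSIONS.get(role, set()):
            for member in binding.get("members", []):
                granted.setdefault(member, []).append(role)
    return granted


if __name__ == "__main__":
    for member, roles in audit_change_access(SAMPLE_POLICY).items():
        print(f"{member}: can create DNS changes via {', '.join(roles)}")
```

Members whose only route to dns.changes.create is roles/owner or roles/editor are candidates for replacing the primitive role with a DNS-specific one, per the least-privilege principle above.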
Access Control via the GCP Console
You can use the GCP Console to manage access control for your topics and projects.
To set access controls at the project level:
- Open the IAM page in the Google Cloud Platform Console.
- Select your project from the top pull-down menu.
- Click Add.
- Enter the email address of a new member.
- Select the desired role from the drop-down menu.
- Click Add.
- Verify that the member is listed with the role that you granted.