This page describes the Cloud Domains API roles and the access control options that are available to you in Cloud Domains.
Google Cloud offers Identity and Access Management (IAM), which enables you to give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM enables you to adopt the security principle of least privilege so that you grant only the necessary access to your resources. IAM enables you to control who has what permissions to which resources by setting IAM policies. IAM policies grant specific roles to a user, which gives the user certain permissions.
For example, a particular user might need to create and modify
the contact settings for a domain, so you would give that user the
Cloud Domains Admin role (roles/domains.admin). On the other hand, a user
might need to only view existing resource domains, so they would get a
Cloud Domains Viewer role (roles/domains.viewer). For
Cloud Domains, you can configure both project-level and
resource-level access.
Following are some examples of permissions for the Viewer role:
- View all domains registered in a project.
- View registration details such as DNS or expiry time.
- Search domain availability and get registration parameters.
Following are some examples of permissions for the Admin role:
- Register a new domain.
- Update registration settings, including DNS settings and contact settings.
- Export or transfer the domain registration.
- Import a domain from Google Domains to Cloud Domains.
To understand role types, see the IAM basic and predefined roles reference.
Enable the Cloud Domains API
To view and assign Cloud Domains IAM roles, you must enable the Cloud Domains API for your project. You cannot see the Cloud Domains roles in the Google Cloud console until you enable the API.
For lists of the roles and permissions that Cloud Domains supports, see the following sections.
Roles
The following table lists the Cloud Domains API IAM roles with a corresponding list of all the permissions that each role includes. Each permission is applicable to a particular resource type. For more details about each permission, see the Permissions section.
| Role | Permissions |
|---|---|
Cloud Domains Admin( Full access to Cloud Domains Registrations and related resources. Contains 3 owner permissions |
domains.*
resourcemanager.projects.get resourcemanager.projects.list |
Cloud Domains Viewer( Read-only access to Cloud Domains Registrations and related resources. |
domains.locations.*
domains.operations.get domains.operations.list domains.registrations.get domains. domains.registrations.list domains. domains. resourcemanager.projects.get resourcemanager.projects.list |
Permissions
The following table lists the permissions that the caller must have to call each method.
| Method (locations.registrations.) | Description | Required permissions |
|---|---|---|
| searchDomains | Search for an available domain. | domains.registrations.list |
| retrieveRegisterParameters | Get parameters to register a new domain. | domains.registrations.list |
| register | Register a domain. | domains.registrations.create |
| retrieveTransferParameters | Get parameters to transfer a domain. | domains.registrations.list |
| transfer | Transfer a domain. | domains.registrations.create |
| list | List the registration resources in a project. | domains.registrations.list |
| get | Get the details of a registration resource. | domains.registrations.get |
| patch | Edit the details of a registration resource. | domains.registrations.update |
| configureManagementSettings | Configure the management settings of a registration resource. | domains.registrations.configureManagement |
| configureDnsSettings | Configure the DNS settings of a registration resource. | domains.registrations.configureDns |
| configureContactSettings | Configure the contact settings of a registration resource. | domains.registrations.configureContact |
| export | Export a domain. | domains.registrations.configureManagement |
| delete | Delete a domain. | domains.registrations.delete |
| retrieveAuthorizationCode | Retrieve the authorization code for a domain transfer. | domains.registrations.configureManagement |
| resetAuthorizationCode | Reset the authorization code for a domain transfer. | domains.registrations.configureManagement |
Access control using the Google Cloud console
You can use the Google Cloud console to manage access control for your projects.
For detailed instructions, see Manage access to projects, folders, and organizations.
What's next
- To get started using Cloud Domains, see the Quickstart.
- To improve the security of your Cloud Domains configuration, see VPC Service Controls support.
- To find solutions for common issues that you might encounter when using Cloud Domains, see Troubleshooting.