Set and manage IAM policies for managed zones

This page provides instructions about how to set up specific read, write, or administrator Identity and Access Management (IAM) permissions for different managed zones under the same project.

For detailed information about IAM policies, see Understanding allow policies. For information about the IAM policy API, see Policy. To learn how to create IAM custom roles that you can use on your managed zones, see Understanding IAM custom roles.

This procedure assumes that you have created a managed zone in a project. For instructions about how to create a managed zone, see Create, modify, and delete zones.

Set IAM policy for a managed zone

To set the IAM policy on a specific managed zone, follow these steps.

Console

  1. In the Google Cloud console, go to the Cloud DNS zones page.

    Go to Cloud DNS zones

  2. Select one or more zones for which you want to add access control permissions.

  3. On the Permissions to resources page, click Add principal.

  4. On the Grant access to resource page, under New principals, add the email address of the user, group, domain, or service account that you want to add as the new principal.

  5. From the Assign roles list, select the role that you want to assign to the principal.

  6. To assign additional roles, click Add another role.

  7. Click Save.

gcloud

Run the gcloud dns managed-zones set-iam-policy command:

gcloud dns managed-zones set-iam-policy NAME \
  --policy-file=POLICY-FILE

Replace the following:

  • NAME: the name of the managed zone for which you want to set the IAM permission
  • POLICY-FILE: the file that contains the IAM policy that you want to specify for the managed zone. For an example policy file, see Policy.

If this command runs successfully, it returns the IAM policy. Otherwise it returns an error message specifying the error.

API

Send a POST request by using the managedZone.setIamPolicy method:

POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE:setIamPolicy

Replace the following:

  • PROJECT_ID: the name or ID of the project
  • MANAGED_ZONE: the name of the managed zone for which you want to set the IAM permission

For detailed information on this API call, see Binding on the IAM Policy API page.

Grant access to specific resource record sets

Cloud DNS supports using IAM Conditions to provide granular access control for specific resource record sets (RRsets) within a managed zone.

Prerequisite: Create custom roles

Due to a temporary technical limitation, you cannot bind IAM conditions directly to the roles/dns.admin role. To use conditions, you must create two custom roles to separate record set management from other administrative tasks.

  1. Create a record set management role (for example, DnsRecordSetAdmin) that contains the following permissions:

    • dns.resourceRecordSets.create
    • dns.resourceRecordSets.delete
    • dns.resourceRecordSets.get
    • dns.resourceRecordSets.update
  2. Create a complementary role (for example, DnsNonRecordSetAdmin) that contains all remaining permissions from the standard roles/dns.admin role. These additional permissions (such as dns.changes.create and dns.managedZones.get) are necessary for the overall administration of the zone and to satisfy prerequisite checks when modifying records.

Grant permissions

To ensure that your conditional policies work as expected, you must grant these roles to the principal as follows:

  1. Grant the complementary role unconditionally: Assign the role that contains the remaining administrative permissions (for example, DnsNonRecordSetAdmin) to the principal unconditionally on the managed zone.
  2. Grant the record set management role conditionally: Assign the role that contains the record set permissions (for example, DnsRecordSetAdmin) to the principal conditionally based on your specific access requirements.
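As an added example that is not part of this page, the following Python script writes a policy file implementing the two-role pattern above (complementary role unconditional, record set role conditional) for use with gcloud dns managed-zones set-iam-policy, and audits a policy for the mistakes this section rules out. The project ID, principal and custom role IDs are placeholders.

```python
import json

# Placeholder values; replace with your project and the custom roles you created.
PROJECT_ID = "my-project"
RRSET_ROLE = f"projects/{PROJECT_ID}/roles/DnsRecordSetAdmin"
NON_RRSET_ROLE = f"projects/{PROJECT_ID}/roles/DnsNonRecordSetAdmin"


def build_zone_policy(principal, condition_expr, title, etag=""):
    """Policy for one managed zone: complementary role bound unconditionally,
    record set role bound only while condition_expr holds."""
    policy = {
        "version": 3,  # conditional bindings need policy version 3
        "bindings": [
            {"role": NON_RRSET_ROLE, "members": [principal]},
            {
                "role": RRSET_ROLE,
                "members": [principal],
                "condition": {"title": title, "expression": condition_expr},
            },
        ],
    }
    if etag:  # copy the etag from get-iam-policy so a stale write is rejected
        policy["etag"] = etag
    return policy


def audit_policy(policy):
    """Return findings for bindings that break the pattern described above."""
    findings = []
    bindings = policy.get("bindings", [])
    if policy.get("version", 1) < 3 and any("condition" in b for b in bindings):
        findings.append("conditional bindings require policy version 3")
    conditional, unconditional = set(), set()
    for b in bindings:
        has_cond = "condition" in b
        if has_cond and b["role"] == "roles/dns.admin":
            findings.append("condition bound to roles/dns.admin is not supported")
        if b["role"] == RRSET_ROLE and has_cond:
            conditional.update(b["members"])
        if b["role"] == NON_RRSET_ROLE and not has_cond:
            unconditional.update(b["members"])
    for member in sorted(conditional - unconditional):
        findings.append(f"{member}: record set role is conditional but the "
                        "complementary role is not granted unconditionally")
    return findings


if __name__ == "__main__":
    policy = build_zone_policy("user:alice@example.com", "resource.type == 'dns.googleapis.com/ResourceRecordSet' && resource.name.endsWith('/A')", "a-records-only")
    with open("policy.json", "w") as f:  # then pass it with --policy-file=policy.json
        json.dump(policy, f, indent=2)
```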

Example conditions

The following examples show how to restrict access using the resource.name and resource.type attributes.

  • Exact Record Match: Grant permission to manage only the A record for api.example.com.

    resource.type == 'dns.googleapis.com/ResourceRecordSet' && resource.name.endsWith('/rrsets/api.example.com./A')

  • Subdomain Delegation: Grant permission to manage all records within the p.example.com. subdomain.

    resource.type == 'dns.googleapis.com/ResourceRecordSet' && resource.name.extract('/rrsets/{name}/').endsWith('.p.example.com.')

  • Manage All Records of a Specific Type: Grant permission to manage all A records in the zone.

    resource.type == 'dns.googleapis.com/ResourceRecordSet' && resource.name.endsWith('/A')
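As an added example, not from the page, here is a small Python model of the three conditions above evaluated against constructed RRset resource names, so you can see which records each one grants before applying it. The `.../rrsets/<record name>/<record type>` name layout and the extract() behaviour are assumptions inferred from the expressions shown; note that the subdomain condition does not match the p.example.com. apex itself, and the exact-match condition does not cover an AAAA record with the same name.

```python
import re

# Assumed RRset resource name layout, inferred from the conditions on this page:
# projects/PROJECT/managedZones/ZONE/rrsets/<record name>/<record type>
RRSET_TYPE = "dns.googleapis.com/ResourceRecordSet"


def rrset_name(zone, record, rtype):
    return f"projects/my-project/managedZones/{zone}/rrsets/{record}/{rtype}"


def extract(value, template):
    """Model of CEL extract() for a template with one {name} placeholder:
    returns the text between the literal prefix and suffix, or '' on no match."""
    pre, _, post = template.partition("{name}")
    m = re.search(re.escape(pre) + "(.*?)" + re.escape(post), value)
    return m.group(1) if m else ""


# The three example conditions, as predicates over (resource.type, resource.name).
CONDITIONS = {
    "exact": lambda t, n: t == RRSET_TYPE and n.endswith("/rrsets/api.example.com./A"),
    "subdomain": lambda t, n: t == RRSET_TYPE
    and extract(n, "/rrsets/{name}/").endswith(".p.example.com."),
    "all_a": lambda t, n: t == RRSET_TYPE and n.endswith("/A"),
}


def allowed(condition, record, rtype, zone="example-zone", type_attr=RRSET_TYPE):
    """True when the named condition grants access to record/rtype in zone."""
    return CONDITIONS[condition](type_attr, rrset_name(zone, record, rtype))


if __name__ == "__main__":
    samples = [("api.example.com.", "A"), ("api.example.com.", "AAAA"),
               ("www.p.example.com.", "TXT"), ("p.example.com.", "A")]
    for cond in CONDITIONS:
        for rec, typ in samples:
            print(f"{cond:10} {rec:22} {typ:5} {allowed(cond, rec, typ)}")
```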

Get IAM policy for a managed zone

To get the IAM policy for a specific managed zone, follow these steps.

gcloud

Run the gcloud dns managed-zones get-iam-policy command:

gcloud dns managed-zones get-iam-policy NAME

Replace NAME with the name of the managed zone for which you want to get the IAM policy.

If this command runs successfully, it returns the IAM policy. Otherwise it returns an error message specifying the error.

API

Send a POST request by using the managedZone.getIamPolicy method:

POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE:getIamPolicy

Replace the following:

  • PROJECT_ID: the name or ID of the project
  • MANAGED_ZONE: the name of the managed zone for which you want to get the IAM policy

Check IAM permissions for a managed zone

Send a POST request by using the managedZone.testIamPermissions method:

POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE:testIamPermissions

Replace the following:

  • PROJECT_ID: the name or ID of the project
  • MANAGED_ZONE: the name of the managed zone for which you want to check the IAM permission

What's next
