This page provides instructions about how to set up specific read, write, or administrator Identity and Access Management (IAM) permissions for different managed zones under the same project.
For detailed information about IAM policies, see Understanding allow policies. For information about the IAM policy API, see Policy. To learn how to create IAM custom roles that you can use on your managed zones, see Understanding IAM custom roles.
This procedure assumes that you have created a managed zone in a project. For instructions about how to create a managed zone, see Create, modify, and delete zones .
Set IAM policy for a managed zone
To set the IAM policy on a specific managed zone, follow these steps.
Console
- In the Google Cloud console, go to the Cloud DNS zones page.
- Select one or more zones for which you want to add access control permissions.
- On the Permissions to resources page, click Add principal.
- On the Grant access to resource page, under New principals, add the email address of the user, group, domain, or service account that you want to add as the new principal.
- From the Assign roles list, select the role that you want to assign to the principal.
- To assign additional roles, click Add another role.
- Click Save.
gcloud
Run the gcloud dns managed-zones set-iam-policy command:
gcloud dns managed-zones set-iam-policy NAME \
    --policy-file=POLICY-FILE
Replace the following:
- NAME: the name of the managed zone for which you want to set the IAM policy
- POLICY-FILE: the file that contains the IAM policy that you want to specify for the managed zone. For an example policy file, see Policy.
The command replaces the zone's entire IAM policy with the contents of the file, so start from the output of gcloud dns managed-zones get-iam-policy and keep its etag; that way existing bindings are not dropped and a concurrent change is not silently overwritten.
If this command runs successfully, it returns the IAM policy. Otherwise it returns an error message specifying the error.
API
Send a POST request by using the managedZone.setIamPolicy method:
POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE:setIamPolicy
Replace the following:
- PROJECT_ID: the name or ID of the project
- MANAGED_ZONE: the name of the managed zone for which you want to set the IAM policy
The request body carries the new policy under the policy field, and, as with the gcloud command, it replaces the zone's whole policy.
For detailed information on this API call, see Binding on the IAM Policy API page.
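The following script is an example added to this page, not Google's own tooling; it shows the read-modify-write that both the gcloud and the API procedure above need. It assumes the policy JSON that gcloud dns managed-zones get-iam-policy NAME --format=json returns (bindings, etag, version), adds a principal to a role without disturbing other bindings or the etag, and writes a file suitable for --policy-file as well as the body for the setIamPolicy request. The zone-level role allowlist, the member prefix check, and the sample policy and etag value are the script's own assumptions.

```python
"""Read-modify-write of a Cloud DNS managed-zone IAM policy (example code)."""
import json
from typing import Any, Dict

# Roles this script allows at zone level: the two Cloud DNS predefined roles
# that fit "read this zone" and "administer this zone". Anything broader is
# rejected; this allowlist is the script's own guard rail, not an API rule.
ZONE_ROLES = {"roles/dns.reader", "roles/dns.admin"}

# Principal types the console flow on this page accepts.
MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:")
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample of what get-iam-policy might return for a zone that
# already has an admin group. The etag value is made up.
CURRENT_POLICY: Dict[str, Any] = {
    "version": 1,
    "etag": "BwXsampleEtag=",
    "bindings": [
        {"role": "roles/dns.admin", "members": ["group:dns-admins@example.com"]},
    ],
}


def validate_member(member: str) -> None:
    """Reject public principals and unprefixed identifiers before they reach the API."""
    if member in PUBLIC_MEMBERS:
        raise ValueError(f"refusing to grant zone access to {member}")
    if not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"member needs one of the prefixes {MEMBER_PREFIXES}: {member}")


def add_binding(policy: Dict[str, Any], role: str, member: str) -> Dict[str, Any]:
    """Return a copy of `policy` with `member` added to `role`.

    Other bindings and the etag are preserved: setIamPolicy replaces the
    whole policy, and the etag is what makes the write conditional.
    """
    if role not in ZONE_ROLES:
        raise ValueError(f"{role} is not in the zone-level allowlist {sorted(ZONE_ROLES)}")
    validate_member(member)
    if "etag" not in policy:
        raise ValueError("policy has no etag; fetch it with get-iam-policy first")
    new_policy = json.loads(json.dumps(policy))  # deep copy, input stays untouched
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        # Merge only into an unconditional binding; conditional ones are separate grants.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return new_policy


def remove_member(policy: Dict[str, Any], role: str, member: str) -> Dict[str, Any]:
    """Return a copy with `member` removed from `role`; drop a binding that becomes empty."""
    new_policy = json.loads(json.dumps(policy))
    kept = []
    for binding in new_policy.get("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy


def set_iam_policy_body(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Request body for POST ...:setIamPolicy; the policy sits under the "policy" key."""
    return {"policy": policy}


def write_policy_file(policy: Dict[str, Any], path: str) -> None:
    """Write the policy in the shape --policy-file expects."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)
        fh.write("\n")


if __name__ == "__main__":
    updated = add_binding(
        CURRENT_POLICY,
        "roles/dns.reader",
        "serviceAccount:zone-auditor@my-project.iam.gserviceaccount.com",  # assumed principal
    )
    write_policy_file(updated, "policy.json")
    print(json.dumps(set_iam_policy_body(updated), indent=2))
    print("apply with: gcloud dns managed-zones set-iam-policy NAME --policy-file=policy.json")
```

If the zone's policy contains conditional bindings, fetch it with requestedPolicyVersion 3 and keep version 3 in the file; the merge above deliberately leaves conditional bindings alone so that a grant with a condition is never widened by accident.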
Get IAM policy for a managed zone
To get the IAM policy for a specific managed zone, follow these steps.
gcloud
Run the gcloud dns managed-zones get-iam-policy command:
gcloud dns managed-zones get-iam-policy NAME
Replace NAME with the name of the managed zone for which you want to get the IAM policy.
If this command runs successfully, it returns the IAM policy. Otherwise it returns an error message specifying the error.
API
Send a POST request by using the managedZone.getIamPolicy method:
POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE:getIamPolicy
Replace the following:
- PROJECT_ID: the name or ID of the project
- MANAGED_ZONE: the name of the managed zone for which you want to get the IAM policy
Check IAM permissions for a managed zone
Send a POST request by using the managedZone.testIamPermissions method:
POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE:testIamPermissions
Replace the following:
- PROJECT_ID: the name or ID of the project
- MANAGED_ZONE: the name of the managed zone for which you want to check the IAM permissions
The request body lists the permissions to test, and the response contains the subset of them that the caller holds on the zone. The method evaluates the identity making the request, not an arbitrary principal, so to check what a service account can do, call it with credentials for that service account.
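The following script is an example added to this page, not Google's client library. It builds the testIamPermissions request body for a set of Cloud DNS permissions, reports which required permissions the response does not contain, and includes a live call that takes an access token; the project, zone, token source, and the sample response are assumptions of the example.

```python
"""Check which zone permissions the caller holds via testIamPermissions (example code)."""
import json
import urllib.request
from typing import Dict, Iterable, List

# Permissions a principal needs to publish records in a zone, for example an
# ACME DNS-01 solver: read the zone, list records, submit a change, poll it.
RECORD_WRITER_PERMISSIONS = [
    "dns.managedZones.get",
    "dns.resourceRecordSets.list",
    "dns.changes.create",
    "dns.changes.get",
]

# Constructed sample response for a principal that can read the zone and its
# change history but cannot submit changes. Not tied to a specific role.
SAMPLE_READ_ONLY_RESPONSE = {
    "permissions": ["dns.managedZones.get", "dns.resourceRecordSets.list", "dns.changes.get"],
}


def build_request(permissions: Iterable[str]) -> Dict[str, List[str]]:
    """Body for POST ...:testIamPermissions: {"permissions": [...]}, deduplicated, order kept.

    Restricting names to the dns.* namespace is this script's own check; the
    API simply omits permissions that do not apply to the zone.
    """
    seen: List[str] = []
    for perm in permissions:
        if not perm.startswith("dns."):
            raise ValueError(f"not a Cloud DNS permission: {perm}")
        if perm not in seen:
            seen.append(perm)
    if not seen:
        raise ValueError("no permissions to test")
    return {"permissions": seen}


def missing_permissions(required: Iterable[str], response: Dict[str, List[str]]) -> List[str]:
    """The API answers with the subset of requested permissions the caller holds;
    everything in `required` that is absent from the answer is missing."""
    granted = set(response.get("permissions", []))
    return [perm for perm in required if perm not in granted]


def query_caller_permissions(project: str, zone: str, permissions: Iterable[str],
                             access_token: str) -> Dict[str, List[str]]:
    """Live call. The API evaluates the caller's identity, so to check a service
    account, obtain the token as that account, for example with
    `gcloud auth print-access-token --impersonate-service-account=SA_EMAIL`."""
    url = (f"https://dns.googleapis.com/dns/v1/projects/{project}"
           f"/managedZones/{zone}:testIamPermissions")
    body = json.dumps(build_request(permissions)).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(build_request(RECORD_WRITER_PERMISSIONS)))
    print("missing:", missing_permissions(RECORD_WRITER_PERMISSIONS, SAMPLE_READ_ONLY_RESPONSE))
```

An empty missing list is the condition to check for in a deployment pipeline before handing a zone to an automated record writer; a non-empty list names exactly which grant in the zone's policy is still absent.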
What's next
- To work with managed zones, see Create, modify, and delete zones .
 - To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshooting .
 - To get an overview of Cloud DNS, see Cloud DNS overview .