
DNS access control (IAM)

DNS uses two IAM resources: dns_zone and dns_record.

Built-in policies

| Policy name | Slug | Typical use |
| --- | --- | --- |
| dns:ReadAccess | dns-read-access | View zones and records |
| dns:FullAccess | dns-full-access | Create, update, and delete zones and records |

See DNS default policies for the full permission matrix.

Record operations require permissions on both the zone and the record. Bind policies via organisation roles or project IAM policies.

The built-in admin:all policy grants full DNS access implicitly.

Permission reference

| Resource | Typical permissions | Operations |
| --- | --- | --- |
| dns_zone | read, list | List and view zones; read DNSSEC status |
| dns_zone | create, update, delete | Create, update, or delete zones; enable or disable DNSSEC |
| dns_record | read, list | List and view records in a zone |
| dns_record | create, update, delete | Create, update, or delete records |

Related documentation