6

is there a way to have Google Cloud IAM Service account restricted to only one zone in Coud DNS? I want to use this for automatic ACME DNS-01 certificate issuing, but I do not want to add full control of all domains/zones. I tried to set Condition to Service account, but it did not work - zone names are probably not resources?

service account condition

Docs says that lowest resource is Project, so only possibility to have acme challenge secured is to have separate Project with own service account for that domain? https://cloud.google.com/dns/docs/access-control

Roman
  • 81
  • 4
  • Using project separation is the only method I can think of. You can host the root zone (example.com) with a DNS server in project A. Then create another DNS server in project B which hosts a child zone (myapi.example.com). Point the DNS server child zone to the DNS server in Project B using NS (name server) resource records. Neither project needs rights to the other project. You are just using DNS to provide isolation and this is how the entire Internet is designed. – John Hanley Jan 19 '21 at 21:08

1 Answers1

7

If you have a look to the Cloud DNS API, you can see that no API path contains a getIamPolicy or a setIamPolicy. This indicate that you can't define IAM permission at the resource level, but only at the project level: access or not to the whole API.

Thus you can't restrict the management of a zone to a dedicated service account. However, you can create another project and perform a DNS Peering on the manage zone that you want, and grant only the service account on this project.

guillaume blaquiere
  • 66,369
  • 2
  • 47
  • 76
  • I think if you're doing only public zones, peering is not necessary. You can just use the delegated domains feature of cert-manager. – Cedric Meury Feb 07 '23 at 15:53