Cloud DNS roles and permissions

This page lists the IAM roles and permissions for Cloud DNS. To search through all roles and permissions, see the role and permission index.

Cloud DNS roles

Role | Permissions

DNS Administrator

(roles/dns.admin)

Provides read-write access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

  • Managed zone

compute.networks.get

compute.networks.list

dns.changes.*

  • dns.changes.create
  • dns.changes.get
  • dns.changes.list

dns.dnsKeys.*

  • dns.dnsKeys.get
  • dns.dnsKeys.list

dns.gkeClusters.*

  • dns.gkeClusters.bindDNSResponsePolicy
  • dns.gkeClusters.bindPrivateDNSZone

dns.managedZoneOperations.*

  • dns.managedZoneOperations.get
  • dns.managedZoneOperations.list

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.update

dns.networks.*

  • dns.networks.bindDNSResponsePolicy
  • dns.networks.bindPrivateDNSPolicy
  • dns.networks.bindPrivateDNSZone
  • dns.networks.targetWithPeeringZone
  • dns.networks.useHealthSignals

dns.policies.*

  • dns.policies.create
  • dns.policies.createTagBinding
  • dns.policies.delete
  • dns.policies.deleteTagBinding
  • dns.policies.get
  • dns.policies.list
  • dns.policies.listEffectiveTags
  • dns.policies.listTagBindings
  • dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

  • dns.resourceRecordSets.create
  • dns.resourceRecordSets.delete
  • dns.resourceRecordSets.get
  • dns.resourceRecordSets.list
  • dns.resourceRecordSets.update

dns.responsePolicies.*

  • dns.responsePolicies.create
  • dns.responsePolicies.delete
  • dns.responsePolicies.get
  • dns.responsePolicies.list
  • dns.responsePolicies.update

dns.responsePolicyRules.*

  • dns.responsePolicyRules.create
  • dns.responsePolicyRules.delete
  • dns.responsePolicyRules.get
  • dns.responsePolicyRules.list
  • dns.responsePolicyRules.update

resourcemanager.projects.get

resourcemanager.projects.list

DNS Peer

(roles/dns.peer)

Access to target networks with DNS peering zones

dns.networks.targetWithPeeringZone

DNS Reader

(roles/dns.reader)

Provides read-only access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

  • Managed zone

compute.networks.get

dns.changes.get

dns.changes.list

dns.dnsKeys.*

  • dns.dnsKeys.get
  • dns.dnsKeys.list

dns.managedZoneOperations.*

  • dns.managedZoneOperations.get
  • dns.managedZoneOperations.list

dns.managedZones.get

dns.managedZones.list

dns.policies.get

dns.policies.list

dns.policies.listEffectiveTags

dns.policies.listTagBindings

dns.projects.get

dns.resourceRecordSets.get

dns.resourceRecordSets.list

dns.responsePolicies.get

dns.responsePolicies.list

dns.responsePolicyRules.get

dns.responsePolicyRules.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud DNS Service Agent

(roles/dns.serviceAgent)

Gives Cloud DNS Service Agent access to Cloud Platform resources.

Warning: Do not grant service agent roles to any principals except service agents.

compute.globalNetworkEndpointGroups.attachNetworkEndpoints

compute.globalNetworkEndpointGroups.create

compute.globalNetworkEndpointGroups.delete

compute.globalNetworkEndpointGroups.detachNetworkEndpoints

compute.globalNetworkEndpointGroups.get

compute.globalOperations.get

compute.healthChecks.get

Cloud DNS permissions

Permission | Included in roles

dns.changes.create

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.changes.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.changes.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.dnsKeys.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.dnsKeys.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.gkeClusters.bindDNSResponsePolicy

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.gkeClusters.bindPrivateDNSZone

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.managedZoneOperations.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.managedZoneOperations.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.managedZones.create

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.managedZones.delete

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.managedZones.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Composer Shared VPC Agent (roles/composer.sharedVpcAgent)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.managedZones.getIamPolicy

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.managedZones.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Composer Shared VPC Agent (roles/composer.sharedVpcAgent)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Deployment Admin (roles/workloadmanager.deploymentAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.managedZones.setIamPolicy

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

dns.managedZones.update

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.networks.bindDNSResponsePolicy

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.networks.bindPrivateDNSPolicy

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.networks.bindPrivateDNSZone

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.networks.targetWithPeeringZone

Owner (roles/owner)

Editor (roles/editor)

Composer Shared VPC Agent (roles/composer.sharedVpcAgent)

DNS Administrator (roles/dns.admin)

DNS Peer (roles/dns.peer)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.networks.useHealthSignals

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.policies.create

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.policies.createTagBinding

Owner (roles/owner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Tag User (roles/resourcemanager.tagUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.policies.delete

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.policies.deleteTagBinding

Owner (roles/owner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Tag User (roles/resourcemanager.tagUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.policies.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.policies.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.policies.listEffectiveTags

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.policies.listTagBindings

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.policies.update

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.projects.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.resourceRecordSets.create

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.resourceRecordSets.delete

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.resourceRecordSets.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.resourceRecordSets.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.resourceRecordSets.update

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.responsePolicies.create

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.responsePolicies.delete

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.responsePolicies.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.responsePolicies.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.responsePolicies.update

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.responsePolicyRules.create

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.responsePolicyRules.delete

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.responsePolicyRules.get

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.responsePolicyRules.list

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Network Administrator (roles/iam.networkAdmin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.

dns.responsePolicyRules.update

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Network Administrator (roles/iam.networkAdmin)

Service agent roles

Warning: Don't grant service agent roles to any principals except service agents.


Last updated 2026-02-19 UTC.