Manage GCP Cloud DNS IAM Bindings

The gcp:dns/dnsManagedZoneIamBinding:DnsManagedZoneIamBinding resource, part of the Pulumi GCP provider, grants IAM roles to members for a Cloud DNS managed zone, controlling who can view or modify DNS records. This guide focuses on two capabilities: authoritative role assignment to multiple members and non-authoritative single-member additions.

This resource manages access to existing managed zones. The examples are intentionally small. Combine them with your own managed zone resources and identity management workflows.

Grant a role to multiple members at once

Teams managing DNS zones often need to grant the same role to multiple users or service accounts simultaneously, such as giving viewer access to an operations team.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.dns.DnsManagedZoneIamBinding("binding", {
    project: _default.project,
    managedZone: _default.name,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.dns.DnsManagedZoneIamBinding("binding",
    project=default["project"],
    managed_zone=default["name"],
    role="roles/viewer",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dns"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := dns.NewDnsManagedZoneIamBinding(ctx, "binding", &dns.DnsManagedZoneIamBindingArgs{
			Project:     pulumi.Any(_default.Project),
			ManagedZone: pulumi.Any(_default.Name),
			Role:        pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.Dns.DnsManagedZoneIamBinding("binding", new()
    {
        Project = @default.Project,
        ManagedZone = @default.Name,
        Role = "roles/viewer",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dns.DnsManagedZoneIamBinding;
import com.pulumi.gcp.dns.DnsManagedZoneIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new DnsManagedZoneIamBinding("binding", DnsManagedZoneIamBindingArgs.builder()
            .project(default_.project())
            .managedZone(default_.name())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:dns:DnsManagedZoneIamBinding
    properties:
      project: ${default.project}
      managedZone: ${default.name}
      role: roles/viewer
      members:
        - user:jane@example.com

The DnsManagedZoneIamBinding resource is authoritative for the specified role. The members array lists all identities that should have the role; any existing members not in this list will be removed. The managedZone property identifies which DNS zone to grant access to, and role specifies the permission level (e.g., roles/viewer for read-only access).

Add a single member to a role incrementally

When onboarding individual users or service accounts, teams often add them one at a time without affecting existing members who already have the role.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.dns.DnsManagedZoneIamMember("member", {
    project: _default.project,
    managedZone: _default.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.dns.DnsManagedZoneIamMember("member",
    project=default["project"],
    managed_zone=default["name"],
    role="roles/viewer",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dns"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := dns.NewDnsManagedZoneIamMember(ctx, "member", &dns.DnsManagedZoneIamMemberArgs{
			Project:     pulumi.Any(_default.Project),
			ManagedZone: pulumi.Any(_default.Name),
			Role:        pulumi.String("roles/viewer"),
			Member:      pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.Dns.DnsManagedZoneIamMember("member", new()
    {
        Project = @default.Project,
        ManagedZone = @default.Name,
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dns.DnsManagedZoneIamMember;
import com.pulumi.gcp.dns.DnsManagedZoneIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new DnsManagedZoneIamMember("member", DnsManagedZoneIamMemberArgs.builder()
            .project(default_.project())
            .managedZone(default_.name())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:dns:DnsManagedZoneIamMember
    properties:
      project: ${default.project}
      managedZone: ${default.name}
      role: roles/viewer
      member: user:jane@example.com

The DnsManagedZoneIamMember resource is non-authoritative. It adds a single member to a role without removing other members who already have that role. This approach works well for incremental access grants and can coexist with other DnsManagedZoneIamMember resources targeting the same role. Use member (singular) instead of members (plural) to specify the identity.

Beyond these examples

These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than full access control policies.

The examples assume pre-existing infrastructure such as Cloud DNS managed zones and a GCP project with the DNS API enabled. They focus on configuring access rather than provisioning zones or DNS records.

To keep things focused, common IAM patterns are omitted, including:

  • Conditional IAM bindings (condition property)
  • Policy-level management (DnsManagedZoneIamPolicy)
  • Custom role definitions
  • Federated identity configuration

These omissions are intentional: the goal is to illustrate how IAM bindings are wired, not provide drop-in access control modules. See the DNS Managed Zone IAM Binding resource reference for all available configuration options.

Let's manage GCP Cloud DNS IAM Bindings

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Conflicts & Compatibility
Can I use DnsManagedZoneIamPolicy with DnsManagedZoneIamBinding or DnsManagedZoneIamMember?
No, gcp.dns.DnsManagedZoneIamPolicy cannot be used with gcp.dns.DnsManagedZoneIamBinding or gcp.dns.DnsManagedZoneIamMember because they will conflict over the policy configuration.
Can I use DnsManagedZoneIamBinding and DnsManagedZoneIamMember together?
Yes, but only if they don’t grant privileges to the same role. Each role must be managed by only one resource type.
What's the difference between DnsManagedZoneIamPolicy, DnsManagedZoneIamBinding, and DnsManagedZoneIamMember?
gcp.dns.DnsManagedZoneIamPolicy is authoritative and replaces the entire IAM policy. gcp.dns.DnsManagedZoneIamBinding is authoritative for a specific role but preserves other roles. gcp.dns.DnsManagedZoneIamMember is non-authoritative and adds a single member while preserving other members for that role.
IAM Configuration
How do I specify a custom IAM role?
Custom roles must use the format [projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/customDnsRole or organizations/my-org/roles/customDnsRole.
What member identity formats are supported?

The members property supports multiple formats:

  • allUsers or allAuthenticatedUsers for public/authenticated access
  • user:{email} for specific Google accounts
  • serviceAccount:{email} for service accounts
  • group:{email} for Google groups
  • domain:{domain} for G Suite domains
  • projectOwner:projectid, projectEditor:projectid, or projectViewer:projectid for project-level roles
  • Federated identities using principal:// format for workload/workforce identity pools
Resource Management
What properties can't I change after creating the binding?
The managedZone, project, role, and condition properties are immutable and cannot be changed after creation.
How do I import an existing IAM binding?
Use space-delimited identifiers with the resource path and role: pulumi import gcp:dns/dnsManagedZoneIamBinding:DnsManagedZoneIamBinding editor "projects/{{project}}/managedZones/{{managed_zone}} roles/viewer". The resource identifier can also use shorter forms like {{project}}/{{managed_zone}} or just {{managed_zone}}.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides