Manage GCP Cloud DNS IAM Bindings

The gcp:dns/dnsManagedZoneIamBinding:DnsManagedZoneIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Cloud DNS managed zones, controlling which identities can view or modify DNS records. This guide focuses on two capabilities: authoritative role assignment to multiple members and non-authoritative single-member additions.

IAM bindings reference existing managed zones and require a GCP project with the DNS API enabled. The examples are intentionally small. Combine them with your own managed zone resources and identity management.

Grant a role to multiple members at once

Teams managing DNS zones often need to grant the same role to multiple users or service accounts simultaneously, such as giving viewer access to an operations team.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.dns.DnsManagedZoneIamBinding("binding", {
    project: _default.project,
    managedZone: _default.name,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.dns.DnsManagedZoneIamBinding("binding",
    project=default["project"],
    managed_zone=default["name"],
    role="roles/viewer",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dns"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := dns.NewDnsManagedZoneIamBinding(ctx, "binding", &dns.DnsManagedZoneIamBindingArgs{
			Project:     pulumi.Any(_default.Project),
			ManagedZone: pulumi.Any(_default.Name),
			Role:        pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.Dns.DnsManagedZoneIamBinding("binding", new()
    {
        Project = @default.Project,
        ManagedZone = @default.Name,
        Role = "roles/viewer",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dns.DnsManagedZoneIamBinding;
import com.pulumi.gcp.dns.DnsManagedZoneIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new DnsManagedZoneIamBinding("binding", DnsManagedZoneIamBindingArgs.builder()
            .project(default_.project())
            .managedZone(default_.name())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:dns:DnsManagedZoneIamBinding
    properties:
      project: ${default.project}
      managedZone: ${default.name}
      role: roles/viewer
      members:
        - user:jane@example.com

The binding resource is authoritative for the specified role: it replaces any existing members for that role on the managed zone. The members array accepts various identity formats including user emails, service accounts, groups, and special identifiers like allUsers. The managedZone property references the zone by name, and role specifies the IAM role to grant.

Add a single member to a role incrementally

When onboarding individual users or service accounts, teams often add them one at a time without affecting existing role assignments.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.dns.DnsManagedZoneIamMember("member", {
    project: _default.project,
    managedZone: _default.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.dns.DnsManagedZoneIamMember("member",
    project=default["project"],
    managed_zone=default["name"],
    role="roles/viewer",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dns"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := dns.NewDnsManagedZoneIamMember(ctx, "member", &dns.DnsManagedZoneIamMemberArgs{
			Project:     pulumi.Any(_default.Project),
			ManagedZone: pulumi.Any(_default.Name),
			Role:        pulumi.String("roles/viewer"),
			Member:      pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.Dns.DnsManagedZoneIamMember("member", new()
    {
        Project = @default.Project,
        ManagedZone = @default.Name,
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.dns.DnsManagedZoneIamMember;
import com.pulumi.gcp.dns.DnsManagedZoneIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new DnsManagedZoneIamMember("member", DnsManagedZoneIamMemberArgs.builder()
            .project(default_.project())
            .managedZone(default_.name())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:dns:DnsManagedZoneIamMember
    properties:
      project: ${default.project}
      managedZone: ${default.name}
      role: roles/viewer
      member: user:jane@example.com

The DnsManagedZoneIamMember resource is non-authoritative: it adds a single member to a role without replacing other members who already have that role. This approach works well for incremental access grants. Use member (singular) instead of members (plural) to specify the identity. You can combine multiple DnsManagedZoneIamMember resources for the same role, or mix them with DnsManagedZoneIamBinding resources as long as they target different roles.

Beyond these examples

These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than full access control configurations.

The examples reference pre-existing infrastructure such as Cloud DNS managed zones and a GCP project with the DNS API enabled. They focus on configuring IAM bindings rather than provisioning the zones themselves.

To keep things focused, common IAM patterns are omitted, including:

Conditional IAM bindings (condition property)
Policy-level management (DnsManagedZoneIamPolicy)
Custom role definitions
Federated identity configuration

These omissions are intentional: the goal is to illustrate how each binding approach is wired, not provide drop-in access control modules. See the DNS Managed Zone IAM Binding resource reference for all available configuration options.

Let's manage GCP Cloud DNS IAM Bindings

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts

Which IAM resource should I use for managing DNS managed zone permissions?

You have three options:

gcp.dns.DnsManagedZoneIamPolicy - Authoritative. Replaces the entire IAM policy for the managed zone.
gcp.dns.DnsManagedZoneIamBinding - Authoritative for a specific role. Grants a role to a list of members while preserving other roles.
gcp.dns.DnsManagedZoneIamMember - Non-authoritative. Adds a single member to a role while preserving other members.

Why am I seeing IAM policy conflicts or unexpected permission changes?

gcp.dns.DnsManagedZoneIamPolicy cannot be used with gcp.dns.DnsManagedZoneIamBinding or gcp.dns.DnsManagedZoneIamMember, as they will fight over the policy. Additionally, gcp.dns.DnsManagedZoneIamBinding and gcp.dns.DnsManagedZoneIamMember can only be used together if they manage different roles.

Configuration & Identity Formats

What member identity formats are supported?

The members property accepts multiple formats:

allUsers - Anyone on the internet
allAuthenticatedUsers - Anyone with a Google account
user:{emailid} - Specific Google account (e.g., user:alice@gmail.com)
serviceAccount:{emailid} - Service account (e.g., serviceAccount:my-app@appspot.gserviceaccount.com)
group:{emailid} - Google group (e.g., group:admins@example.com)
domain:{domain} - G Suite domain (e.g., domain:example.com)
projectOwner:projectid, projectEditor:projectid, projectViewer:projectid - Project-level roles
Federated identities - Workload/workforce identity pools (e.g., principal://iam.googleapis.com/locations/global/workforcePools/...)

How do I specify custom IAM roles?

Custom roles must use the format [projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.

Immutability & Limitations

What properties can't be changed after creating the IAM binding?

The following properties are immutable: managedZone, project, role, and condition. Changing any of these requires recreating the resource.

Can I have multiple DnsManagedZoneIamBinding resources for the same role?

No, only one gcp.dns.DnsManagedZoneIamBinding can be used per role. If you need to add members to an existing role binding, use gcp.dns.DnsManagedZoneIamMember instead (as long as they manage different roles).

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides