The gcp:dns/dnsManagedZoneIamMember:DnsManagedZoneIamMember resource, part of the Pulumi GCP provider, grants IAM permissions to individual members for Cloud DNS managed zones without affecting other role assignments. This resource is non-authoritative, meaning it adds a single member to a role without removing existing members. This guide focuses on adding individual members to managed zone IAM policies.
This resource references existing managed zones and requires the DNS API enabled in your project. The example is intentionally small. Combine it with your own managed zone resources and identity management.
Grant a single user access to a managed zone
Most IAM configurations start by granting individual users or service accounts access to specific resources without affecting other permissions.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// `_default` is the existing gcp.dns.ManagedZone this grant targets; it is declared
// elsewhere in your program and is not provisioned by this example.
const member = new gcp.dns.DnsManagedZoneIamMember("member", {
    project: _default.project,
    managedZone: _default.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});
```
```python
import pulumi
import pulumi_gcp as gcp

# `default` refers to the existing Cloud DNS managed zone this grant targets; it is
# defined elsewhere in your program and is not provisioned by this example.
member = gcp.dns.DnsManagedZoneIamMember("member",
    project=default["project"],
    managed_zone=default["name"],
    role="roles/viewer",
    member="user:jane@example.com")
```
```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/dns"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// _default is the existing Cloud DNS managed zone this grant targets, declared
		// elsewhere in the program; the example does not provision it.
		_, err := dns.NewDnsManagedZoneIamMember(ctx, "member", &dns.DnsManagedZoneIamMemberArgs{
			Project:     pulumi.Any(_default.Project),
			ManagedZone: pulumi.Any(_default.Name),
			Role:        pulumi.String("roles/viewer"),
			Member:      pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```
```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // `@default` is the existing Cloud DNS managed zone this grant targets, declared
    // elsewhere in the program; the example does not provision it.
    var member = new Gcp.Dns.DnsManagedZoneIamMember("member", new()
    {
        Project = @default.Project,
        ManagedZone = @default.Name,
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    });
});
```
```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.gcp.dns.DnsManagedZoneIamMember;
import com.pulumi.gcp.dns.DnsManagedZoneIamMemberArgs;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // `default_` is the existing Cloud DNS managed zone this grant targets, declared
        // elsewhere in the program; the example does not provision it.
        var member = new DnsManagedZoneIamMember("member", DnsManagedZoneIamMemberArgs.builder()
            .project(default_.project())
            .managedZone(default_.name())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build());
    }
}
```
```yaml
resources:
  member:
    type: gcp:dns:DnsManagedZoneIamMember
    properties:
      # `default` is the existing Cloud DNS managed zone this grant targets,
      # declared elsewhere in the program; the example does not provision it.
      project: ${default.project}
      managedZone: ${default.name}
      role: roles/viewer
      member: user:jane@example.com
```
The member property specifies the identity being granted access, using formats such as “user:email@example.com” for users or “serviceAccount:name@project.iam.gserviceaccount.com” for service accounts. The role property defines the permission level (e.g., “roles/viewer” for read-only access). The managedZone property identifies the DNS zone the grant applies to. This resource is non-authoritative: it adds this member to the role without removing other members who already hold the same role.
Beyond these examples
This snippet focuses on single-member IAM grants. It’s intentionally minimal rather than a complete access control solution.
The example references pre-existing infrastructure such as Cloud DNS managed zones and a GCP project with DNS API enabled. It focuses on configuring IAM membership rather than provisioning the managed zone itself.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Multiple members per role (use DnsManagedZoneIamBinding)
- Complete policy replacement (use DnsManagedZoneIamPolicy)
- Service account and group identities
These omissions are intentional: the goal is to illustrate how IAM member grants are wired, not provide drop-in access control modules. See the DnsManagedZoneIamMember resource reference for all available configuration options.
Frequently Asked Questions
Resource Selection & Conflicts
DnsManagedZoneIamPolicy cannot be used with DnsManagedZoneIamBinding or DnsManagedZoneIamMember because they’ll fight over the policy. Additionally, DnsManagedZoneIamBinding and DnsManagedZoneIamMember can only be used together if they target different roles. Choose based on your management approach:
- DnsManagedZoneIamPolicy: authoritative, replaces the entire IAM policy
- DnsManagedZoneIamBinding: authoritative for a specific role, preserves other roles
- DnsManagedZoneIamMember: non-authoritative, adds a single member while preserving others for the role
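The coexistence rules above are easy to break once several people add IAM resources to the same zone. The following added example (not part of the Pulumi documentation) encodes those two rules as a pre-deployment check over a constructed list of planned resources; the resource names and the `PlannedIamResource` shape are assumptions made for the example.

```typescript
// Added example: checks planned Cloud DNS IAM resources for ONE managed zone against
// the coexistence rules stated above. Not part of the Pulumi docs or provider.
type IamKind = "DnsManagedZoneIamPolicy" | "DnsManagedZoneIamBinding" | "DnsManagedZoneIamMember";

interface PlannedIamResource {
  name: string;   // Pulumi resource name (constructed for the example)
  kind: IamKind;
  role?: string;  // required for Binding and Member, absent for Policy
}

// Returns one message per conflict; an empty array means the plan is safe to apply.
function findZoneIamConflicts(resources: PlannedIamResource[]): string[] {
  const conflicts: string[] = [];
  const policies = resources.filter(r => r.kind === "DnsManagedZoneIamPolicy");
  const others = resources.filter(r => r.kind !== "DnsManagedZoneIamPolicy");

  // Rule 1: an authoritative Policy cannot coexist with any Binding or Member.
  for (const p of policies) {
    for (const o of others) {
      conflicts.push(`${p.name} (Policy) replaces the whole policy and will fight with ${o.name} (${o.kind})`);
    }
  }

  // Rule 2: a Binding and a Member may coexist only if they target different roles.
  const bindingsByRole = new Map<string, string[]>();
  for (const r of others) {
    if (r.kind === "DnsManagedZoneIamBinding" && r.role) {
      bindingsByRole.set(r.role, [...(bindingsByRole.get(r.role) ?? []), r.name]);
    }
  }
  for (const r of others) {
    if (r.kind === "DnsManagedZoneIamMember" && r.role) {
      for (const b of bindingsByRole.get(r.role) ?? []) {
        conflicts.push(`${b} (Binding) is authoritative for ${r.role} and will remove the member added by ${r.name}`);
      }
    }
  }
  return conflicts;
}

// Constructed sample plan: a viewer Member beside a viewer Binding (conflict)
// and an admin Binding on a different role (allowed).
const samplePlan: PlannedIamResource[] = [
  { name: "member", kind: "DnsManagedZoneIamMember", role: "roles/viewer" },
  { name: "viewers", kind: "DnsManagedZoneIamBinding", role: "roles/viewer" },
  { name: "admins", kind: "DnsManagedZoneIamBinding", role: "roles/dns.admin" },
];
```

Running `findZoneIamConflicts(samplePlan)` reports exactly one conflict, the viewer Member versus the viewer Binding, while the admin Binding on a different role passes.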
Configuration & Identity Formats
The member property supports multiple formats:
- allUsers: anyone on the internet
- allAuthenticatedUsers: anyone with a Google account
- user:{email}: specific Google account (e.g., user:alice@gmail.com)
- serviceAccount:{email}: service account (e.g., serviceAccount:my-app@appspot.gserviceaccount.com)
- group:{email}: Google group (e.g., group:admins@example.com)
- domain:{domain}: G Suite domain (e.g., domain:example.com)
- projectOwner/Editor/Viewer:{projectid}: project-level roles
- Federated identities: workload/workforce identity pool principals
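Because `allUsers` and `allAuthenticatedUsers` are valid member values, a typo-free grant can still expose a zone's records to the public. The added example below (not from the Pulumi documentation) parses a member value into the formats listed in this section, validates the predefined and custom role formats this section describes, and flags public principals before the grant is applied; the `principal://` and `principalSet://` prefixes used for federated identities are GCP's own principal formats rather than values taken from this page, and `reviewGrant` is a name chosen for the example.

```typescript
// Added example: classify a `member` value and review a planned grant.
// Not part of the Pulumi docs or provider.
interface MemberInfo {
  kind: string;       // "user", "serviceAccount", "group", "domain", "allUsers", "federated", ...
  id: string | null;  // the email, domain or project id after the colon, if any
  isPublic: boolean;  // true for allUsers and allAuthenticatedUsers
}

const PREFIXED_KINDS = new Set(["user", "serviceAccount", "group", "domain",
  "projectOwner", "projectEditor", "projectViewer"]);

// Returns null when the value matches none of the documented member formats.
function parseMember(member: string): MemberInfo | null {
  if (member === "allUsers" || member === "allAuthenticatedUsers") {
    return { kind: member, id: null, isPublic: true };
  }
  // Federated identities (workload/workforce identity pool principals) use GCP's
  // principal:// and principalSet:// URI forms.
  if (member.startsWith("principal://") || member.startsWith("principalSet://")) {
    return { kind: "federated", id: member.slice(member.indexOf("//") + 2), isPublic: false };
  }
  const colon = member.indexOf(":");
  if (colon < 0) return null;
  const kind = member.slice(0, colon);
  const id = member.slice(colon + 1);
  if (!PREFIXED_KINDS.has(kind) || id.length === 0) return null;
  return { kind, id, isPublic: false };
}

// Accepts predefined roles (roles/x) and custom roles
// ([projects|organizations]/{parent-name}/roles/{role-name}).
function isValidRole(role: string): boolean {
  return /^roles\/[A-Za-z0-9._-]+$/.test(role) ||
    /^(projects|organizations)\/[^/]+\/roles\/[A-Za-z0-9._-]+$/.test(role);
}

// Reviews one planned grant: rejects malformed values and flags public principals.
function reviewGrant(grant: { role: string; member: string }): string[] {
  const findings: string[] = [];
  const m = parseMember(grant.member);
  if (m === null) findings.push(`unrecognised member format: ${grant.member}`);
  if (!isValidRole(grant.role)) findings.push(`unrecognised role format: ${grant.role}`);
  if (m !== null && m.isPublic) {
    const who = m.kind === "allUsers" ? "anyone on the internet" : "any Google account";
    findings.push(`${grant.member} grants ${grant.role} on the zone to ${who}`);
  }
  return findings;
}
```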
The role property accepts predefined roles (e.g., roles/viewer) as well as custom roles in the format [projects|organizations]/{parent-name}/roles/{role-name} (e.g., projects/my-project/roles/my-custom-role).
Immutability & Lifecycle
The following properties are immutable: managedZone, member, role, project, and condition. Changing any of these requires recreating the resource.