Configuring DNS zone access permissions

Written by

Yandex Cloud

Updated at October 30, 2024

Assigning a role
Assigning multiple roles
Revoking a role

To grant a user, group, or service account access to a DNS zone, assign a role for it.

Assigning a role

CLI

Terraform

API

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

View the CLI command description for assigning a role for a DNS zone:
```
yc dns zone add-access-binding --help
```
Get a list of DNS zones in the default folder:
```
yc dns zone list
```
View the list of roles already assigned for the resource:
```
yc dns zone list-access-bindings <zone_ID>
```
Assign the role using the command:
- To a user:
```
yc dns zone add-access-binding <zone_ID> \
  --user-account-id <user_ID> \
  --role <role>
```
  Where:
  - --user-account-id: User ID. To assign a role to all authenticated users, use the --all-authenticated-users flag.
  - --role: Role to assign.
- To a service account:
```
yc dns zone add-access-binding <zone_ID> \
  --service-account-id <service_account_ID> \
  --role <role>
```
  Where:
  - --service-account-id is the service account ID.
  - --role: Role to assign.

Terraform allows you to quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. Configuration files store the infrastructure description in the HashiCorp Configuration Language (HCL). Terraform and its providers are distributed under the Business Source License.

For more information about the provider resources, see the documentation on the Terraform website or the mirror.

If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

To assign a role for a DNS zone using Terraform:

In the Terraform configuration file, describe the parameters of the resources you want to create:
```
resource "yandex_dns_zone_iam_binding" "zone-viewers" {
  dns_zone_id = "<zone_ID>"
  role        = "<role>"
  members     = ["<subject_type>:<subject_ID>","<subject_type>:<subject_ID>"]
}
```
Where:
- dns_zone_id: DNS zone ID.
- role: Role to assign.
- members: List of types and IDs of subjects the roles are assigned to. Specify it as userAccount:<user_ID> or serviceAccount:<service_account_ID>.
For more information about the yandex_dns_zone_iam_binding resource parameters, see the provider documentation.
Create resources:
1. In the terminal, change to the folder where you edited the configuration file.
2. Make sure the configuration file is correct using the command:
```
terraform validate
```
  If the configuration is correct, the following message is returned:
```
Success! The configuration is valid.
```
3. Run the command:
```
terraform plan
```
  The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
4. Apply the configuration changes:
```
terraform apply
```
5. Confirm the changes: type yes in the terminal and press Enter.
Terraform will create all the required resources. You can check the new resources using this CLI command:
```
yc dns zone list-access-bindings <zone_ID>
```

To assign a role, use the updateAccessBindings REST API method for the DnsZone resource or the DnsZoneService/UpdateAccessBindings gRPC API call. In the request body, set the action property to ADD and specify the user type and ID in the subject property.

Assigning multiple roles

CLI

Terraform

API

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

You can assign multiple roles using the set-access-bindings command.

Alert

The set-access-binding method completely rewrites access permissions for the resource! All current resource roles will be deleted.

Make sure the resource has no roles assigned that you would not want to lose:
```
yc dns zone list-access-bindings <zone_ID>
```
View the CLI command description for assigning roles for a DNS zone:
```
yc dns zone set-access-bindings --help
```

Assign roles:

yc dns zone set-access-bindings <zone_ID> \
  --access-binding role=<role>,subject=<subject_type>:<subject_ID> \
  --access-binding role=<role>,subject=<subject_type>:<subject_ID>

Where:

--access-binding: Parameters for setting access permissions:
- role: Role to assign.
- subject: Type and ID of the subject getting the role.

For example, assign the dns.editor roles to multiple users and a service account:

yc dns zone set-access-bindings my-disk-group \
  --access-binding role=dns.editor,subject=userAccount:gfei8n54hmfh********
  --access-binding role=dns.editor,subject=serviceAccount:ajel6l0jcb9s********

For more information about the provider resources, see the documentation on the Terraform website or the mirror.

If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

To assign multiple roles for a DNS zone using Terraform:

In the Terraform configuration file, describe the parameters of the resources you want to create:
```
resource "yandex_dns_zone_iam_binding" "role1" {
  dns_zone_id = "<zone_ID>"
  role        = "<role_1>"
  members     = ["<subject_type>:<subject_ID>"]
}

resource "yandex_dns_zone_iam_binding" "role2" {
  dns_zone_id = "<zone_ID>"
  role        = "<role_2>"
  members     = ["<subject_type>:<subject_ID>"]
}
```
Where:
- dns_zone_id: DNS zone ID.
- role: Role to assign.
- members: List of types and IDs of subjects the roles are assigned to. Specify it as userAccount:<user_ID> or serviceAccount:<service_account_ID>.
For more information about the yandex_dns_zone_iam_binding resource parameters, see the provider documentation.
Create resources:
1. In the terminal, change to the folder where you edited the configuration file.
2. Make sure the configuration file is correct using the command:
```
terraform validate
```
  If the configuration is correct, the following message is returned:
```
Success! The configuration is valid.
```
3. Run the command:
```
terraform plan
```
  The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
4. Apply the configuration changes:
```
terraform apply
```
5. Confirm the changes: type yes in the terminal and press Enter.
You can check the changes using this CLI command:
```
yc dns zone list-access-bindings <zone_ID>
```

To assign roles for a resource, use the setAccessBindings REST API method for the DnsZone resource or the DnsZoneService/SetAccessBindings gRPC API call.

Alert

The setAccessBindings method and the DnsZoneService/SetAccessBindings call completely overwrite access permissions for the resource. All current resource roles will be deleted.

Revoking a role

CLI

Terraform

API

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

View the CLI command description for revoking a role for a DNS zone:
```
yc dns zone add-access-binding --help
```
View the list of roles already assigned for the resource:
```
yc dns zone list-access-bindings <zone_ID>
```
To revoke access permissions, run this command:
```
yc dns zone remove-access-binding <zone_ID> \
  --role=<role> \
  --subject=<subject_type>:<subject_ID> \
```
Where:
- --role: ID of the role to revoke.
- --subject: Type and ID of the subject to revoke the role from.
For example, to revoke the dns.editor role for a DNS zone from a user with the ajel6l0jcb9s******** ID:
```
yc dns zone remove-access-binding my-dns-zone \
  --role dns.editor \
  --subject userAccount:ajel6l0jcb9s********
```

For more information about the provider resources, see the documentation on the Terraform website or the mirror.

If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

To revoke a role assigned for a DNS zone using Terraform:

Open the Terraform configuration file and delete the fragment with the role description.

...
resource "yandex_dns_zone_iam_binding" "sa-role" {
  dns_zone_id = "<zone_ID>"
  role        = "<role>"
  members     = ["<subject_type>:<subject_ID>"]
}

Apply the changes:
1. In the terminal, change to the folder where you edited the configuration file.
2. Make sure the configuration file is correct using the command:
```
terraform validate
```
  If the configuration is correct, the following message is returned:
```
Success! The configuration is valid.
```
3. Run the command:
```
terraform plan
```
  The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
4. Apply the configuration changes:
```
terraform apply
```
5. Confirm the changes: type yes in the terminal and press Enter.
You can check the changes using this CLI command:
```
yc dns zone list-access-bindings <zone_ID>
```

To revoke a role, use the updateAccessBindings REST API method for the DnsZone resource or the DnsZoneService/UpdateAccessBindings gRPC API call. In the request body, set the action property to REMOVE and specify the user type and ID in the subject property.

Configuring DNS zone access permissions

Assigning a roleAssigning a role

Assigning multiple rolesAssigning multiple roles

Revoking a roleRevoking a role

Was the article helpful?

Assigning a role

Assigning multiple roles

Revoking a role