Configuring DNS zone access permissions

Written by

Yandex Cloud

Updated at June 9, 2025

Assigning a role
Assigning multiple roles
Revoking a role

Assign an appropriate role to a user, group, or service account to provide DNS zone access.

Assigning a role

CLI

Terraform

API

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

See the description of the CLI command for the DNS zone role assignment:
```
yc dns zone add-access-binding --help
```
Get a DNS zone list in the default folder:
```
yc dns zone list
```
Check currently assigned roles for the DNS zone you want to update:
```
yc dns zone list-access-bindings <zone_ID>
```
To assign the role, run the following command:
- Assigning the role to a user:
```
yc dns zone add-access-binding <zone_ID> \
  --user-account-id <user_ID> \
  --role <role>
```
  Where:
  - --user-account-id: User ID. To assign the role to all authenticated users, use the --all-authenticated-users flag.
  - --role: Role to assign.
- Assigning the role to a service account:
```
yc dns zone add-access-binding <zone_ID> \
  --service-account-id <service_account_ID> \
  --role <role>
```
  Where:
  - --service-account-id: Service account ID.
  - --role: Role to assign.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

To assign a role for a DNS zone using Terraform, do the following:

In the Terraform configuration file, describe the resources you want to create:
```
resource "yandex_dns_zone_iam_binding" "zone-viewers" {
  dns_zone_id = "<zone_ID>"
  role        = "<role>"
  members     = ["<subject_type>:<subject_ID>","<subject_type>:<subject_ID>"]
}
```
Where:
- dns_zone_id: DNS zone ID.
- role: Role.
- members: Types and IDs of entities assigned the role. Use the following format: type:<ID>, e.g., userAccount:<user_ID> or serviceAccount:<service_account_ID>.
For more information about yandex_dns_zone_iam_binding resource properties, see the provider documentation.
Create the resources:
1. In the terminal, go to the directory where you edited the configuration file.
2. Make sure the configuration file is correct using this command:
```
terraform validate
```
  If the configuration is correct, you will get this message:
```
Success! The configuration is valid.
```
3. Run this command:
```
terraform plan
```
  You will see a detailed list of resources. No changes will be made at this step. Terraform will show any errors found in your configuration.
4. Apply the changes:
```
terraform apply
```
5. Type yes and press Enter to confirm the changes.
Terraform will create all required resources. You can check the new resources using this CLI command:
```
yc dns zone list-access-bindings <zone_ID>
```

To assign a role, use the updateAccessBindings REST API method for the DnsZone resource or the DnsZoneService/UpdateAccessBindings gRPC API call. In the request body, set the action property to ADD and specify the user type and ID under subject.

Assigning multiple roles

CLI

Terraform

API

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

You can assign multiple roles using the set-access-bindings command.

Alert

The set-access-binding command completely rewrites access permissions for the resource! All roles previously assigned for this resource will be deleted.

Make sure the resource has no important roles assigned before proceeding:
```
yc dns zone list-access-bindings <zone_ID>
```
See the description of the CLI command for the DNS zone role assignment:
```
yc dns zone set-access-bindings --help
```

Assign roles:

yc dns zone set-access-bindings <zone_ID> \
  --access-binding role=<role>,subject=<subject_type>:<subject_ID> \
  --access-binding role=<role>,subject=<subject_type>:<subject_ID>

Where:

--access-binding: Access permission settings:
- role: Role.
- subject: Type and ID of the entity assigned the role.

For example, you can assign the dns.editor role to multiple users and a service account:

yc dns zone set-access-bindings my-disk-group \
  --access-binding role=dns.editor,subject=userAccount:gfei8n54hmfh********
  --access-binding role=dns.editor,subject=serviceAccount:ajel6l0jcb9s********

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

To assign multiple roles for a DNS zone using Terraform:

In the Terraform configuration file, describe the resources you want to create:
```
resource "yandex_dns_zone_iam_binding" "role1" {
  dns_zone_id = "<zone_ID>"
  role        = "<role_1>"
  members     = ["<subject_type>:<subject_ID>"]
}

resource "yandex_dns_zone_iam_binding" "role2" {
  dns_zone_id = "<zone_ID>"
  role        = "<role_2>"
  members     = ["<subject_type>:<subject_ID>"]
}
```
Where:
- dns_zone_id: DNS zone ID.
- role: Role.
- members: Types and IDs of entities assigned the role. Use the following format: type:<ID>, e.g., userAccount:<user_ID> or serviceAccount:<service_account_ID>.
For more information about yandex_dns_zone_iam_binding resource properties, see the provider documentation.
Create the resources:
1. In the terminal, go to the directory where you edited the configuration file.
2. Make sure the configuration file is correct using this command:
```
terraform validate
```
  If the configuration is correct, you will get this message:
```
Success! The configuration is valid.
```
3. Run this command:
```
terraform plan
```
  You will see a detailed list of resources. No changes will be made at this step. Terraform will show any errors found in your configuration.
4. Apply the changes:
```
terraform apply
```
5. Type yes and press Enter to confirm the changes.
You can verify the changes using this CLI command:
```
yc dns zone list-access-bindings <zone_ID>
```

To assign roles for a resource, use the setAccessBindings REST API method for the DnsZone resource or the DnsZoneService/SetAccessBindings gRPC API call.

Alert

The setAccessBindings method and the DnsZoneService/SetAccessBindings call overwrite all existing access permissions for the resource. All roles previously assigned for this resource will be deleted.

Revoking a role

CLI

Terraform

API

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

See the description of the CLI command for revoking DNS zone roles:
```
yc dns zone add-access-binding --help
```
Check what roles are currently assigned for the DNS zone you want to update:
```
yc dns zone list-access-bindings <zone_ID>
```
To revoke access permissions, run this command:
```
yc dns zone remove-access-binding <zone_ID> \
  --role=<role> \
  --subject=<subject_type>:<subject_ID> \
```
Where:
- --role: ID of the role you want to revoke.
- --subject: Type and ID of the target entity for role revocation.
For example, run the following command to revoke the dns.editor role from a user with the ajel6l0jcb9s******** ID:
```
yc dns zone remove-access-binding my-dns-zone \
  --role dns.editor \
  --subject userAccount:ajel6l0jcb9s********
```

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

To revoke a role assigned for a DNS zone:

Open the Terraform configuration file and delete the fragment describing the role:

...
resource "yandex_dns_zone_iam_binding" "sa-role" {
  dns_zone_id = "<zone_ID>"
  role        = "<role>"
  members     = ["<subject_type>:<subject_ID>"]
}

Apply the changes:
1. In the terminal, go to the directory where you edited the configuration file.
2. Make sure the configuration file is correct using this command:
```
terraform validate
```
  If the configuration is correct, you will get this message:
```
Success! The configuration is valid.
```
3. Run this command:
```
terraform plan
```
  You will see a detailed list of resources. No changes will be made at this step. Terraform will show any errors found in your configuration.
4. Apply the changes:
```
terraform apply
```
5. Type yes and press Enter to confirm the changes.
You can verify the changes using this CLI command:
```
yc dns zone list-access-bindings <zone_ID>
```

To revoke a role, use the updateAccessBindings REST API method for the DnsZone resource or the DnsZoneService/UpdateAccessBindings gRPC API call. In the request body, set the action property to REMOVE and specify the user type and ID under subject.

Configuring DNS zone access permissions

Assigning a roleAssigning a role

Assigning multiple rolesAssigning multiple roles

Revoking a roleRevoking a role

Was the article helpful?

Assigning a role

Assigning multiple roles

Revoking a role