Configuring DNS zone access permissions

Written by

Yandex Cloud

Updated at May 13, 2025

Assigning a role
Assigning multiple roles
Revoking a role

To grant a user, group, or service account access to a DNS zone, assign a role for it.

Assigning a role

CLI

Terraform

API

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

View the CLI command description for assigning a role for a DNS zone:
```
yc dns zone add-access-binding --help
```
Get a list of DNS zones in the default folder:
```
yc dns zone list
```
View a list of roles already assigned for the resource in question:
```
yc dns zone list-access-bindings <zone_ID>
```
Assign the role using this command:
- To a user:
```
yc dns zone add-access-binding <zone_ID> \
  --user-account-id <user_ID> \
  --role <role>
```
  Where:
  - --user-account-id: User ID. To assign a role to all authenticated users, use the --all-authenticated-users flag.
  - --role: Role to assign.
- To a service account:
```
yc dns zone add-access-binding <zone_ID> \
  --service-account-id <service_account_ID> \
  --role <role>
```
  Where:
  - --service-account-id: Service account ID.
  - --role: Role.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

To assign a role for a DNS zone using Terraform:

In the Terraform configuration file, define the parameters of the resources you want to create:
```
resource "yandex_dns_zone_iam_binding" "zone-viewers" {
  dns_zone_id = "<zone_ID>"
  role        = "<role>"
  members     = ["<subject_type>:<subject_ID>","<subject_type>:<subject_ID>"]
}
```
Where:
- dns_zone_id: DNS zone ID.
- role: Role.
- members: List of types and IDs of subjects getting the role. Use this format: userAccount:<user_ID> or serviceAccount:<service_account_ID>.
For more information about the yandex_dns_zone_iam_binding resource properties, see the provider documentation.
Create resources:
1. In the terminal, change to the folder where you edited the configuration file.
2. Make sure the configuration file is correct using the command:
```
terraform validate
```
  If the configuration is correct, the following message is returned:
```
Success! The configuration is valid.
```
3. Run the command:
```
terraform plan
```
  The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
4. Apply the configuration changes:
```
terraform apply
```
5. Confirm the changes: type yes in the terminal and press Enter.
Terraform will create all required resources. You can check the new resources using this CLI command:
```
yc dns zone list-access-bindings <zone_ID>
```

To assign a role, use the updateAccessBindings REST API method for the DnsZone resource or the DnsZoneService/UpdateAccessBindings gRPC API call. In the request body, set the action property to ADD and specify the user type and ID under subject.

Assigning multiple roles

CLI

Terraform

API

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

You can assign multiple roles using the set-access-bindings command.

Alert

The set-access-binding method completely rewrites access permissions for the resource! All current roles for the resource will be deleted.

Make sure the resource has no roles assigned that you would not want to lose:
```
yc dns zone list-access-bindings <zone_ID>
```
View the CLI command description for assigning roles for a DNS zone:
```
yc dns zone set-access-bindings --help
```

Assign roles:

yc dns zone set-access-bindings <zone_ID> \
  --access-binding role=<role>,subject=<subject_type>:<subject_ID> \
  --access-binding role=<role>,subject=<subject_type>:<subject_ID>

Where:

--access-binding: Parameters for setting access permissions:
- role: Role.
- subject: Type and ID of the entity assigned the role.

For example, assign the dns.editor roles to multiple users and a service account:

yc dns zone set-access-bindings my-disk-group \
  --access-binding role=dns.editor,subject=userAccount:gfei8n54hmfh********
  --access-binding role=dns.editor,subject=serviceAccount:ajel6l0jcb9s********

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

To assign multiple roles for a DNS zone using Terraform:

In the Terraform configuration file, define the parameters of the resources you want to create:
```
resource "yandex_dns_zone_iam_binding" "role1" {
  dns_zone_id = "<zone_ID>"
  role        = "<role_1>"
  members     = ["<subject_type>:<subject_ID>"]
}

resource "yandex_dns_zone_iam_binding" "role2" {
  dns_zone_id = "<zone_ID>"
  role        = "<role_2>"
  members     = ["<subject_type>:<subject_ID>"]
}
```
Where:
- dns_zone_id: DNS zone ID.
- role: Role.
- members: List of types and IDs of subjects getting the role. Use this format: userAccount:<user_ID> or serviceAccount:<service_account_ID>.
For more information about the yandex_dns_zone_iam_binding resource properties, see the provider documentation.
Create resources:
1. In the terminal, change to the folder where you edited the configuration file.
2. Make sure the configuration file is correct using the command:
```
terraform validate
```
  If the configuration is correct, the following message is returned:
```
Success! The configuration is valid.
```
3. Run the command:
```
terraform plan
```
  The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
4. Apply the configuration changes:
```
terraform apply
```
5. Confirm the changes: type yes in the terminal and press Enter.
You can check the changes using this CLI command:
```
yc dns zone list-access-bindings <zone_ID>
```

To assign roles for a resource, use the setAccessBindings REST API method for the DnsZone resource or the DnsZoneService/SetAccessBindings gRPC API call.

Alert

The setAccessBindings method and the DnsZoneService/SetAccessBindings call completely overwrite access permissions for the resource. All current roles for the resource will be deleted.

Revoking a role

CLI

Terraform

API

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

View the CLI command description for revoking a role for a DNS zone:
```
yc dns zone add-access-binding --help
```
View a list of roles already assigned for the resource in question:
```
yc dns zone list-access-bindings <zone_ID>
```
To revoke access permissions, run this command:
```
yc dns zone remove-access-binding <zone_ID> \
  --role=<role> \
  --subject=<subject_type>:<subject_ID> \
```
Where:
- --role: ID of the role to revoke.
- --subject: Type and ID of the subject to revoke the role from.
For example, to revoke the dns.editor role for a DNS zone from a user with the ajel6l0jcb9s******** ID:
```
yc dns zone remove-access-binding my-dns-zone \
  --role dns.editor \
  --subject userAccount:ajel6l0jcb9s********
```

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

To revoke a role assigned for a DNS zone:

Open the Terraform configuration file and delete the section specifying the role:

...
resource "yandex_dns_zone_iam_binding" "sa-role" {
  dns_zone_id = "<zone_ID>"
  role        = "<role>"
  members     = ["<subject_type>:<subject_ID>"]
}

Apply the changes:
1. In the terminal, change to the folder where you edited the configuration file.
2. Make sure the configuration file is correct using the command:
```
terraform validate
```
  If the configuration is correct, the following message is returned:
```
Success! The configuration is valid.
```
3. Run the command:
```
terraform plan
```
  The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
4. Apply the configuration changes:
```
terraform apply
```
5. Confirm the changes: type yes in the terminal and press Enter.
You can check the changes using this CLI command:
```
yc dns zone list-access-bindings <zone_ID>
```

To revoke a role, use the updateAccessBindings REST API method for the DnsZone resource or the DnsZoneService/UpdateAccessBindings gRPC API call. In the request body, set the action property to REMOVE and specify the user type and ID under subject.

Configuring DNS zone access permissions

Assigning a role

Assigning multiple roles

Revoking a role

Was the article helpful?