Configuring DNS zone access permissions
Assign an appropriate role to a user, group, or service account to provide DNS zone access.
Assigning a role
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
- See the description of the CLI command for the DNS zone role assignment:
  yc dns zone add-access-binding --help
- Get a DNS zone list in the default folder:
  yc dns zone list
- Check the roles currently assigned for the DNS zone you want to update:
  yc dns zone list-access-bindings <zone_ID>
- To assign the role, run one of the following commands.
  Assigning the role to a user:
  yc dns zone add-access-binding <zone_ID> \
    --user-account-id <user_ID> \
    --role <role>
  Where:
  --user-account-id: User ID.
  --role: Role to assign.
  Assigning the role to a service account:
  yc dns zone add-access-binding <zone_ID> \
    --service-account-id <service_account_ID> \
    --role <role>
  Where:
  --service-account-id: Service account ID.
  --role: Role to assign.
With Terraform
Terraform is distributed under the Business Source License.
For more information about the provider resources, see the documentation on the Terraform
If you do not have Terraform yet, install it and configure its Yandex Cloud provider.
To assign a role for a DNS zone using Terraform, do the following:
- In the Terraform configuration file, describe the resources you want to create:
  resource "yandex_dns_zone_iam_binding" "zone-viewers" {
    dns_zone_id = "<zone_ID>"
    role        = "<role>"
    members     = ["<subject_type>:<subject_ID>", "<subject_type>:<subject_ID>"]
  }
  Where:
  dns_zone_id: DNS zone ID.
  role: Role.
  members: Types and IDs of the entities assigned the role. Use the following format: type:<ID>, e.g., userAccount:<user_ID> or serviceAccount:<service_account_ID>.
  For more information about yandex_dns_zone_iam_binding resource properties, see the provider documentation.
- Create the resources:
  - In the terminal, go to the directory where you edited the configuration file.
  - Make sure the configuration file is correct using this command:
    terraform validate
    If the configuration is correct, you will get this message:
    Success! The configuration is valid.
  - Run this command:
    terraform plan
    You will see a detailed list of resources. No changes will be made at this step. Terraform will show any errors found in your configuration.
  - Apply the changes:
    terraform apply
  - Type yes and press Enter to confirm the changes.
  Terraform will create all required resources. You can check the new resources using this CLI command:
  yc dns zone list-access-bindings <zone_ID>
To assign a role, use the updateAccessBindings REST API method for the DnsZone resource or the DnsZoneService/UpdateAccessBindings gRPC API call. In the request body, set the action property to ADD and specify the user type and ID under subject.
Assigning multiple roles
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
You can assign multiple roles using the set-access-bindings command.
Alert
The set-access-bindings command completely rewrites access permissions for the resource! All roles previously assigned for this resource will be deleted.
- Make sure the resource has no important roles assigned before proceeding:
  yc dns zone list-access-bindings <zone_ID>
- See the description of the CLI command for the DNS zone role assignment:
  yc dns zone set-access-bindings --help
- Assign roles:
  yc dns zone set-access-bindings <zone_ID> \
    --access-binding role=<role>,subject=<subject_type>:<subject_ID> \
    --access-binding role=<role>,subject=<subject_type>:<subject_ID>
  Where:
  --access-binding: Access permission settings, one flag per binding:
    role: Role to assign.
    subject: Type and ID of the entity the role is assigned to, in <subject_type>:<subject_ID> format.
  For example, you can assign the dns.editor role to multiple users and a service account:
  yc dns zone set-access-bindings my-disk-group \
    --access-binding role=dns.editor,subject=userAccount:gfei8n54hmfh******** \
    --access-binding role=dns.editor,subject=serviceAccount:ajel6l0jcb9s********
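The alert above is the practical risk of set-access-bindings: whatever is not on the command line is gone. The following Python script is an added example (not code from the Yandex Cloud documentation or the yc CLI) that reads the JSON which yc dns zone list-access-bindings <zone_ID> --format json is assumed to print (the role_id and subject field names are an assumption here, and the sample IDs are constructed), reports which existing bindings a bare call would delete, and renders a set-access-bindings command carrying the union of existing and new bindings.

```python
"""Compose a set-access-bindings call that preserves existing DNS zone roles."""
import json
import shlex

# Constructed sample of `yc dns zone list-access-bindings <zone_ID> --format json`
# output (assumed field names: role_id, subject.type, subject.id). Not real IDs.
CURRENT_JSON = """[
  {"role_id": "dns.viewer", "subject": {"id": "ajeexamplesa00000001", "type": "serviceAccount"}},
  {"role_id": "dns.editor", "subject": {"id": "gfeexampleuser000001", "type": "userAccount"}}
]"""


def parse_bindings(raw):
    """Turn the CLI's JSON into a set of (role, subject_type, subject_id) triples."""
    return {(b["role_id"], b["subject"]["type"], b["subject"]["id"])
            for b in json.loads(raw)}


def dropped_bindings(current, desired):
    """Bindings that set-access-bindings would delete if called with `desired` alone."""
    return current - desired


def merged_bindings(current, desired):
    """set-access-bindings replaces the whole list, so pass current plus new."""
    return current | desired


def build_command(zone_id, bindings):
    """Render the CLI call with one --access-binding flag per binding."""
    parts = ["yc", "dns", "zone", "set-access-bindings", zone_id]
    for role, stype, sid in sorted(bindings):
        parts += ["--access-binding", f"role={role},subject={stype}:{sid}"]
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    current = parse_bindings(CURRENT_JSON)
    new = {("dns.editor", "serviceAccount", "ajeexamplesa00000002")}
    lost = dropped_bindings(current, new)
    if lost:
        print("Would be deleted by a bare set-access-bindings:", sorted(lost))
    print(build_command("dns-zone-example", merged_bindings(current, new)))
```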
With Terraform
Terraform is distributed under the Business Source License.
For more information about the provider resources, see the documentation on the Terraform
If you do not have Terraform yet, install it and configure its Yandex Cloud provider.
To assign multiple roles for a DNS zone using Terraform:
- In the Terraform configuration file, describe the resources you want to create:
  resource "yandex_dns_zone_iam_binding" "role1" {
    dns_zone_id = "<zone_ID>"
    role        = "<role_1>"
    members     = ["<subject_type>:<subject_ID>"]
  }

  resource "yandex_dns_zone_iam_binding" "role2" {
    dns_zone_id = "<zone_ID>"
    role        = "<role_2>"
    members     = ["<subject_type>:<subject_ID>"]
  }
  Where:
  dns_zone_id: DNS zone ID.
  role: Role.
  members: Types and IDs of the entities assigned the role. Use the following format: type:<ID>, e.g., userAccount:<user_ID> or serviceAccount:<service_account_ID>.
  For more information about yandex_dns_zone_iam_binding resource properties, see the provider documentation.
- Create the resources:
  - In the terminal, go to the directory where you edited the configuration file.
  - Make sure the configuration file is correct using this command:
    terraform validate
    If the configuration is correct, you will get this message:
    Success! The configuration is valid.
  - Run this command:
    terraform plan
    You will see a detailed list of resources. No changes will be made at this step. Terraform will show any errors found in your configuration.
  - Apply the changes:
    terraform apply
  - Type yes and press Enter to confirm the changes.
  You can verify the changes using this CLI command:
  yc dns zone list-access-bindings <zone_ID>
To assign roles for a resource, use the setAccessBindings REST API method for the DnsZone resource or the DnsZoneService/SetAccessBindings gRPC API call.
Alert
The setAccessBindings method and the DnsZoneService/SetAccessBindings call overwrite all existing access permissions for the resource. All roles previously assigned for this resource will be deleted.
Revoking a role
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
- See the description of the CLI command for revoking DNS zone roles:
  yc dns zone remove-access-binding --help
- Check what roles are currently assigned for the DNS zone you want to update:
  yc dns zone list-access-bindings <zone_ID>
- To revoke access permissions, run this command:
  yc dns zone remove-access-binding <zone_ID> \
    --role=<role> \
    --subject=<subject_type>:<subject_ID>
  Where:
  --role: ID of the role you want to revoke.
  --subject: Type and ID of the target entity for role revocation.
  For example, run the following command to revoke the dns.editor role from a user with the ajel6l0jcb9s******** ID:
  yc dns zone remove-access-binding my-dns-zone \
    --role dns.editor \
    --subject userAccount:ajel6l0jcb9s********
With Terraform
Terraform is distributed under the Business Source License.
For more information about the provider resources, see the documentation on the Terraform
If you do not have Terraform yet, install it and configure its Yandex Cloud provider.
To revoke a role assigned for a DNS zone:
- Open the Terraform configuration file and delete the fragment describing the role:
  ...
  resource "yandex_dns_zone_iam_binding" "sa-role" {
    dns_zone_id = "<zone_ID>"
    role        = "<role>"
    members     = ["<subject_type>:<subject_ID>"]
  }
- Apply the changes:
  - In the terminal, go to the directory where you edited the configuration file.
  - Make sure the configuration file is correct using this command:
    terraform validate
    If the configuration is correct, you will get this message:
    Success! The configuration is valid.
  - Run this command:
    terraform plan
    You will see a detailed list of resources. No changes will be made at this step. Terraform will show any errors found in your configuration.
  - Apply the changes:
    terraform apply
  - Type yes and press Enter to confirm the changes.
  You can verify the changes using this CLI command:
  yc dns zone list-access-bindings <zone_ID>
To revoke a role, use the updateAccessBindings REST API method for the DnsZone resource or the DnsZoneService/UpdateAccessBindings gRPC API call. In the request body, set the action property to REMOVE and specify the user type and ID under subject.
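The updateAccessBindings calls described in the API paragraphs for assigning (action ADD) and revoking (action REMOVE) a role take a list of deltas rather than a full replacement list. This added Python example, not from the Yandex Cloud documentation, computes those deltas as a diff between the zone's current bindings and a desired state; it assumes the accessBindingDeltas/action/accessBinding request shape and the role_id/subject field names of the yc CLI's JSON output, and the sample IDs are constructed.

```python
"""Build an updateAccessBindings request body as a diff between current and desired roles."""
import json

# Constructed sample of `yc dns zone list-access-bindings <zone_ID> --format json`
# output (assumed field names); the IDs are made up for this example.
CURRENT_JSON = """[
  {"role_id": "dns.editor", "subject": {"id": "gfeexampleuser000001", "type": "userAccount"}},
  {"role_id": "dns.viewer", "subject": {"id": "ajeexamplesa00000001", "type": "serviceAccount"}}
]"""


def parse_bindings(raw):
    """Return (role, subject_type, subject_id) triples from the CLI JSON."""
    return {(b["role_id"], b["subject"]["type"], b["subject"]["id"])
            for b in json.loads(raw)}


def delta(action, binding):
    """One accessBindingDeltas entry; action is "ADD" or "REMOVE" (assumed request shape)."""
    role, stype, sid = binding
    return {"action": action,
            "accessBinding": {"roleId": role, "subject": {"id": sid, "type": stype}}}


def plan_deltas(current, desired):
    """updateAccessBindings is incremental: ADD what is missing, REMOVE what is extra,
    and leave every other binding untouched (unlike setAccessBindings, which replaces all)."""
    adds = [delta("ADD", b) for b in sorted(desired - current)]
    removes = [delta("REMOVE", b) for b in sorted(current - desired)]
    return adds + removes


def request_body(deltas):
    """Serialize the JSON body for the REST method (the gRPC message carries the same fields)."""
    return json.dumps({"accessBindingDeltas": deltas}, indent=2)


if __name__ == "__main__":
    current = parse_bindings(CURRENT_JSON)
    # Desired state: keep the viewer service account, swap the editor user for another one.
    desired = {("dns.viewer", "serviceAccount", "ajeexamplesa00000001"),
               ("dns.editor", "userAccount", "gfeexampleuser000002")}
    print(request_body(plan_deltas(current, desired)))
```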