Configuring DNS zone access permissions
To grant a user, group, or service account access to a DNS zone, assign a role for it.
Assigning a role
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
View the CLI command description for assigning a role for a DNS zone:
yc dns zone add-access-binding --help
-
Get a list of DNS zones in the default folder:
yc dns zone list
-
View the list of roles already assigned for the resource:
yc dns zone list-access-bindings <zone_ID>
-
Assign the role using the command:
-
To a user:
yc dns zone add-access-binding <zone_ID> \ --user-account-id <user_ID> \ --role <role>
Where:
-
To a service account:
yc dns zone add-access-binding <zone_ID> \ --service-account-id <service_account_ID> \ --role <role>
Where:
--service-account-id
is the service account ID.--role
: Role to assign.
-
Terraform
For more information about the provider resources, see the documentation on the Terraform
If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
To assign a role for a DNS zone using Terraform:
-
In the Terraform configuration file, describe the parameters of the resources you want to create:
resource "yandex_dns_zone_iam_binding" "zone-viewers" { dns_zone_id = "<zone_ID>" role = "<role>" members = ["<subject_type>:<subject_ID>","<subject_type>:<subject_ID>"] }
Where:
dns_zone_id
: DNS zone ID.role
: Role to assign.members
: List of types and IDs of subjects the roles are assigned to. Specify it asuserAccount:<user_ID>
orserviceAccount:<service_account_ID>
.
For more information about the
yandex_dns_zone_iam_binding
resource parameters, see the provider documentation . -
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
in the terminal and press Enter.
Terraform will create all the required resources. You can check the new resources using this CLI command:
yc dns zone list-access-bindings <zone_ID>
-
To assign a role, use the updateAccessBindings REST API method for the DnsZone resource or the DnsZoneService/UpdateAccessBindings gRPC API call. In the request body, set the action
property to ADD
and specify the user type and ID in the subject
property.
Assigning multiple roles
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
You can assign multiple roles using the set-access-bindings
command.
Alert
The set-access-binding
method completely rewrites access permissions for the resource! All current resource roles will be deleted.
-
Make sure the resource has no roles assigned that you would not want to lose:
yc dns zone list-access-bindings <zone_ID>
-
View the CLI command description for assigning roles for a DNS zone:
yc dns zone set-access-bindings --help
-
Assign roles:
yc dns zone set-access-bindings <zone_ID> \ --access-binding role=<role>,subject=<subject_type>:<subject_ID> \ --access-binding role=<role>,subject=<subject_type>:<subject_ID>
Where:
-
--access-binding
: Parameters for setting access permissions:
For example, assign the
dns.editor
roles to multiple users and a service account:yc dns zone set-access-bindings my-disk-group \ --access-binding role=dns.editor,subject=userAccount:gfei8n54hmfh******** --access-binding role=dns.editor,subject=serviceAccount:ajel6l0jcb9s********
-
Terraform
For more information about the provider resources, see the documentation on the Terraform
If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
To assign multiple roles for a DNS zone using Terraform:
-
In the Terraform configuration file, describe the parameters of the resources you want to create:
resource "yandex_dns_zone_iam_binding" "role1" { dns_zone_id = "<zone_ID>" role = "<role_1>" members = ["<subject_type>:<subject_ID>"] } resource "yandex_dns_zone_iam_binding" "role2" { dns_zone_id = "<zone_ID>" role = "<role_2>" members = ["<subject_type>:<subject_ID>"] }
Where:
dns_zone_id
: DNS zone ID.role
: Role to assign.members
: List of types and IDs of subjects the roles are assigned to. Specify it asuserAccount:<user_ID>
orserviceAccount:<service_account_ID>
.
For more information about the
yandex_dns_zone_iam_binding
resource parameters, see the provider documentation . -
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
in the terminal and press Enter.
You can check the changes using this CLI command:
yc dns zone list-access-bindings <zone_ID>
-
To assign roles for a resource, use the setAccessBindings REST API method for the DnsZone resource or the DnsZoneService/SetAccessBindings gRPC API call.
Alert
The setAccessBindings
method and the DnsZoneService/SetAccessBindings
call completely rewrite the resource access permissions. All current resource roles will be deleted.
Revoking a role
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
View the CLI command description for revoking a role for a DNS zone:
yc dns zone add-access-binding --help
-
View the list of roles already assigned for the resource:
yc dns zone list-access-bindings <zone_ID>
-
To revoke access permissions, run this command:
yc dns zone remove-access-binding <zone_ID> \ --role=<role> \ --subject=<subject_type>:<subject_ID> \
Where:
--role
: ID of the role to revoke.--subject
: Type and ID of the subject to revoke the role from.
For example, to revoke the
dns.editor
role for a DNS zone from a user with theajel6l0jcb9s********
ID:yc dns zone remove-access-binding my-dns-zone \ --role dns.editor \ --subject userAccount:ajel6l0jcb9s********
Terraform
For more information about the provider resources, see the documentation on the Terraform
If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
To revoke a role assigned for a DNS zone using Terraform:
-
Open the Terraform configuration file and delete the fragment with the role description.
... resource "yandex_dns_zone_iam_binding" "sa-role" { dns_zone_id = "<zone_ID>" role = "<role>" members = ["<subject_type>:<subject_ID>"] }
-
Apply the changes:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
in the terminal and press Enter.
You can check the changes using this CLI command:
yc dns zone list-access-bindings <zone_ID>
-
To revoke a role, use the updateAccessBindings REST API method for the DnsZone resource or the DnsZoneService/UpdateAccessBindings gRPC API call. In the request body, set the action
property to REMOVE
and specify the user type and ID in the subject
property.