GCP Cloud DNS

GCP Cloud DNS integration allows your product to discover and manage DNS zones and DNS records hosted in Google Cloud Platform (GCP). This integration provides visibility into domain configurations, internal/external DNS zones, and DNS record sets to support network posture assessment, security auditing, and DNS automation workflows.

Credentials Needed

To integrate with GCP Cloud DNS, you need a Service Account Key with appropriate permissions for Cloud DNS resources.

Required credentials:

Service Account JSON Key File (contains project_id, client_email, and private_key)
(Optional) Project ID if not included in the key file

Always create a dedicated Service Account with read-only permissions for DNS discovery — never use owner or editor roles.

Permissions Needed / IAM Roles

To read DNS zones and record sets, the Service Account must have the following IAM roles:

Role	Purpose
DNS Reader (`roles/dns.reader`)	Grants read-only access to Cloud DNS managed zones and records
Viewer (`roles/viewer`)	Optional — allows read access to other metadata and project-level info

Minimum Required Role: roles/dns.reader

If your integration needs to modify DNS records (not recommended for security-only use), use roles/dns.admin.

Creating Users / Service Account in GCP

Step 1: Create a Service Account

Go to GCP Console → IAM & Admin → Service Accounts https://console.cloud.google.com/iam-admin/serviceaccounts
Click + Create Service Account
Enter:
- Service account name: dns-integration-sa
- Description: For Cloud DNS integration access
Click Create and Continue

Step 2: Assign Roles

In the "Grant this service account access to project" section, click + Add Another Role
Select:
- DNS Reader (roles/dns.reader)
- (Optional) Viewer (roles/viewer)
Click Continue → Done

Step 3: Generate and Download the Key

Find your newly created Service Account in the list
Click the three-dot menu → Manage Keys → Add Key → Create New Key
Select JSON format
Download the key file — e.g., gcp-dns-service-key.json
Store it securely in your platform's encrypted vault

Test Connectivity

You can test connectivity using the gcloud CLI or REST API.

Option 1: Using gcloud CLI

# Activate the service account
gcloud auth activate-service-account --key-file=gcp-dns-service-key.json

# Set the project
gcloud config set project <PROJECT_ID>

# List managed DNS zones
gcloud dns managed-zones list

# List DNS records for a zone
gcloud dns record-sets list --zone=<ZONE_NAME>

Example Response:

[
  {
    "kind": "dns#managedZone",
    "id": "1234567890123",
    "name": "example-zone",
    "dnsName": "example.com.",
    "visibility": "public",
    "nameServers": [
      "ns-cloud-a1.googledomains.com.",
      "ns-cloud-a2.googledomains.com."
    ]
  }
]

Option 2: Using REST API

# List managed zones
curl -X GET \
  "https://dns.googleapis.com/dns/v1/projects/<PROJECT_ID>/managedZones" \
  -H "Authorization: Bearer $(gcloud auth print-access-token)"

Example Response:

{
  "managedZones": [
    {
      "id": "987654321",
      "name": "example-zone",
      "dnsName": "example.com.",
      "description": "Production DNS zone",
      "visibility": "public"
    }
  ]
}

Save the Results in the Platform and Create Connection

In your platform's integration setup, securely upload or store:
- SERVICE_ACCOUNT_JSON (entire JSON key file)
- PROJECT_ID
Label the connection as GCP Cloud DNS Integration
Test the connection by listing zones from /dns/v1/projects/{project}/managedZones
On successful validation, fetch and store:
- Zone name
- DNS name
- Visibility (public/private)
- Name servers
- Record sets (A, CNAME, MX, TXT, etc.)

Best Practices

Use least privilege: Assign only the roles/dns.reader role for read-only integrations
Store credentials securely in Google Secret Manager or your own encrypted secrets vault
Rotate service account keys every 90 days or use Workload Identity Federation for keyless authentication
Limit the integration service account to only necessary GCP projects
Use pagination (maxResults and pageToken) when fetching large record sets
Enable Cloud Audit Logs for DNS API to monitor access and changes
Respect API quotas: ~240 requests per minute by default — batch or cache responses where possible
Use private zones filtering if you only need external-facing DNS visibility
For hybrid environments, sync DNS data across GCP, AWS Route53, and Azure DNS for unified visibility

Useful Cloud DNS API Endpoints

Resource	Method	Endpoint	Description
List managed zones	GET	`/dns/v1/projects/{project}/managedZones`	Lists all DNS zones
Get zone details	GET	`/dns/v1/projects/{project}/managedZones/{zone}`	Retrieves a specific DNS zone
List DNS records	GET	`/dns/v1/projects/{project}/managedZones/{zone}/rrsets`	Lists all DNS records in a zone
Get a specific record set	GET	`/dns/v1/projects/{project}/managedZones/{zone}/rrsets/{name}/{type}`	Retrieves a specific record
List changes	GET	`/dns/v1/projects/{project}/managedZones/{zone}/changes`	Lists zone change history

Reference: Google Cloud DNS API Docs

Credentials Needed​

Permissions Needed / IAM Roles​

Creating Users / Service Account in GCP​

Step 1: Create a Service Account​

Step 2: Assign Roles​

Step 3: Generate and Download the Key​

Test Connectivity​

Option 1: Using gcloud CLI​

Option 2: Using REST API​

Save the Results in the Platform and Create Connection​

Best Practices​

Useful Cloud DNS API Endpoints​