---
name: Google Cloud DNS
title: Google Cloud DNS Provider
layout: default
jsId: GCLOUD
---

# Google Cloud DNS Provider

## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `GCLOUD`.

For authentication you can either include a Service Account Key in the file or use Application Default Credentials (ADC).

### Using a Service Account Key

Copy the full JSON object into your `creds.json`. Newlines in the private key need to be replaced with `\n`.

Example:

```json
{
  "gcloud": {
    "TYPE": "GCLOUD",
    "type": "service_account",
    "project_id": "mydnsproject",
    "private_key_id": "a05483aa208364c56716b384efff33c0574d365b",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADL2dhlY7YZbx7tpsfksOX\nih0DbxhiQ==\n-----END PRIVATE KEY-----\n",
    "client_email": "dnscontrolacct@mydnsproject.iam.gserviceaccount.com",
    "client_id": "107996619231234567750",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://accounts.google.com/o/oauth2/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/dnscontrolsdfsdfsdf%40craigdnstest.iam.gserviceaccount.com",
    "name_server_set": "optional_name_server_set_name (contact your TAM)"
  }
}
```

**Note:** Don't confuse the `TYPE` and `type` fields. `TYPE` is set to `GCLOUD` and specifies which provider type to use. `type` specifies the type of account in use.

**Note:** The `project_id`, `private_key`, and `client_email` are the only fields that are strictly required, but it is sometimes easier to just paste the entire JSON object in. Either way is fine. `name_server_set` is optional and requires special permission from your TAM at Google in order to set up (see [Name server sets](#name_server_sets) below).

See [the Activation section](#activation) for some tips on obtaining these credentials.

### Using Application Default Credentials

If you prefer to authenticate using ADC, you only need to specify `project_id` in your `creds.json` file.

Example:

```json
{
  "gcloud": {
    "TYPE": "GCLOUD",
    "project_id": "mydnsproject"
  }
}
```

**Note:** To use ADC, make sure not to add any `private_key` value to your configuration, as that will prevent dnscontrol from attempting to use ADC.

## Metadata
This provider does not recognize any special metadata fields unique to Google Cloud DNS.

## Usage
An example `dnsconfig.js` configuration:

```js
var REG_NONE = NewRegistrar("name.com");
var DSP_GCLOUD = NewDnsProvider("gcloud");

D("example.tld", REG_NONE, DnsProvider(DSP_GCLOUD),
    A("test", "1.2.3.4")
);
```

## Activation
1. Go to your app-engine console and select the appropriate project.
2. Go to "API Manager > Credentials", and create a new "Service Account Key".

<img src="{{ site.github.url }}/assets/gcloud-json-screen.png" alt="New Service Account" style="width: 900px;" />

3. Choose an existing user, or create a new one. The user requires the "DNS Administrator" role.
4. Download the JSON key and copy it into your `creds.json` under the name of your gcloud provider.

## New domains
If a domain does not exist in your Google Cloud DNS account, DNSControl
will *not* automatically add it with the `push` command. You'll need to do that via the
control panel manually or via the `create-domains` command.

## Name server sets
This optional feature lets you pin domains to a set of GCLOUD name servers. The `nameServerSet` field is exposed in Google's API, but there is
currently no facility for creating a name server set. You need special permission from your technical account manager at Google, and they
will enable it on your account, responding with a list of names to use in the `name_server_set` field above.

> `name_server_set` only applies on `create-domains` at the moment. Additional work needs to be done to support it during `push`.

## Debugging credentials

You can test your `creds.json` entry with the command `dnscontrol check-creds foo GCLOUD`, where `foo` is the name of the key used in `creds.json`. Error messages you might see:

* `googleapi: Error 403: Permission denied on resource project REDACTED., forbidden`
  * Hint: `project_id` may be invalid.
* `private key should be a PEM or plain PKCS1 or PKCS8; parse error:`
  * Hint: `private_key` may be invalid.
* `Response: {"error":"invalid_grant","error_description":"Invalid grant: account not found"}`
  * Hint: `client_email` may be invalid.
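
The three fields named in the hints above can be checked offline before running `check-creds`, and a downloaded key can be reduced to just the required fields so that `creds.json` holds no more than it needs. The following is an added example, not DNSControl code: the function names and the constructed sample key are assumptions, and the PEM and e-mail checks are simple heuristics.

```python
import json

# Fields the page lists as strictly required for service-account-key mode.
REQUIRED = ("project_id", "private_key", "client_email")

def minimal_entry(sa_key, name_server_set=None):
    """Reduce a downloaded key (parsed JSON) to the required creds.json fields."""
    missing = [f for f in REQUIRED if not sa_key.get(f)]
    if missing:
        raise ValueError("key file lacks: " + ", ".join(missing))
    entry = {"TYPE": "GCLOUD", **{f: sa_key[f] for f in REQUIRED}}
    if name_server_set:
        entry["name_server_set"] = name_server_set
    return entry

def lint_entry(entry):
    """Return problems found in one creds.json entry; an empty list means none."""
    problems = []
    if entry.get("TYPE") != "GCLOUD":
        problems.append("TYPE must be GCLOUD (lowercase 'type' is the account type)")
    if not entry.get("project_id"):
        problems.append("project_id is required in both modes")
    if "private_key" not in entry:
        return problems  # ADC mode: project_id alone is enough
    key = str(entry["private_key"])
    if not (key.startswith("-----BEGIN ") and "PRIVATE KEY-----" in key
            and "-----END " in key):
        problems.append("private_key is not PEM-armored")
    if "@" not in entry.get("client_email", ""):
        problems.append("client_email is missing or not an address")
    return problems

def render(name, entry):
    """Serialize for creds.json; json.dumps writes the key's newlines as \\n."""
    return json.dumps({name: entry}, indent=2)

# Constructed sample: placeholder key material, not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "mydnsproject",
    "private_key_id": "constructed-placeholder",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTEDnotAkey\n-----END PRIVATE KEY-----\n",
    "client_email": "dnscontrolacct@mydnsproject.iam.gserviceaccount.com",
}

if __name__ == "__main__":
    entry = minimal_entry(SAMPLE_KEY)
    print(render("gcloud", entry))
    print(lint_entry(entry))
```

An entry that contains `private_key` is treated as key mode, matching the note that its presence prevents ADC from being used.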