docs/_providers/gcloud.md

---
name: Google Cloud DNS
title: Google Cloud DNS Provider
layout: default
jsId: GCLOUD
---

# Google Cloud DNS Provider

## Configuration

To use this provider, add an entry to `creds.json` with `TYPE` set to `GCLOUD`
along with Google Cloud authentication values.

The provider requires a "Service Account Key" for your project. Newlines in the private key need to be replaced with `\n`. Copy the full JSON object into your `creds.json` like so:

Example:

```json
{
  "gcloud": {
    "TYPE": "GCLOUD",
    "type": "service_account",
    "project_id": "mydnsproject",
    "private_key_id": "a05483aa208364c56716b384efff33c0574d365b",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADL2dhlY7YZbx7tpsfksOX\nih0DbxhiQ==\n-----END PRIVATE KEY-----\n",
    "client_email": "dnscontrolacct@mydnsproject.iam.gserviceaccount.com",
    "client_id": "107996619231234567750",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://accounts.google.com/o/oauth2/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/dnscontrolsdfsdfsdf%40craigdnstest.iam.gserviceaccount.com",
    "name_server_set": "optional_name_server_set_name (contact your TAM)"
  }
}
```

**Note:** Don't confuse the `TYPE` and `type` fields.  `TYPE` is set to `GCLOUD` and specifies which provider type to use.  `type` specifies the type of account in use.

**Note**: The `project_id`, `private_key`, and `client_email`, are the only fields that are strictly required, but it is sometimes easier to just paste the entire json object in. Either way is fine.  `name_server_set` is optional and requires special permission from your TAM at Google in order to setup (See [Name server sets](#name_server_sets) below)

See [the Activation section](#activation) for some tips on obtaining these credentials.

## Metadata
This provider does not recognize any special metadata fields unique to google cloud dns.

## Usage
An example `dnsconfig.js` configuration:

```js
var REG_NONE = NewRegistrar("name.com");
var DSP_GCLOUD = NewDnsProvider("gcloud");

D("example.tld", REG_NONE, DnsProvider(DSP_GCLOUD),
    A("test", "1.2.3.4")
);
```

## Activation
1. Go to your app-engine console and select the appropriate project.
2. Go to "API Manager > Credentials", and create a new "Service Account Key"

    <img src="{{ site.github.url }}/assets/gcloud-json-screen.png" alt="New Service Account" style="width: 900px;"/>

3. Choose an existing user, or create a new one. The user requires the "DNS Administrator" role.
4. Download the JSON key and copy it into your `creds.json` under the name of your gcloud provider.

## New domains
If a domain does not exist in your Google Cloud DNS account, DNSControl
will *not* automatically add it with the `push` command. You'll need to do that via the
control panel manually or via the `create-domains` command.

## Name server sets

This optional feature lets you pin domains to a set of GCLOUD name servers.  The `nameServerSet` field is exposed in their API but there is
currently no facility for creating a name server set.  You need special permission from your technical account manager at Google and they
will enable it on your account, responding with a list of names to use in the `name_server_set` field above.

> `name_server_set` only applies on `create-domains` at the moment. Additional work needs to be done to support it during `push`

# Debugging credentials

You can test your `creds.json` entry with the command: `dnscontrol check-creds foo GCLOUD` where `foo` is the name of key used in `creds.json`.  Error messages you might see:

* `googleapi: Error 403: Permission denied on resource project REDACTED., forbidden`
  * Hint: `project_id` may be invalid.
* `private key should be a PEM or plain PKCS1 or PKCS8; parse error:`
  * Hint: `private_key` may be invalid.
* `Response: {"error":"invalid_grant","error_description":"Invalid grant: account not found"}`
  * Hint: `client_email` may be invalid.
adding docs again 2017-01-11 13:02:45 -07:00			`---`
Website fixes (Part 1) (#223) * Fixed base template - Made responsive for small screens - Added DOCTYPE - Added meta charset * Added page titles * Beautified CSS 2017-10-11 08:33:17 -04:00			`name: Google Cloud DNS`
Replace Jekyll highlight tags with fenced code blocks (#1412) * Replace Jekyll highlight tags with fenced code blocks Replace Jekyll highlight tags with fenced code blocks. Canonicalize javascript to js. Correct highlighting languages. Add highlighting to code blocks. Remove leading $ from bash blocks. Remove empty lines at start and end of code blocks. Stripped trailing whitespace. * Fix language of code highlighting 2022-02-17 18:22:31 +01:00			`title: Google Cloud DNS Provider`
adding docs again 2017-01-11 13:02:45 -07:00			`layout: default`
			`jsId: GCLOUD`
			`---`

Website fixes (Part 1) (#223) * Fixed base template - Made responsive for small screens - Added DOCTYPE - Added meta charset * Added page titles * Beautified CSS 2017-10-11 08:33:17 -04:00			`# Google Cloud DNS Provider`
adding docs again 2017-01-11 13:02:45 -07:00
			`## Configuration`

Update docs for the "plan a" change (#1499) * Update docs 2022-05-08 14:41:33 -04:00			To use this provider, add an entry to `creds.json` with `TYPE` set to `GCLOUD`
			`along with Google Cloud authentication values.`

			The provider requires a "Service Account Key" for your project. Newlines in the private key need to be replaced with `\n`. Copy the full JSON object into your `creds.json` like so:

			`Example:`
Improve Google Cloud DNS docs (#230) - Markdown formatting improvements - Added note about newlines in private key 2017-10-11 10:10:23 -04:00
Replace Jekyll highlight tags with fenced code blocks (#1412) * Replace Jekyll highlight tags with fenced code blocks Replace Jekyll highlight tags with fenced code blocks. Canonicalize javascript to js. Correct highlighting languages. Add highlighting to code blocks. Remove leading $ from bash blocks. Remove empty lines at start and end of code blocks. Stripped trailing whitespace. * Fix language of code highlighting 2022-02-17 18:22:31 +01:00			```json
adding docs again 2017-01-11 13:02:45 -07:00			`{`
Update docs for the "plan a" change (#1499) * Update docs 2022-05-08 14:41:33 -04:00			`"gcloud": {`
			`"TYPE": "GCLOUD",`
			`"type": "service_account",`
			`"project_id": "mydnsproject",`
			`"private_key_id": "a05483aa208364c56716b384efff33c0574d365b",`
			`"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADL2dhlY7YZbx7tpsfksOX\nih0DbxhiQ==\n-----END PRIVATE KEY-----\n",`
			`"client_email": "dnscontrolacct@mydnsproject.iam.gserviceaccount.com",`
			`"client_id": "107996619231234567750",`
			`"auth_uri": "https://accounts.google.com/o/oauth2/auth",`
			`"token_uri": "https://accounts.google.com/o/oauth2/token",`
			`"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",`
			`"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/dnscontrolsdfsdfsdf%40craigdnstest.iam.gserviceaccount.com",`
			`"name_server_set": "optional_name_server_set_name (contact your TAM)"`
			`}`
adding docs again 2017-01-11 13:02:45 -07:00			`}`
Replace Jekyll highlight tags with fenced code blocks (#1412) * Replace Jekyll highlight tags with fenced code blocks Replace Jekyll highlight tags with fenced code blocks. Canonicalize javascript to js. Correct highlighting languages. Add highlighting to code blocks. Remove leading $ from bash blocks. Remove empty lines at start and end of code blocks. Stripped trailing whitespace. * Fix language of code highlighting 2022-02-17 18:22:31 +01:00			```
adding docs again 2017-01-11 13:02:45 -07:00
Update docs for the "plan a" change (#1499) * Update docs 2022-05-08 14:41:33 -04:00			Note: Don't confuse the `TYPE` and `type` fields. `TYPE` is set to `GCLOUD` and specifies which provider type to use. `type` specifies the type of account in use.

ROUTE53/GCLOUD: Add Delegation/nameserver Sets (#448) - Support DelegationSet for Route53 (create-domains only) - Retry Route53 operations which fail for rate limits under large numbers of domains - Support for name_server_set for GCloud (create-domains only) - Docs for both 2019-02-19 12:30:39 -05:00			Note: The `project_id`, `private_key`, and `client_email`, are the only fields that are strictly required, but it is sometimes easier to just paste the entire json object in. Either way is fine. `name_server_set` is optional and requires special permission from your TAM at Google in order to setup (See [Name server sets](#name_server_sets) below)
Integration Testing framework (#46) * integration test started * details * More tests. * idn tests and punycode (not tested fully because I'm on an aiplane) * test for dual provider compatibility * readme for tests * vendor idna * fix casing 2017-03-16 22:42:53 -07:00
adding docs again 2017-01-11 13:02:45 -07:00			`See [the Activation section](#activation) for some tips on obtaining these credentials.`

			`## Metadata`
tweaks to gcloud 2017-03-12 12:21:08 -06:00			`This provider does not recognize any special metadata fields unique to google cloud dns.`
adding docs again 2017-01-11 13:02:45 -07:00
			`## Usage`
Update docs for the "plan a" change (#1499) * Update docs 2022-05-08 14:41:33 -04:00			An example `dnsconfig.js` configuration:
adding docs again 2017-01-11 13:02:45 -07:00
Replace Jekyll highlight tags with fenced code blocks (#1412) * Replace Jekyll highlight tags with fenced code blocks Replace Jekyll highlight tags with fenced code blocks. Canonicalize javascript to js. Correct highlighting languages. Add highlighting to code blocks. Remove leading $ from bash blocks. Remove empty lines at start and end of code blocks. Stripped trailing whitespace. * Fix language of code highlighting 2022-02-17 18:22:31 +01:00			```js
Update docs for the "plan a" change (#1499) * Update docs 2022-05-08 14:41:33 -04:00			`var REG_NONE = NewRegistrar("name.com");`
			`var DSP_GCLOUD = NewDnsProvider("gcloud");`
adding docs again 2017-01-11 13:02:45 -07:00
Update docs for the "plan a" change (#1499) * Update docs 2022-05-08 14:41:33 -04:00			`D("example.tld", REG_NONE, DnsProvider(DSP_GCLOUD),`
			`A("test", "1.2.3.4")`
adding docs again 2017-01-11 13:02:45 -07:00			`);`
Replace Jekyll highlight tags with fenced code blocks (#1412) * Replace Jekyll highlight tags with fenced code blocks Replace Jekyll highlight tags with fenced code blocks. Canonicalize javascript to js. Correct highlighting languages. Add highlighting to code blocks. Remove leading $ from bash blocks. Remove empty lines at start and end of code blocks. Stripped trailing whitespace. * Fix language of code highlighting 2022-02-17 18:22:31 +01:00			```
adding docs again 2017-01-11 13:02:45 -07:00
			`## Activation`
tweaks to gcloud 2017-03-12 12:21:08 -06:00			`1. Go to your app-engine console and select the appropriate project.`
			`2. Go to "API Manager > Credentials", and create a new "Service Account Key"`
adding docs again 2017-01-11 13:02:45 -07:00
img 2017-03-12 16:31:48 -07:00			`<img src="{{ site.github.url }}/assets/gcloud-json-screen.png" alt="New Service Account" style="width: 900px;"/>`
adding docs again 2017-01-11 13:02:45 -07:00
Documentation: Update terminology in gcloud.md (#197) * Google now calls the required role "DNS Administrator" rather than "App Engine Admin" (#197) 2017-09-07 09:46:32 -04:00			`3. Choose an existing user, or create a new one. The user requires the "DNS Administrator" role.`
Document that providers don't (or do) add domains to your account automatically. 2017-05-03 09:32:47 -04:00			4. Download the JSON key and copy it into your `creds.json` under the name of your gcloud provider.

			`## New domains`
			`If a domain does not exist in your Google Cloud DNS account, DNSControl`
ROUTE53/GCLOUD: Add Delegation/nameserver Sets (#448) - Support DelegationSet for Route53 (create-domains only) - Retry Route53 operations which fail for rate limits under large numbers of domains - Support for name_server_set for GCloud (create-domains only) - Docs for both 2019-02-19 12:30:39 -05:00			will not automatically add it with the `push` command. You'll need to do that via the
			control panel manually or via the `create-domains` command.

			`## Name server sets`

			This optional feature lets you pin domains to a set of GCLOUD name servers. The `nameServerSet` field is exposed in their API but there is
Replace Jekyll highlight tags with fenced code blocks (#1412) * Replace Jekyll highlight tags with fenced code blocks Replace Jekyll highlight tags with fenced code blocks. Canonicalize javascript to js. Correct highlighting languages. Add highlighting to code blocks. Remove leading $ from bash blocks. Remove empty lines at start and end of code blocks. Stripped trailing whitespace. * Fix language of code highlighting 2022-02-17 18:22:31 +01:00			`currently no facility for creating a name server set. You need special permission from your technical account manager at Google and they`
ROUTE53/GCLOUD: Add Delegation/nameserver Sets (#448) - Support DelegationSet for Route53 (create-domains only) - Retry Route53 operations which fail for rate limits under large numbers of domains - Support for name_server_set for GCloud (create-domains only) - Docs for both 2019-02-19 12:30:39 -05:00			will enable it on your account, responding with a list of names to use in the `name_server_set` field above.

			> `name_server_set` only applies on `create-domains` at the moment. Additional work needs to be done to support it during `push`
Add check-creds subcommand (#665) 2020-02-29 09:07:05 -05:00
			`# Debugging credentials`

			You can test your `creds.json` entry with the command: `dnscontrol check-creds foo GCLOUD` where `foo` is the name of key used in `creds.json`. Error messages you might see:

			* `googleapi: Error 403: Permission denied on resource project REDACTED., forbidden`
			* Hint: `project_id` may be invalid.
			* `private key should be a PEM or plain PKCS1 or PKCS8; parse error:`
			* Hint: `private_key` may be invalid.
			* `Response: {"error":"invalid_grant","error_description":"Invalid grant: account not found"}`
			* Hint: `client_email` may be invalid.