Monitoring Google Cloud DNS
Monitoring your Google Cloud Platform hosted DNS records automatically is made easy with ZoneWatcher. After you've added your account credentials, we will automatically import all of your domains and begin monitoring them for changes.
Generating your Google Cloud API Token
To add your GCP account, first activate the DNS API on GCP's dashboard. The API must be active for us to fetch your DNS records.
After you have activated the DNS API, generate an API service account on GCP's IAM dashboard. We use this account's token to automatically fetch your domains and their associated DNS records.
For monitoring-only use, you can limit the token to the DNS Reader role (roles/dns.reader). This ensures that the token can only be used to read your DNS records, not modify them. Be sure to associate the following permissions with the token:
- dns.managedZones.get
- dns.managedZones.list
- dns.projects.get
- dns.resourceRecordSets.get
- dns.resourceRecordSets.list
- resourcemanager.projects.get
- resourcemanager.projects.list
Permissions for Change Management & Rollback
If you plan to use ZoneWatcher's Change Management or rollback features, the DNS Reader role is not sufficient — those features write back to Cloud DNS on your behalf to apply approved changesets and revert unauthorized changes.
The simplest option is to grant the service account the predefined DNS Administrator role (roles/dns.admin). If you prefer least privilege, create a custom role with the read permissions listed above plus the following write permissions:
- dns.changes.create
- dns.changes.get
- dns.changes.list
- dns.resourceRecordSets.create
- dns.resourceRecordSets.update
- dns.resourceRecordSets.delete
ZoneWatcher applies all DNS modifications through the changes.create API and polls changes.get for propagation status. If you only want change notifications, stick with roles/dns.reader.
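To check a custom role against these lists before attaching it to the service account, the following added example (not ZoneWatcher's own code) compares the role's includedPermissions, as printed by gcloud iam roles describe with --format=json, with the permissions listed on this page. The mode names "monitor" and "manage", the function name and the sample role are assumptions made for illustration.

```python
import json

# Permission lists copied from this page.
READ = {
    "dns.managedZones.get", "dns.managedZones.list", "dns.projects.get",
    "dns.resourceRecordSets.get", "dns.resourceRecordSets.list",
    "resourcemanager.projects.get", "resourcemanager.projects.list",
}
CHANGE_MGMT = {
    "dns.changes.create", "dns.changes.get", "dns.changes.list",
    "dns.resourceRecordSets.create", "dns.resourceRecordSets.update",
    "dns.resourceRecordSets.delete",
}
# Hypothetical mode labels: "monitor" = change notifications only,
# "manage" = Change Management and rollback.
REQUIRED = {"monitor": READ, "manage": READ | CHANGE_MGMT}


def audit_role(role_json: str, mode: str) -> dict:
    """Compare a role's includedPermissions with what the chosen mode needs."""
    if mode not in REQUIRED:
        raise ValueError(f"unknown mode: {mode!r}")
    granted = set(json.loads(role_json).get("includedPermissions", []))
    needed = REQUIRED[mode]
    return {
        "missing": sorted(needed - granted),  # the feature would not work
        "excess": sorted(granted - needed),   # more than the mode requires
        "ok": granted == needed,
    }


# Constructed sample: a role meant for monitoring only that still carries
# two write permissions and lacks one read permission.
SAMPLE_ROLE = json.dumps({
    "name": "projects/example-project/roles/zonewatcher_monitor",
    "title": "ZoneWatcher monitor",
    "includedPermissions": sorted(
        (READ - {"dns.projects.get"})
        | {"dns.changes.create", "dns.resourceRecordSets.delete"}
    ),
})

if __name__ == "__main__":
    for mode in ("monitor", "manage"):
        print(mode, audit_role(SAMPLE_ROLE, mode))
```

Any entry under "excess" for a monitoring-only role is a permission the token does not need for change notifications and can be removed from the role.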
Creating your Google Cloud Provider
Create your new Google Cloud provider on ZoneWatcher by giving it a descriptive name and pasting in the API key credentials that you downloaded from Google Cloud.
Monitoring Your Zones
After you've created your Google Cloud provider, we will sync all the zones associated with your account and their associated DNS records. You'll be able to view them from either the Provider's page or the Zone Dashboard.