I'm trying to learn DNS Peering in Google Cloud DNS.
I followed the Google Cloud guide page but was unable to create managed zones with the service account of the DNS peer.
The command below was executed:
gcloud dns managed-zones create dns-peer-zone \
--description="peering between consumer and provider" \
--dns-name="us-central1-a.c.provider-proj-299820.internal" --networks=sample-vpc-consumer \
--account=consumer-svcacct@consumer-proj-300018.iam.gserviceaccount.com \
--target-network=sample-vpc --target-project=provider-proj-299820 \
--visibility=private
I have tried with its own DNS too, as below:
gcloud dns managed-zones create dns-peer-zone \
--description="peering between consumer and provider" \
--dns-name="us-east1.c.consumer-proj-300018.internal" --networks=sample-vpc-consumer \
--account=consumer-svcacct@consumer-proj-300018.iam.gserviceaccount.com \
--target-network=sample-vpc --target-project=provider-proj-299820 \
--visibility=private
I get the error below:
ERROR: (gcloud.dns.managed-zones.create)
User [[email protected]] does not have permission
to access projects instance [provider-proj-299820] (or it may not exist): Forbidden
I had already added the DNS peer role successfully for a service account from the consumer project in the provider project, as below:
gcloud projects add-iam-policy-binding provider-proj-299820 \
--member="serviceAccount:[email protected]" \
--role=roles/dns.peer
Result:
Updated IAM policy for project [provider-proj-299820].
bindings:
- members:
I'm the owner of both projects. The provider has a custom subnet in central1 and the consumer has a custom subnet in east1. The provider network is GLOBAL while the consumer is REGIONAL. Their IP ranges are mutually exclusive.
I was trying to activate the service account created to create the DNS role in the producer project, which does not have permissions to create a role in the other project. I followed the steps without activating, as mentioned in this beingasre blog link, and it worked.
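A preflight check for the binding described above, added here as an example that is not from the question or from Google's tooling: it parses the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints and confirms that the principal passed to `--account` holds roles/dns.peer on the target (producer) project before the peering zone is created. The policy document and the owner e-mail in it are constructed.

```python
import json

# Constructed sample of the producer project's IAM policy after the
# add-iam-policy-binding step in the question (not real output from the page).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:owner@example.com"]},
        {"role": "roles/dns.peer",
         "members": ["serviceAccount:consumer-svcacct@consumer-proj-300018.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXyZ=",
    "version": 1,
})


def members_with_role(policy_json: str, role: str) -> set:
    """Return every member bound to `role` in an IAM policy document."""
    policy = json.loads(policy_json)
    return {m for b in policy.get("bindings", []) if b.get("role") == role
            for m in b.get("members", [])}


def iam_member(account: str) -> str:
    """IAM stores principals with a type prefix; map a bare e-mail to it."""
    if account.endswith(".gserviceaccount.com"):
        return f"serviceAccount:{account}"
    return f"user:{account}"


def can_peer(policy_json: str, account: str) -> bool:
    """True if the account that will run `gcloud dns managed-zones create`
    (the --account value) holds roles/dns.peer on the target project."""
    return iam_member(account) in members_with_role(policy_json, "roles/dns.peer")


def preflight(policy_json: str, account: str, target_project: str) -> str:
    """Human-readable verdict, mirroring the Forbidden error in the question."""
    if can_peer(policy_json, account):
        return f"ok: {account} may target {target_project} with a peering zone"
    return (f"missing roles/dns.peer for {account} on {target_project}; "
            f"grant it with: gcloud projects add-iam-policy-binding {target_project} "
            f"--member={iam_member(account)} --role=roles/dns.peer")
```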