Tags: google-cloud-platform, dns, gcloud, google-cloud-dns, google-vpc

Google Cloud create dns peering without VPC peering in different GCP projects


I'm trying to learn DNS peering in Google Cloud DNS. I followed the Google Cloud guide page but am unable to create managed zones with the service account that holds the DNS peer role.

The command below was executed:

    gcloud dns managed-zones create dns-peer-zone \
        --description="peering between consumer and provider" \
        --dns-name="us-central1-a.c.provider-proj-299820.internal" \
        --networks=sample-vpc-consumer \
        --account=consumer-svcacct@consumer-proj-300018.iam.gserviceaccount.com \
        --target-network=sample-vpc \
        --target-project=provider-proj-299820 \
        --visibility=private

I have also tried it with the consumer project's own DNS name, as below:

    gcloud dns managed-zones create dns-peer-zone \
        --description="peering between consumer and provider" \
        --dns-name="us-east1.c.consumer-proj-300018.internal" \
        --networks=sample-vpc-consumer \
        --account=consumer-svcacct@consumer-proj-300018.iam.gserviceaccount.com \
        --target-network=sample-vpc \
        --target-project=provider-proj-299820 \
        --visibility=private

I get the error below:

    ERROR: (gcloud.dns.managed-zones.create) User [[email protected]] does not have permission to access projects instance [provider-proj-299820] (or it may not exist): Forbidden

I had already successfully granted the DNS peer role in the provider project to a service account from the consumer project, as below:

    gcloud projects add-iam-policy-binding provider-proj-299820 \
        --member="serviceAccount:[email protected]" \
        --role=roles/dns.peer

Result:

    Updated IAM policy for project [provider-proj-299820].
    bindings:
    - members:

I'm the owner of both projects. The provider has a custom subnet in central1 and the consumer has a custom subnet in east1. The provider network is GLOBAL while the consumer network is REGIONAL, and their IP ranges are mutually exclusive.


Solution

  • I was trying to activate the service account that was created to hold the DNS role in the producer project, which does not have permissions to create a role in the other project. I followed the steps without activating it, as mentioned in this beingasre blog link, and it worked.
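An offline check for the two halves of this setup, added here as an example and not part of the question, the answer, or the blog it links to. It takes JSON shaped like the output of `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud dns managed-zones describe ZONE --format=json` and verifies (1) that the consumer service account holds `roles/dns.peer` on the producer project through an unconditional binding, and (2) that the created zone is private, authorised for the consumer network, and peered to the expected producer project and network. The JSON and the project, network and account names are constructed sample values copied from the thread, not captured output; the field layout (`bindings`, `privateVisibilityConfig`, `peeringConfig.targetNetwork.networkUrl`) is assumed to match the Cloud DNS and IAM API shapes.

```python
"""Offline checks for a Cloud DNS peering zone and its producer-side IAM grant.

Added example, not the thread's own code. Feeds constructed JSON (shaped like
the output of `gcloud projects get-iam-policy` and `gcloud dns managed-zones
describe`, assumed field layout) through two checks.
"""
import json

# Constructed sample: IAM policy of the producer project after add-iam-policy-binding.
PRODUCER_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:owner@example.com"]},
    {"role": "roles/dns.peer",
     "members": ["serviceAccount:consumer-svcacct@consumer-proj-300018.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXConstructedEtag=",
  "version": 1
}
"""

# Constructed sample: the peering zone as the consumer project would describe it.
PEERING_ZONE_JSON = """
{
  "name": "dns-peer-zone",
  "dnsName": "us-central1-a.c.provider-proj-299820.internal.",
  "visibility": "private",
  "privateVisibilityConfig": {
    "networks": [
      {"networkUrl": "https://www.googleapis.com/compute/v1/projects/consumer-proj-300018/global/networks/sample-vpc-consumer"}
    ]
  },
  "peeringConfig": {
    "targetNetwork": {
      "networkUrl": "https://www.googleapis.com/compute/v1/projects/provider-proj-299820/global/networks/sample-vpc"
    }
  }
}
"""

def role_bindings(policy: dict, member: str, role: str) -> list:
    """Return every binding that grants `role` to `member` (conditional or not)."""
    return [b for b in policy.get("bindings", [])
            if b.get("role") == role and member in b.get("members", [])]

def has_unconditional_role(policy: dict, member: str, role: str) -> bool:
    """True when `member` holds `role` through a binding that carries no IAM condition."""
    return any("condition" not in b for b in role_bindings(policy, member, role))

def network_parts(network_url: str) -> tuple:
    """Split a compute network self-link (.../projects/P/global/networks/N) into (P, N)."""
    parts = network_url.rstrip("/").split("/")
    return parts[parts.index("projects") + 1], parts[-1]

def peering_zone_problems(zone: dict, producer_project: str, producer_network: str,
                          consumer_network: str) -> list:
    """Describe what is wrong with a peering zone definition; an empty list means it matches."""
    problems = []
    if zone.get("visibility") != "private":
        problems.append("zone is not private; peering zones must be private")
    consumer_nets = [network_parts(n["networkUrl"])[1]
                     for n in zone.get("privateVisibilityConfig", {}).get("networks", [])]
    if consumer_network not in consumer_nets:
        problems.append(f"consumer network {consumer_network} is not authorised to query the zone")
    target = zone.get("peeringConfig", {}).get("targetNetwork", {}).get("networkUrl")
    if not target:
        problems.append("zone has no peeringConfig.targetNetwork (it is a plain private zone)")
    else:
        proj, net = network_parts(target)
        if (proj, net) != (producer_project, producer_network):
            problems.append(f"peering target is {proj}/{net}, expected {producer_project}/{producer_network}")
    return problems

def check_setup(policy_json: str = PRODUCER_POLICY_JSON, zone_json: str = PEERING_ZONE_JSON) -> dict:
    """Run both checks against the thread's project, network and account names."""
    policy = json.loads(policy_json)
    zone = json.loads(zone_json)
    member = "serviceAccount:consumer-svcacct@consumer-proj-300018.iam.gserviceaccount.com"
    return {
        "peer_role_granted": has_unconditional_role(policy, member, "roles/dns.peer"),
        "zone_problems": peering_zone_problems(zone, "provider-proj-299820",
                                               "sample-vpc", "sample-vpc-consumer"),
    }

if __name__ == "__main__":
    print(json.dumps(check_setup(), indent=2))
```

To run it against a live project, replace the two constants with the JSON that the two gcloud commands print; a `False` for `peer_role_granted` means the producer-side grant is missing or conditional, and a non-empty `zone_problems` list shows which part of the zone definition does not match the intended peering.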