-1

I'm trying to learn DNS peering in Google Cloud DNS. I followed the Google Cloud guide page but am unable to create managed zones with the service account of the DNS peer.

The command below was executed:

    gcloud dns managed-zones create dns-peer-zone \
        --description="peering between consumer and provider" \
        --dns-name="us-central1-a.c.provider-proj-299820.internal" \
        --networks=sample-vpc-consumer \
        --account=consumer-svcacct@consumer-proj-300018.iam.gserviceaccount.com \
        --target-network=sample-vpc \
        --target-project=provider-proj-299820 \
        --visibility=private

I have also tried with its own DNS name, as below:

    gcloud dns managed-zones create dns-peer-zone \
        --description="peering between consumer and provider" \
        --dns-name="us-east1.c.consumer-proj-300018.internal" \
        --networks=sample-vpc-consumer \
        --account=consumer-svcacct@consumer-proj-300018.iam.gserviceaccount.com \
        --target-network=sample-vpc \
        --target-project=provider-proj-299820 \
        --visibility=private

I get the error below:

    ERROR: (gcloud.dns.managed-zones.create) User [consumer-svcacct@consumer-proj-300018.iam.gserviceaccount.com] does not have permission to access projects instance [provider-proj-299820] (or it may not exist): Forbidden

I had already successfully added the DNS peer role for a service account from the consumer project in the provider project, as below:

    gcloud projects add-iam-policy-binding provider-proj-299820 \
        --member="serviceAccount:consumer-svcacct@consumer-proj-300018.iam.gserviceaccount.com" \
        --role=roles/dns.peer

Result:

    Updated IAM policy for project [provider-proj-299820].
    bindings:
    - members:

I'm the owner of both projects. The provider has a custom subnet in central1 and the consumer has a custom subnet in east1. The provider network is GLOBAL while the consumer network is REGIONAL. Their IP ranges are mutually exclusive.

Learner
  • The only predefined role that has the required permissions is `roles/dns.admin`. https://cloud.google.com/dns/docs/access-control – John Hanley Dec 29 '20 at 01:53
  • Thanks @JohnHanley, are you talking about any particular permission, like dns.networks.targetWithPeeringZone? Also, the role I had chosen was the one given in the Google Cloud guide document. I'll try to change the role to dns.admin and see if that works. – Learner Dec 29 '20 at 21:10
  • Yes, you need that permission and more on both sides of the peer. Also review @Mahboob's answer in case you have another issue. – John Hanley Dec 29 '20 at 21:22
  • I added the dns.admin role too; the error is still the same. – Learner Dec 30 '20 at 00:43
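The comments above turn on John Hanley's point that the identity running `gcloud dns managed-zones create` needs permissions on both sides of the peer: in the consumer project it must be able to create the zone and attach it to the consumer VPC, and in the provider project it must hold `dns.networks.targetWithPeeringZone` (carried by `roles/dns.peer` and `roles/dns.admin`). The script below is an added example, not code from the question or from Google; it is an offline preflight that reads the JSON from `gcloud projects get-iam-policy PROJECT --format=json` for each project and reports what the chosen member is missing. The role-to-permission map is an assumed, deliberately small subset (custom roles and `roles/editor` are not modelled), and the sample policies, project names and `user:owner@example.com` are constructed to mirror the thread, where the service account had only `roles/dns.peer` in the provider project and nothing in the consumer project while the human owner holds `roles/owner` in both.

```python
"""Preflight for a Cloud DNS peering zone (added example, not from the post).

Before running `gcloud dns managed-zones create ... --target-project=PROVIDER`,
check that the identity the command runs as holds what it needs in BOTH
projects. Input: the JSON from `gcloud projects get-iam-policy P --format=json`.
"""
import json
import sys

# Assumed, deliberately small role -> permission map. roles/dns.peer and
# roles/dns.admin carry dns.networks.targetWithPeeringZone; the basic Owner
# role carries every project permission. Custom roles and roles/editor are not
# modelled; expand this from `gcloud iam roles describe ROLE` for your setup.
ROLE_PERMISSIONS = {
    "roles/dns.peer": {"dns.networks.targetWithPeeringZone"},
    "roles/dns.admin": {
        "dns.managedZones.create",
        "dns.networks.bindPrivateDNSZone",
        "dns.networks.targetWithPeeringZone",
    },
    "roles/owner": {
        "dns.managedZones.create",
        "dns.networks.bindPrivateDNSZone",
        "dns.networks.targetWithPeeringZone",
    },
}

# Consumer side: create the zone and attach it to the consumer VPC.
# Provider side: be allowed to target the provider VPC with a peering zone.
NEEDED = {
    "consumer": {"dns.managedZones.create", "dns.networks.bindPrivateDNSZone"},
    "provider": {"dns.networks.targetWithPeeringZone"},
}


def permissions_for(policy, member):
    """Permissions `member` (e.g. 'serviceAccount:sa@proj.iam.gserviceaccount.com')
    receives from one project's IAM policy. Bindings that carry an IAM
    condition cannot be evaluated offline, so their roles are returned
    separately for manual review instead of being counted as granted."""
    granted, conditional = set(), []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        if binding.get("condition"):
            conditional.append(binding["role"])
            continue
        granted |= ROLE_PERMISSIONS.get(binding["role"], set())
    return granted, conditional


def preflight(consumer_policy, provider_policy, member):
    """Return {'missing': {side: [perm, ...]}, 'conditional': {side: [role, ...]}}."""
    result = {"missing": {}, "conditional": {}}
    for side, policy in (("consumer", consumer_policy), ("provider", provider_policy)):
        granted, conditional = permissions_for(policy, member)
        result["missing"][side] = sorted(NEEDED[side] - granted)
        result["conditional"][side] = conditional
    return result


# Constructed sample policies mirroring the thread (names are illustrative):
# the consumer service account holds roles/dns.peer in the provider project
# only, while the human owner holds roles/owner in both projects.
SA = "serviceAccount:consumer-svcacct@consumer-proj-300018.iam.gserviceaccount.com"
OWNER = "user:owner@example.com"
CONSUMER_POLICY = {"bindings": [{"role": "roles/owner", "members": [OWNER]}]}
PROVIDER_POLICY = {"bindings": [
    {"role": "roles/owner", "members": [OWNER]},
    {"role": "roles/dns.peer", "members": [SA]},
]}


def main(argv):
    # Usage: preflight.py consumer.json provider.json MEMBER
    # With no arguments the constructed sample policies are checked for SA.
    if len(argv) == 4:
        with open(argv[1]) as c, open(argv[2]) as p:
            report = preflight(json.load(c), json.load(p), argv[3])
    else:
        report = preflight(CONSUMER_POLICY, PROVIDER_POLICY, SA)
    print(json.dumps(report, indent=2))
    return 0 if not any(report["missing"].values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments, the sample reports the service account as fully covered on the provider side but missing both consumer-side permissions, while `user:owner@example.com` passes on both sides; that is the asymmetry the `--account=` run in the question hits. Note what this check does not cover: `--account` only works if that credential is present in `gcloud auth list`, and a binding with an IAM condition is reported for review rather than treated as granted.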

2 Answers

1

From the error, it seems to me that the message is misleading and confusing. Based on that, I found the following PIT1 and PIT2 as a bug on the Google Issue Tracker. There is no ETA at this time. However, you will get further updates on the thread accordingly.

Mahboob
  • Thanks @Mahboob for adding the bug details. I see in the bug that the issue is about enhancing the message in case incorrect input parameters are used. – Learner Dec 30 '20 at 00:18
  • I verified the service account name and the network names; those are correct. I also updated the DNS role to dns.admin for the consumer in the provider project and verified the service account name is listed in the provider project: `gcloud projects get-iam-policy provider-proj-299820 | grep "consumer-svcacct@consumer-proj-300018.iam.gserviceaccount.com"`. Verified the network names with: `gcloud compute networks list --project=provider-proj-299820 | grep "sample-vpc"` and `gcloud compute networks list --project=consumer-proj-300018 | grep "sample-vpc-consumer"`. – Learner Dec 30 '20 at 00:48
  • @Learner I have just updated my answer and included another public issue which also indicates that the error message is confusing and needs to be improved to give the exact error message. I understand that your permissions might be OK, as the Owner role also grants all the DNS permissions. – Mahboob Dec 30 '20 at 01:31
  • Thanks for sharing the bug. I added the dns.admin role in the consumer project too for the service account, just to rule out the possibility; it still did not work. I'll keep an eye on this bug. – Learner Dec 30 '20 at 06:27
0

I was trying to activate the service account, created to create the DNS role in the producer project, which does not have permissions to create a role in the other project. I followed the steps without activating it, as mentioned in this beingasre blog link, and it worked.

Learner