Google Cloud DNS

Connecting Google Cloud DNS as a DNS provider in DNS Watchdog.

Overview

Google Cloud DNS is a managed DNS service running on Google's infrastructure. DNS Watchdog connects via a service account to discover zones and sync records.

Authentication

DNS Watchdog connects to Google Cloud DNS from AWS using Workload Identity Federation, so no static service account key has to be created or stored. The provider form takes three values:

Field                            Description
Project ID                       Your GCP project ID
Workload Identity Pool Provider  The full provider resource name (e.g. projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID)
Service Account Email            The email of the service account DNS Watchdog will impersonate (e.g. dnswatchdog@PROJECT_ID.iam.gserviceaccount.com)

Setup

Grant yourself the required roles

  1. Go to IAM & Admin → IAM in the Google Cloud Console
  2. Click Grant Access and add the following roles to your user:
    • Workload Identity Pool Admin (roles/iam.workloadIdentityPoolAdmin)
    • Service Account Admin (roles/iam.serviceAccountAdmin)
    • Security Admin (roles/iam.securityAdmin)
    • Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
    • Tag Administrator (roles/resourcemanager.tagAdmin)
    • Tag User (roles/resourcemanager.tagUser)
    • DNS Administrator (roles/dns.admin)

Enable APIs

  1. Go to APIs & Services → Enabled APIs & Services
  2. Enable the following APIs:
    • Identity and Access Management (IAM) API
    • IAM Service Account Credentials API
    • Cloud DNS API
    • Security Token Service API

Create a Workload Identity Pool

  1. Go to IAM & Admin → Workload Identity Federation
  2. Click Create Pool
  3. Set the name to aws-dnswatchdog and display name to DNS Watchdog, then click Continue

Add an AWS provider to the pool

  1. Select AWS as the provider type
  2. Set the provider ID to aws-729428183456 and display name to AWS 729428183456
  3. Enter 729428183456 as the AWS Account ID
  4. Under Attribute Mapping, configure:
    • google.subject = assertion.arn
    • attribute.aws_account = assertion.account
  5. Click Save

Create a service account

  1. Go to IAM & Admin → Service Accounts
  2. Click Create Service Account
  3. Set the name to dnswatchdog and display name to DNS Watchdog federated SA
  4. Click Create and Continue

Allow the AWS principal to impersonate the service account

  1. On the service account list, click the dnswatchdog service account
  2. Go to the Permissions tab and click Grant Access
  3. In the New principals field, enter:
    principalSet://iam.googleapis.com/projects/YOUR_PROJECT_NUMBER/locations/global/workloadIdentityPools/aws-dnswatchdog/attribute.aws_account/729428183456
  4. Add both of these roles:
    • Workload Identity User (roles/iam.workloadIdentityUser)
    • Service Account Token Creator (roles/iam.serviceAccountTokenCreator)
  5. Click Save

Grant Cloud DNS permissions

  1. Go to IAM & Admin → IAM
  2. Click Grant Access
  3. Enter the service account email (dnswatchdog@YOUR_PROJECT_ID.iam.gserviceaccount.com) as the principal
  4. Assign the DNS Administrator role (roles/dns.admin)
  5. Click Save

Get the provider resource name

  1. Go back to IAM & Admin → Workload Identity Federation
  2. Click the aws-dnswatchdog pool, then the aws-729428183456 provider
  3. Copy the Provider Resource Name — this is the STS audience value

Add the provider in DNS Watchdog

  1. In DNS Watchdog, go to Settings → Providers → Add Provider
  2. Select Google Cloud DNS as the provider type
  3. Enter your Project ID, Workload Identity Pool Provider resource name, and Service Account Email

(Screenshot: the Google Cloud DNS credentials form showing the Service Account JSON text area)

  4. Choose your access mode (read-only or read-write)
  5. Click Save

Equivalent gcloud commands

The script below performs the same setup from the command line. Fill in the placeholders in the config section before running it.

#!/usr/bin/env bash
set -euo pipefail

# -------- config --------
PROJECT_ID="YOUR_PROJECT_ID_HERE"
PROJECT_NUMBER="YOUR_PROJECT_NUMBER_HERE"

ME="user:you@example.com"                  # the user running this script
POOL_ID="aws-dnswatchdog"
PROVIDER_ID="aws-729428183456"
AWS_ACCOUNT_ID="729428183456"              # the AWS account DNS Watchdog connects from
SA_NAME="dnswatchdog"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
SA_MEMBER="serviceAccount:${SA_EMAIL}"
DNS_ROLE="roles/dns.admin"                 # use roles/dns.reader for read-only access mode

gcloud config set project "$PROJECT_ID"

# -------- grant yourself the roles needed for the steps below --------
for ADMIN_ROLE in \
  roles/iam.workloadIdentityPoolAdmin \
  roles/iam.serviceAccountAdmin \
  roles/iam.securityAdmin \
  roles/serviceusage.serviceUsageAdmin \
  roles/resourcemanager.tagAdmin \
  roles/resourcemanager.tagUser \
  roles/dns.admin
do
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$ME" \
    --role="$ADMIN_ROLE"
done

# -------- enable APIs --------
gcloud services enable iam.googleapis.com iamcredentials.googleapis.com dns.googleapis.com sts.googleapis.com

# -------- create Workload Identity Pool --------
gcloud iam workload-identity-pools create "$POOL_ID" \
  --location="global" \
  --display-name="DNS Watchdog"

# -------- create AWS provider (trust the DNS Watchdog AWS account) --------
gcloud iam workload-identity-pools providers create-aws "$PROVIDER_ID" \
  --location="global" \
  --workload-identity-pool="$POOL_ID" \
  --account-id="$AWS_ACCOUNT_ID" \
  --display-name="AWS ${AWS_ACCOUNT_ID}"

# -------- set the attribute mapping used by the principalSet below --------
gcloud iam workload-identity-pools providers update-aws "$PROVIDER_ID" \
  --location="global" \
  --workload-identity-pool="$POOL_ID" \
  --attribute-mapping="google.subject=assertion.arn,attribute.aws_account=assertion.account"

# -------- create service account --------
gcloud iam service-accounts create "$SA_NAME" \
  --display-name="DNS Watchdog federated SA"

# -------- allow only identities from that AWS account to impersonate the SA --------
MEMBER="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_ID}/attribute.aws_account/${AWS_ACCOUNT_ID}"

for IMPERSONATION_ROLE in roles/iam.workloadIdentityUser roles/iam.serviceAccountTokenCreator
do
  gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --role="$IMPERSONATION_ROLE" \
    --member="$MEMBER"
done

# -------- grant Cloud DNS permissions --------
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="$SA_MEMBER" \
  --role="$DNS_ROLE"

# -------- show the provider resource name (this is the STS audience) --------
gcloud iam workload-identity-pools providers describe "$PROVIDER_ID" \
  --location="global" \
  --workload-identity-pool="$POOL_ID" \
  --format='value(name)'

echo "Project ID:                      $PROJECT_ID"
echo "Workload Identity Pool Provider: projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$PROVIDER_ID"
echo "Service Account Email:           $SA_EMAIL"

Permissions

  • Read-only — assign the DNS Reader role (roles/dns.reader)
  • Read-write — assign the DNS Administrator role (roles/dns.admin)
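
As an added example (not DNS Watchdog's own code), the following Python audits the two IAM policies the setup above creates: the service account policy should trust only the principalSet scoped to attribute.aws_account/729428183456 (never the pool-wide form ending in /*) and grant it only the two impersonation roles, and the project policy should grant the service account only the DNS role that matches the chosen access mode. The sample policies are constructed to mirror the JSON from gcloud's get-iam-policy commands; the project number and project ID are placeholders.

```python
# Values from the setup above; the project number and project ID are placeholders.
PROJECT_NUMBER, POOL_ID, AWS_ACCOUNT_ID = "YOUR_PROJECT_NUMBER", "aws-dnswatchdog", "729428183456"
SA_EMAIL = "dnswatchdog@YOUR_PROJECT_ID.iam.gserviceaccount.com"
# Roles granted on the service account itself, and the project-level DNS role per access mode.
IMPERSONATION_ROLES = {"roles/iam.workloadIdentityUser", "roles/iam.serviceAccountTokenCreator"}
DNS_ROLE_FOR_MODE = {"read-only": "roles/dns.reader", "read-write": "roles/dns.admin"}


def expected_member(project_number=PROJECT_NUMBER, pool_id=POOL_ID, aws_account=AWS_ACCOUNT_ID):
    """The principalSet from the page: trust scoped to one AWS account via attribute.aws_account."""
    return (f"principalSet://iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/attribute.aws_account/{aws_account}")


def audit_sa_policy(policy, want_member=None):
    """Findings for a dict shaped like `gcloud iam service-accounts get-iam-policy --format=json`."""
    want_member = want_member or expected_member()
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member.startswith(("principalSet://", "principal://")):
                if member.endswith("/*"):  # whole pool trusted, not just the one AWS account
                    findings.append(f"{role}: pool-wide trust via {member}")
                elif member != want_member:
                    findings.append(f"{role}: federated member not scoped to AWS account {AWS_ACCOUNT_ID}")
                if role not in IMPERSONATION_ROLES:
                    findings.append(f"{role}: federated identity holds a role beyond impersonation")
            elif member in ("allUsers", "allAuthenticatedUsers"):
                findings.append(f"{role}: public member {member}")
    return findings


def audit_dns_role(project_policy, access_mode, sa_email=SA_EMAIL):
    """Findings for the project policy: the SA should hold exactly the DNS role its access mode needs."""
    want = DNS_ROLE_FOR_MODE[access_mode]
    held = {b.get("role", "") for b in project_policy.get("bindings", [])
            if f"serviceAccount:{sa_email}" in b.get("members", [])}
    findings = [f"{r}: not the role for {access_mode} mode ({want})"
                for r in sorted(held) if r.startswith("roles/dns.") and r != want]
    if want not in held:
        findings.append(f"missing {want} for {access_mode} mode")
    return findings


# Constructed sample policies (not real gcloud output): the token-creator binding trusts the whole
# pool, and the project grants dns.admin although the provider was added in read-only mode.
SAMPLE_SA_POLICY = {"bindings": [
    {"role": "roles/iam.workloadIdentityUser", "members": [expected_member()]},
    {"role": "roles/iam.serviceAccountTokenCreator", "members": [
        f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/workloadIdentityPools/{POOL_ID}/*"]}]}
SAMPLE_PROJECT_POLICY = {"bindings": [{"role": "roles/dns.admin", "members": [f"serviceAccount:{SA_EMAIL}"]}]}
FINDINGS = audit_sa_policy(SAMPLE_SA_POLICY) + audit_dns_role(SAMPLE_PROJECT_POLICY, "read-only")
```

On the constructed samples FINDINGS holds three entries: the pool-wide token-creator binding, the dns.admin grant that does not match read-only mode, and the missing dns.reader grant. To audit a real project, load the JSON from the two gcloud get-iam-policy commands in place of the samples.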
