is there a way to have Google Cloud IAM Service account restricted to only one zone in Coud DNS? I want to use this for automatic ACME DNS-01 certificate issuing, but I do not want to add full control of all domains/zones. I tried to set Condition to Service account, but it did not work - zone names are probably not resources?
Docs says that lowest resource is Project, so only possibility to have acme challenge secured is to have separate Project with own service account for that domain? https://cloud.google.com/dns/docs/access-control
If you have a look to the Cloud DNS API, you can see that no API path contains a getIamPolicy or a setIamPolicy. This indicate that you can't define IAM permission at the resource level, but only at the project level: access or not to the whole API.
Thus you can't restrict the management of a zone to a dedicated service account. However, you can create another project and perform a DNS Peering on the manage zone that you want, and grant only the service account on this project.
