Currently Google Cloud DNS does not have the ability to assign access by zone. So what I am trying to do is create an IAM condition to restrict the user(principal) to a specific managed zone.
I've tried the following conditions:
resource.name.extract('/managedZones/{name}').startsWith("my-zone-name")
resource.name.startsWith("projects/my-project-id/managedZones/my-zone-name")
As an alternative strategy I tried using tags with resource.matchTag and assigning a matching label to the DNS zones. This also does not appear to work.
DNS isn't listed under https://cloud.google.com/iam/docs/conditions-resource-attributes so I don't know whether it's a case of IAM not supporting conditions on Cloud DNS or if there is a problem with my expressions.
It turns out that IAM conditions do not yet support Cloud DNS per https://issuetracker.google.com/issues/69719982