I believe eventually you will be able to do this using IAM permissions. At the moment I do not see the options to add Cloud DNS roles in the IAM Console. In order to authorize requests to Cloud DNS you must use one of the scopes describe in this article.
i.e.
https://www.googleapis.com/auth/ndev.clouddns.readwrite
https://cloud.google.com/dns/api/authorization
If you are using the default service account, the scope has to be defined during the VM creation in the scope flag.
i.e.
gcloud compute --project "Myproject" instances create "instance-8" --zone "us-central1-f" --machine-type "n1-standard-1" --network "default" --maintenance-policy "MIGRATE" --scopes default="https://www.googleapis.com/auth/devstorage.full_control","https://www.googleapis.com/auth/ndev.clouddns.readwrite" --image "/debian-cloud/debian-8-jessie-v20161020" --boot-disk-size "10" --boot-disk-type "pd-standard" --boot-disk-device-name "instance-8"
If you associated the VM to a non-default service account during its creation, you can add Editor or Owner permissions to that account in the IAM Console. Nevertheless this might provide a wider scope that the one you are looking for.
You can check that the default service account is still available for use:
Go to the Google Cloud Platform Console and click on ‘Products & Services’ which is the icon with the four bars at the top left hand corner.
On the menu go to the Products section and hover on ‘IAM & admin’ and then click on ‘Service accounts’ to see if the default service account hasn’t been deleted.
If the account is not there it explains why you can’t create a VM using this default service account.
You can try to recover a default service account in two ways:
You can disable and re-enable the Google Compute Engine API in your project. This will only work if you have no GCE resource (e.g VMs, Disks, Snapshots, etc) in your project, otherwise you will get "Backend Provisioning Error" when you try to disable Compute Engine API.
You can get another Compute Engine default Service Account by enabling for example the ‘Dataproc’ API:
Go to the Google Cloud Platform Console and click on ‘Products & Services’ which is the icon with the four bars at the top left hand corner.
On the menu go to the ‘Big Data’ section and click on ‘Dataproc’.
Click on Enable API and after a short time a new default service account will be created.
You can use this new default Service Account to work with.
Please note that previous resources created with the previously deleted service account might not function properly.
Another solution would be creating a new project and redeploying your instances there.
Best Answer
It happened on my project this morning. Disabling the Container Engine API and enabling it again should resolve the issue.