Auth via a service-account JSON key (content, not a file path) or Application Default Credentials when the plugin runs on GCE/Cloud Run with attached identity. Uses gcp_auth to fetch bearer tokens per op.
Cloud DNS addresses records by (managedZone, name, type); the atomic Changes endpoint takes additions+deletions in one request, so upsert sends delete-old + add-new together. Zone resolution walks parent labels against /projects/{id}/managedZones and matches against the zone's dnsName (trailing-dot-aware).
Options schema: project_id (non-secret, required) and service_account_json (secret, optional, falls back to ADC when omitted).