diff --git a/AUTHORS.md b/AUTHORS.md
index 4b8dd9e73..410e72030 100644
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -68,6 +68,7 @@ Authors
 * [Daniel Convissor](https://github.com/convissor)
 * [Daniel "Drex" Drexler](https://github.com/aeturnum)
 * [Daniel Huang](https://github.com/dhuang)
+* [Daniel McMahon] (https://github.com/igloodan)
 * [Dave Guarino](https://github.com/daguar)
 * [David cz](https://github.com/dave-cz)
 * [David Dworken](https://github.com/ddworken)
diff --git a/certbot-dns-google/certbot_dns_google/__init__.py b/certbot-dns-google/certbot_dns_google/__init__.py
index 2cac34652..19f81c0c6 100644
--- a/certbot-dns-google/certbot_dns_google/__init__.py
+++ b/certbot-dns-google/certbot_dns_google/__init__.py
@@ -38,6 +38,19 @@ for an account with the following permissions:
 * ``dns.resourceRecordSets.list``
 * ``dns.resourceRecordSets.update``
 
+(The closest role is `dns.admin <https://cloud.google.com/dns/docs/
+access-control#dns.admin>`_).
+
+If the above permissions are assigned at the `resource level <https://cloud
+.google.com/dns/docs/zones/iam-per-resource-zones>`_, the same user must
+have, at the PROJECT level, the following permissions:
+
+* ``dns.managedZones.get``
+* ``dns.managedZones.list``
+
+(The closest role is `dns.reader <https://cloud.google.com/dns/docs/
+access-control#dns.reader>`_).
+
 Google provides instructions for `creating a service account <https://developers
 .google.com/identity/protocols/OAuth2ServiceAccount#creatinganaccount>`_ and
 `information about the required permissions <https://cloud.google.com/dns/access