diff --git a/providers/dns/gcloud/googlecloud.go b/providers/dns/gcloud/googlecloud.go
index d81cca02b19..ff9fb6f077f 100644
--- a/providers/dns/gcloud/googlecloud.go
+++ b/providers/dns/gcloud/googlecloud.go
@@ -32,9 +32,9 @@ const (
 
 	EnvServiceAccount   = envNamespace + "SERVICE_ACCOUNT"
 	EnvProject          = envNamespace + "PROJECT"
+	EnvZoneID           = envNamespace + "ZONE_ID"
 	EnvAllowPrivateZone = envNamespace + "ALLOW_PRIVATE_ZONE"
 	EnvDebug            = envNamespace + "DEBUG"
-	EnvZoneID           = envNamespace + "ZONE_ID"
 
 	EnvTTL                = envNamespace + "TTL"
 	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
@@ -45,6 +45,7 @@ const (
 type Config struct {
 	Debug              bool
 	Project            string
+	ZoneID             string
 	AllowPrivateZone   bool
 	PropagationTimeout time.Duration
 	PollingInterval    time.Duration
@@ -56,6 +57,7 @@ type Config struct {
 func NewDefaultConfig() *Config {
 	return &Config{
 		Debug:              env.GetOrDefaultBool(EnvDebug, false),
+		ZoneID:             env.GetOrDefaultString(EnvZoneID, ""),
 		AllowPrivateZone:   env.GetOrDefaultBool(EnvAllowPrivateZone, false),
 		TTL:                env.GetOrDefaultInt(EnvTTL, dns01.DefaultTTL),
 		PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 180*time.Second),
@@ -309,6 +311,30 @@ func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
 	return d.config.PropagationTimeout, d.config.PollingInterval
 }
 
+// getHostedZone returns the managed-zone.
+func (d *DNSProvider) getHostedZone(domain string) (string, error) {
+	authZone, zones, err := d.lookupHostedZoneID(domain)
+	if err != nil {
+		return "", err
+	}
+
+	if len(zones) == 0 {
+		return "", fmt.Errorf("no matching domain found for domain %s", authZone)
+	}
+
+	for _, z := range zones {
+		if z.Visibility == "public" || z.Visibility == "" || (z.Visibility == "private" && d.config.AllowPrivateZone) {
+			return z.Name, nil
+		}
+	}
+
+	if d.config.AllowPrivateZone {
+		return "", fmt.Errorf("no public or private zone found for domain %s", authZone)
+	}
+
+	return "", fmt.Errorf("no public zone found for domain %s", authZone)
+}
+
 // lookupHostedZoneID finds the managed zone ID in Google.
 //
 // Be careful here.
@@ -321,20 +347,20 @@ func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
 //	(gcloud projects get-iam-policy $project_id) (a role with permission dns.managedZones.list)
 //
 // If we force a zone list to succeed, we demand more permissions than needed.
-func (d *DNSProvider) lookupHostedZoneID(domain string) (authZone string, gZones []*dns.ManagedZone, err error) {
+func (d *DNSProvider) lookupHostedZoneID(domain string) (string, []*dns.ManagedZone, error) {
 	// GCE_ZONE_ID override for service accounts to avoid needing zones-list permission
-	if zoneID := env.GetOrDefaultString(EnvZoneID, ""); zoneID != "" {
-		var gcloudZone *dns.ManagedZone
-		gcloudZone, err = d.client.ManagedZones.Get(d.config.Project, zoneID).Do()
+	if d.config.ZoneID != "" {
+		zone, err := d.client.ManagedZones.Get(d.config.Project, d.config.ZoneID).Do()
 		if err != nil {
-			return "", nil, fmt.Errorf("API call ManagedZones.Get for explicit zone-id %q in project %q failed: %w", zoneID, d.config.Project, err)
+			return "", nil, fmt.Errorf("API call ManagedZones.Get for explicit zone ID %q in project %q failed: %w", d.config.ZoneID, d.config.Project, err)
 		}
-		return gcloudZone.DnsName, []*dns.ManagedZone{gcloudZone}, nil
+
+		return zone.DnsName, []*dns.ManagedZone{zone}, nil
 	}
 
-	authZone, err = dns01.FindZoneByFqdn(dns01.ToFqdn(domain))
+	authZone, err := dns01.FindZoneByFqdn(dns01.ToFqdn(domain))
 	if err != nil {
-		return "", nil, fmt.Errorf("designate: could not find zone for FQDN %q: %w", domain, err)
+		return "", nil, fmt.Errorf("could not find zone for FQDN %q: %w", domain, err)
 	}
 
 	zones, err := d.client.ManagedZones.
@@ -348,30 +374,6 @@ func (d *DNSProvider) lookupHostedZoneID(domain string) (authZone string, gZones
 	return authZone, zones.ManagedZones, nil
 }
 
-// getHostedZone returns the managed-zone.
-func (d *DNSProvider) getHostedZone(domain string) (string, error) {
-	authZone, zones, err := d.lookupHostedZoneID(domain)
-	if err != nil {
-		return "", err
-	}
-
-	if len(zones) == 0 {
-		return "", fmt.Errorf("no matching domain found for domain %s", authZone)
-	}
-
-	for _, z := range zones {
-		if z.Visibility == "public" || z.Visibility == "" || (z.Visibility == "private" && d.config.AllowPrivateZone) {
-			return z.Name, nil
-		}
-	}
-
-	if d.config.AllowPrivateZone {
-		return "", fmt.Errorf("no public or private zone found for domain %s", authZone)
-	}
-
-	return "", fmt.Errorf("no public zone found for domain %s", authZone)
-}
-
 func (d *DNSProvider) findTxtRecords(zone, fqdn string) ([]*dns.ResourceRecordSet, error) {
 	recs, err := d.client.ResourceRecordSets.List(d.config.Project, zone).Name(fqdn).Type("TXT").Do()
 	if err != nil {