This page explains how to prepare your AlloyDB for PostgreSQL instance to allow database authentication through Identity and Access Management (IAM).

IAM authentication complements database authentication through [standard PostgreSQL users](/alloydb/docs/database-users/manage-roles), which every AlloyDB cluster supports. If you enable IAM authentication on your cluster, then you can use either IAM or PostgreSQL user roles to authenticate with that cluster.

By default, an AlloyDB instance does not have IAM authentication enabled. To enable IAM authentication, complete the following steps:

- [Manually enable IAM authentication](#enable) on every instance that IAM users or service accounts need to connect to.

- For every IAM user or service account that needs to sign in as a database user, complete the following steps:

  1. Using IAM administrator tools, [grant that user or service account](#role) the `alloydb.databaseUser` and `serviceusage.serviceUsageConsumer` roles.

  2. Using the Google Cloud CLI, [create a database user](#create-user) corresponding to that user or service account on your AlloyDB cluster.

  3. Using a database administrator account such as `postgres`, [grant the new database user access privileges](#grant-privileges) to the appropriate database tables.

You can repeat these steps whenever you need to add further IAM users to your AlloyDB cluster.

Enable or disable IAM authentication

To enable IAM authentication on an instance, set [the `alloydb.iam_authentication` flag](/alloydb/docs/reference/alloydb-flags#alloydb.iam_authentication) on that instance to `on`.

To disable IAM authentication on an instance, set `alloydb.iam_authentication` back to its default value, `off`.

For more information about setting flags on AlloyDB instances, see [Configure an instance's database flags](/alloydb/docs/instance-configure-database-flags).

Grant an IAM user or service account access to an instance

Enabling IAM access for a new database user is a two-step process:

1. [Update your project's IAM settings](#enable) to grant AlloyDB database access to the appropriate IAM user or service account.

2. [Create a new database user on your cluster](#create-user), setting the username to the email address of the IAM user or service account.

You can repeat step two to give an IAM account access to other clusters inside your project.

Update an IAM account with the appropriate role

You can give IAM users or service accounts the ability to authenticate with AlloyDB instances by granting them the following IAM roles:

- `alloydb.databaseUser`: Lets the user connect to your AlloyDB instance.
- `serviceusage.serviceUsageConsumer`: Provides the user access to an API that checks permissions.

To do this, follow the instructions on [Grant access to other users](/alloydb/docs/user-grant-access#procedure). In the step where you select a role to grant to the IAM principal, choose `alloydb.databaseUser`.

Add an IAM user or service account to a cluster

Console

1. Go to the **Clusters** page.

   [Go to Clusters](https://console.cloud.google.com/alloydb/clusters)

2. Click the name of the cluster that you want to add a user to.

3. Click **Users**.

4. Click **Add user account**.

5. Select **Cloud IAM**.

6. In the **Principal** field, enter the IAM principal.

   For an IAM user account, supply the user account's full email address. For example, `kai@altostrat.com`.

   For an IAM service account, supply the service account's address *without* the `.gserviceaccount.com` suffix. For example, to specify the service account `my-service@my-project.iam.gserviceaccount.com`, you would use the value `my-service@my-project.iam` here.

7. To assign roles other than the default `alloydbsuperuser` to the user, follow these steps:

   1. Enter the name of the role in **Roles**.
   2. To add the role, press Enter or Tab.
   3. Select **x** for any role that you want to remove for that user.

   For more information, see [Predefined roles](/alloydb/docs/database-users/overview#predefined-roles).

8. Click **Add**.

gcloud

To create a PostgreSQL database user based on an IAM user or service account, use [the `gcloud alloydb users create` command](/sdk/gcloud/reference/alloydb/users/create).

```
gcloud alloydb users create USERNAME \
    --cluster=CLUSTER \
    --region=REGION \
    --type=IAM_BASED
```

Replace the following variables:

- `USERNAME`: Identifier for the IAM user that you want to add as a new database user.

  For an IAM user account, supply the user account's full email address. For example, `kai@altostrat.com`.

  For an IAM service account, supply the service account's address *without* the `.gserviceaccount.com` suffix. For example, to specify the service account `my-service@my-project.iam.gserviceaccount.com`, you would use the value `my-service@my-project.iam` here.

- `CLUSTER`: ID of the cluster to create this database user account within.

- `REGION`: ID of the region where the cluster resides. For example, `us-central1`.

Grant appropriate database permissions to IAM users

When an IAM user is added to a database instance, that new user is granted no privileges on any databases by default.

When a user or service account connects to a database, they can run queries against any database objects whose access has been granted to [PUBLIC](https://www.postgresql.org/docs/16/ddl-priv.html).

If they need additional access, more privileges can be granted using the [`GRANT` PostgreSQL statement](https://www.postgresql.org/docs/16/sql-grant.html).

```
GRANT SELECT ON TABLE_NAME TO "USERNAME";
```

Replace the following variables:

- `USERNAME`: Email address for the user. You must include double quotes around the address.

- `TABLE_NAME`: Name of the table you want to give the user access to.

Remove an IAM user or service account from a cluster

Console

1. Go to the **Clusters** page.

   [Go to Clusters](https://console.cloud.google.com/alloydb/clusters)

2. Click the name of the cluster you want to remove the user from.

3. Click **Users**.

4. On the row representing the user you want to remove, click **Open actions for this user**.

5. Select **Remove**.

6. In the **Remove user account?** dialog, click **Remove**.

gcloud

Use [the `gcloud alloydb users delete` command](/sdk/gcloud/reference/alloydb/users/delete).

```
gcloud alloydb users delete USERNAME \
    --cluster=CLUSTER \
    --region=REGION
```

Replace the following:

- `USERNAME`: Identifier of the IAM user that you want to remove from the cluster.

  For an IAM user account, supply the user account's full email address. For example, `kai@altostrat.com`.

  For an IAM service account, supply the service account's address *without* the `.gserviceaccount.com` suffix. For example, to specify the service account `my-service@my-project.iam.gserviceaccount.com`, you would use the value `my-service@my-project.iam` here.

- `CLUSTER`: ID of the cluster to remove this user from.

- `REGION`: ID of the region where the cluster resides. For example, `us-central1`.

What's next

- [Connect using an IAM account](/alloydb/docs/connect-iam)

Last updated 2025-08-26 UTC.
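The enable, grant-role, create-user and GRANT steps on this page as one shell plan, added here as an example rather than code from the AlloyDB documentation. It derives the database username from the IAM principal (the `.gserviceaccount.com` suffix rule that applies to both create and delete), quotes the username in the `GRANT` statement as the page requires, and prints the commands instead of running them; the `--database-flags` form of `gcloud alloydb instances update` and `gcloud projects add-iam-policy-binding` are not shown on this page and are assumed, as are the project, cluster, instance and table names.

```shell
#!/bin/sh
# Added example, not from the AlloyDB docs: derive the database username this
# page requires from an IAM principal and print the page's commands as a plan.
# Assumed (not shown on this page): `gcloud alloydb instances update
# --database-flags` and `gcloud projects add-iam-policy-binding`; the project,
# cluster, instance and table names are made up.

# Service accounts drop the ".gserviceaccount.com" suffix; user emails are
# used as-is (the rule this page repeats for create and delete).
db_username() {
  case "$1" in
    *.gserviceaccount.com) printf '%s\n' "${1%.gserviceaccount.com}" ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# IAM member string for add-iam-policy-binding: the principal-type prefix
# differs for users and service accounts.
iam_member() {
  case "$1" in
    *.gserviceaccount.com) printf 'serviceAccount:%s\n' "$1" ;;
    *) printf 'user:%s\n' "$1" ;;
  esac
}

# GRANT with the username as a quoted identifier, as the page requires; a
# double quote inside the name is doubled so the identifier cannot be broken.
grant_select_sql() {
  u=$(db_username "$1" | sed 's/"/""/g')
  printf 'GRANT SELECT ON %s TO "%s";\n' "$2" "$u"
}

# Print, rather than run, the steps in the page's order: enable the flag, grant
# the two IAM roles, create the IAM_BASED user, then grant table privileges.
plan() {
  p=$1; project=$2; cluster=$3; region=$4; instance=$5; table=$6
  m=$(iam_member "$p"); u=$(db_username "$p")
  cat <<EOF
# --database-flags is assumed to set the instance's whole flag list
gcloud alloydb instances update $instance --cluster=$cluster --region=$region --database-flags=alloydb.iam_authentication=on
gcloud projects add-iam-policy-binding $project --member=$m --role=roles/alloydb.databaseUser
gcloud projects add-iam-policy-binding $project --member=$m --role=roles/serviceusage.serviceUsageConsumer
gcloud alloydb users create $u --cluster=$cluster --region=$region --type=IAM_BASED
# then, as postgres: $(grant_select_sql "$p" "$table")
EOF
}

plan my-service@my-project.iam.gserviceaccount.com my-project my-cluster us-central1 my-primary orders
```

Because the user is created with gcloud and privileges are granted explicitly, the account starts with no privileges beyond those granted to PUBLIC, rather than the console's default `alloydbsuperuser` role.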