IAM roles and permissions for AlloyDB


This page lists the IAM predefined roles and permissions for AlloyDB.

To assign these roles and permissions to an IAM account:

  • The Resource Manager API must be enabled in the Cloud project.

  • You must have the roles/owner (Owner) basic IAM role in the Cloud project, or a role that grants these permissions:
    • resourcemanager.projects.get
    • resourcemanager.projects.getIamPolicy
    • resourcemanager.projects.setIamPolicy

    To gain these permissions while following the principle of least privilege, ask your administrator to grant you the roles/resourcemanager.projectIamAdmin (Project IAM Admin) role.

Predefined AlloyDB IAM roles

The following table lists the predefined roles available for AlloyDB, along with their AlloyDB permissions:

Predefined role name: roles/alloydb.admin (Cloud AlloyDB Admin)
  Description: Full control for all AlloyDB resources.
  AlloyDB permissions:
    • alloydb.*

Predefined role name: roles/alloydb.client (Cloud AlloyDB Client)
  Description: Connectivity access to AlloyDB instances from clients.
  AlloyDB permissions:
    • alloydb.clusters.generateClientCertificate
    • alloydb.clusters.get
    • alloydb.instances.connect
    • alloydb.instances.get

Predefined role name: roles/alloydb.viewer (Cloud AlloyDB Viewer)
  Description: Read-only access to all AlloyDB resources.
  AlloyDB permissions:
    • alloydb.*.get
    • alloydb.*.getIamPolicy
    • alloydb.*.list

AlloyDB IAM permissions and their roles

The following table lists each permission that AlloyDB supports and the predefined AlloyDB roles that include it.

Permission                                       AlloyDB roles
alloydb.backups.create                           Cloud AlloyDB Admin
alloydb.backups.delete                           Cloud AlloyDB Admin
alloydb.backups.get                              Cloud AlloyDB Admin, Cloud AlloyDB Viewer
alloydb.backups.getIamPolicy                     Cloud AlloyDB Admin, Cloud AlloyDB Viewer
alloydb.backups.list                             Cloud AlloyDB Admin, Cloud AlloyDB Viewer
alloydb.backups.setIamPolicy                     Cloud AlloyDB Admin
alloydb.backups.update                           Cloud AlloyDB Admin
alloydb.clusters.create                          Cloud AlloyDB Admin
alloydb.clusters.delete                          Cloud AlloyDB Admin
alloydb.clusters.failover                        Cloud AlloyDB Admin
alloydb.clusters.generateClientCertificate       Cloud AlloyDB Admin, Cloud AlloyDB Client
alloydb.clusters.get                             Cloud AlloyDB Admin, Cloud AlloyDB Client, Cloud AlloyDB Viewer
alloydb.clusters.getIamPolicy                    Cloud AlloyDB Admin, Cloud AlloyDB Viewer
alloydb.clusters.list                            Cloud AlloyDB Admin, Cloud AlloyDB Viewer
alloydb.clusters.setIamPolicy                    Cloud AlloyDB Admin
alloydb.clusters.update                          Cloud AlloyDB Admin
alloydb.instances.connect                        Cloud AlloyDB Admin, Cloud AlloyDB Client
alloydb.instances.create                         Cloud AlloyDB Admin
alloydb.instances.delete                         Cloud AlloyDB Admin
alloydb.instances.failover                       Cloud AlloyDB Admin
alloydb.instances.get                            Cloud AlloyDB Admin, Cloud AlloyDB Client, Cloud AlloyDB Viewer
alloydb.instances.getIamPolicy                   Cloud AlloyDB Admin, Cloud AlloyDB Viewer
alloydb.instances.list                           Cloud AlloyDB Admin, Cloud AlloyDB Viewer
alloydb.instances.restart                        Cloud AlloyDB Admin
alloydb.instances.setIamPolicy                   Cloud AlloyDB Admin
alloydb.instances.update                         Cloud AlloyDB Admin
alloydb.locations.get                            Cloud AlloyDB Admin, Cloud AlloyDB Viewer
alloydb.locations.list                           Cloud AlloyDB Admin, Cloud AlloyDB Viewer
alloydb.operations.cancel                        Cloud AlloyDB Admin
alloydb.operations.delete                        Cloud AlloyDB Admin
alloydb.operations.get                           Cloud AlloyDB Admin, Cloud AlloyDB Viewer
alloydb.operations.list                          Cloud AlloyDB Admin, Cloud AlloyDB Viewer
alloydb.supportedDatabaseFlags.get               Cloud AlloyDB Admin, Cloud AlloyDB Viewer
alloydb.supportedDatabaseFlags.getIamPolicy      Cloud AlloyDB Admin, Cloud AlloyDB Viewer
alloydb.supportedDatabaseFlags.list              Cloud AlloyDB Admin, Cloud AlloyDB Viewer
alloydb.supportedDatabaseFlags.setIamPolicy      Cloud AlloyDB Admin
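The two tables above are what a least-privilege review needs: the roles' permission patterns, and which predefined roles grant a given permission. The following is an added example, not part of this page or of the AlloyDB product, that encodes the three predefined roles from the first table, resolves which roles grant a permission, and flags principals that hold roles/alloydb.admin when a narrower predefined role would cover what they actually need. The principal names, the `SAMPLE_BINDINGS` policy excerpt and the `SAMPLE_NEEDS` map are constructed; the wildcard semantics are approximated with `fnmatch`.

```python
from fnmatch import fnmatchcase

# Predefined AlloyDB roles and the permission patterns each grants, as listed on this page
# (wildcards approximated with fnmatch). Admin is a strict superset of client and viewer;
# client and viewer are not nested in each other.
PREDEFINED_ROLES = {
    "roles/alloydb.client": ["alloydb.clusters.generateClientCertificate", "alloydb.clusters.get",
                             "alloydb.instances.connect", "alloydb.instances.get"],
    "roles/alloydb.viewer": ["alloydb.*.get", "alloydb.*.getIamPolicy", "alloydb.*.list"],
    "roles/alloydb.admin": ["alloydb.*"],
}
NARROWER_THAN = {"roles/alloydb.admin": {"roles/alloydb.client", "roles/alloydb.viewer"}}

def role_grants(role: str, permission: str) -> bool:
    """True if one of the role's permission patterns matches the permission."""
    return any(fnmatchcase(permission, pattern) for pattern in PREDEFINED_ROLES[role])

def roles_granting(permission: str) -> list[str]:
    """Predefined AlloyDB roles that include the permission, in client, viewer, admin order."""
    return [role for role in PREDEFINED_ROLES if role_grants(role, permission)]

def covering_roles(required: set[str]) -> list[str]:
    """Predefined roles granting every required permission; empty means only a custom role fits."""
    return [role for role in PREDEFINED_ROLES if all(role_grants(role, p) for p in required)]

def over_privileged_members(bindings: list[dict], needs: dict[str, set[str]]) -> list[tuple]:
    """Report (member, held role, narrower sufficient roles) where a member holds an AlloyDB role
    broader than one that still covers the permissions recorded for it in `needs`. `bindings`
    has the shape of the "bindings" list in `gcloud projects get-iam-policy --format=json`."""
    findings = []
    for binding in bindings:
        held = binding["role"]
        if held not in PREDEFINED_ROLES:
            continue  # basic, custom and non-AlloyDB roles are outside this check
        for member in binding["members"]:
            if member in needs:
                narrower = [r for r in covering_roles(needs[member]) if r in NARROWER_THAN.get(held, ())]
                if narrower:
                    findings.append((member, held, narrower))
    return findings

# Constructed sample (hypothetical principals): a policy excerpt and what each one actually needs.
APP_SA = "serviceAccount:app@example-project.iam.gserviceaccount.com"
SAMPLE_BINDINGS = [
    {"role": "roles/alloydb.admin", "members": ["user:dba@example.com", APP_SA]},
    {"role": "roles/alloydb.viewer", "members": ["group:oncall@example.com"]},
]
SAMPLE_NEEDS = {APP_SA: {"alloydb.instances.connect", "alloydb.clusters.get"},
                "group:oncall@example.com": {"alloydb.instances.list", "alloydb.instances.get"}}
```

Running `over_privileged_members(SAMPLE_BINDINGS, SAMPLE_NEEDS)` reports the application service account, which only connects to instances, as a candidate for roles/alloydb.client instead of Admin; the on-call group holding Viewer is not reported because Client is not a subset of Viewer.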