This page lists the IAM predefined roles and permissions for AlloyDB.
In order to assign these roles and permissions to an IAM account:
-
The Cloud Resource Manager API must be enabled in the Google Cloud project.
- You must have the
roles/owner(Owner) basic IAM role in the Google Cloud project, or a role that grants these permissions:resourcemanager.projects.getresourcemanager.projects.getIamPolicyresourcemanager.projects.setIamPolicy
To gain these permissions while following the principle of least privilege, ask your administrator to grant you the
roles/resourcemanager.projectIamAdmin(Project IAM Admin) role.
Predefined AlloyDB IAM roles
The following table lists the predefined roles available for AlloyDB, along with their AlloyDB permissions:
| Predefined role name | Description AlloyDB permissions |
|---|---|
roles/alloydb.adminCloud AlloyDB Admin |
Full control for all AlloyDB resources. alloydb.* |
roles/alloydb.clientCloud AlloyDB Client |
Connectivity access to AlloyDB instances from clients. alloydb.clusters.generateClientCertificatealloydb.clusters.getalloydb.instances.connectalloydb.instances.get |
roles/alloydb.databaseUserCloud AlloyDB Database User |
Authenticated database-user access to AlloyDB instances. alloydb.clusters.getalloydb.instances.getalloydb.users.loginalloydb.instances.executeSql |
roles/alloydb.viewerCloud AlloyDB Viewer |
Read-only access to all AlloyDB resources. alloydb.*.getalloydb.*.getIamPolicyalloydb.*.list |
AlloyDB IAM permissions and their roles
The following table lists each permission that AlloyDB supports and the predefined AlloyDB roles that include it.
| Permission | AlloyDB roles |
|---|---|
alloydb.backups.create |
Cloud AlloyDB Admin |
alloydb.backups.createTagBinding |
Cloud AlloyDB Admin |
alloydb.backups.delete |
Cloud AlloyDB Admin |
alloydb.backups.deleteTagBinding |
Cloud AlloyDB Admin |
alloydb.backups.get |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.backups.getIamPolicy |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.backups.list |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.backups.listTagBindings |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.backups.listEffectiveTags |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.backups.setIamPolicy |
Cloud AlloyDB Admin |
alloydb.backups.update |
Cloud AlloyDB Admin |
alloydb.clusters.create |
Cloud AlloyDB Admin |
alloydb.clusters.createTagBinding |
Cloud AlloyDB Admin |
alloydb.clusters.delete |
Cloud AlloyDB Admin |
alloydb.clusters.deleteTagBinding |
Cloud AlloyDB Admin |
alloydb.clusters.failover |
Cloud AlloyDB Admin |
alloydb.clusters.generateClientCertificate |
Cloud AlloyDB Admin Cloud AlloyDB Client |
alloydb.clusters.get |
Cloud AlloyDB Admin Cloud AlloyDB Client Cloud AlloyDB Viewer |
alloydb.clusters.getIamPolicy |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.clusters.import |
Cloud AlloyDB Admin |
alloydb.clusters.list |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.clusters.listTagBindings |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.clusters.listEffectiveTags |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.clusters.setIamPolicy |
Cloud AlloyDB Admin |
alloydb.clusters.update |
Cloud AlloyDB Admin |
alloydb.databases.list |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.instances.connect |
Cloud AlloyDB Admin Cloud AlloyDB Client |
alloydb.instances.create |
Cloud AlloyDB Admin |
alloydb.instances.delete |
Cloud AlloyDB Admin |
alloydb.instances.executeSql |
Cloud AlloyDB Admin Cloud AlloyDB Database User |
alloydb.instances.failover |
Cloud AlloyDB Admin |
alloydb.instances.get |
Cloud AlloyDB Admin Cloud AlloyDB Client Cloud AlloyDB Database User Cloud AlloyDB Viewer |
alloydb.instances.getIamPolicy |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.instances.list |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.instances.restart |
Cloud AlloyDB Admin |
alloydb.instances.setIamPolicy |
Cloud AlloyDB Admin |
alloydb.instances.update |
Cloud AlloyDB Admin |
alloydb.locations.get |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.locations.list |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.users.login |
Cloud AlloyDB Database User |
alloydb.operations.cancel |
Cloud AlloyDB Admin |
alloydb.operations.delete |
Cloud AlloyDB Admin |
alloydb.operations.get |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.operations.list |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.supportedDatabaseFlags.get |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.supportedDatabaseFlags.getIamPolicy |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.supportedDatabaseFlags.list |
Cloud AlloyDB Admin Cloud AlloyDB Viewer |
alloydb.supportedDatabaseFlags.setIamPolicy |
Cloud AlloyDB Admin |
alloydb.users.list |
Cloud AlloyDB Admin Cloud AlloyDB Client |
alloydb.users.get |
Cloud AlloyDB Admin Cloud AlloyDB Client |
alloydb.users.create |
Cloud AlloyDB Admin |
alloydb.users.update |
Cloud AlloyDB Admin |
alloydb.users.delete |
Cloud AlloyDB Admin |
alloydb.users.login |
Cloud AlloyDB Admin Cloud AlloyDB Database User |