Grant AlloyDB access to other users

This page describes how to grant a Google Cloud user account or service account access to AlloyDB resources in a project.

Depending on the scope of control you want the account to have, you grant it one of these predefined IAM roles:

  • roles/alloydb.admin to grant full control for all AlloyDB resources
  • roles/alloydb.viewer to grant read-only access to all AlloyDB resources
  • roles/alloydb.client to grant connectivity access to AlloyDB instances from clients connecting with the AlloyDB Auth proxy

For detailed information about the specific IAM permissions these roles provide, see Predefined AlloyDB IAM roles.

Prerequisites

  • The Cloud project you are using must have been enabled to access AlloyDB.
  • You must have the roles/owner (Owner) basic IAM role in the Cloud project you are using, or a role that grants these permissions:
    • resourcemanager.projects.get
    • resourcemanager.projects.getIamPolicy
    • resourcemanager.projects.setIamPolicy

    To gain these permissions while following the principle of least privilege, ask your administrator to grant you the roles/resourcemanager.projectIamAdmin (Project IAM Admin) role.

  • Enable the Resource Manager API in the Cloud project you are using.

Procedure

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Use the add-iam-policy-binding command to grant an AlloyDB predefined role to an IAM principal (user account or service account).

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=PRINCIPAL \
    --role=ALLOYDB_ROLE

  • PROJECT_ID: The ID of the project enabled to access AlloyDB.
  • PRINCIPAL: The type and email ID (email address) of the principal:
    • For user accounts: user:EMAIL_ID
    • For service accounts: serviceAccount:EMAIL_ID
  • ALLOYDB_ROLE: The value roles/alloydb.admin, roles/alloydb.viewer, or roles/alloydb.client, depending on the role you want to grant the principal. For details about the permissions these roles grant, see Predefined AlloyDB IAM roles.
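
After granting a role, it helps to review who now holds the three AlloyDB predefined roles in the project. The following is an added example, not part of the original page: it reads a policy in the JSON shape returned by gcloud projects get-iam-policy PROJECT_ID --format=json, lists the holders of each AlloyDB role, and flags roles/alloydb.admin grants and principals that are not user or service accounts. The sample policy, the function names, and the review reasons are assumptions made for illustration.

```python
import json

# The three predefined roles named on this page.
ALLOYDB_ROLES = ("roles/alloydb.admin", "roles/alloydb.viewer", "roles/alloydb.client")
# Principal types the page's procedure covers.
EXPECTED_PREFIXES = ("user:", "serviceAccount:")

# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/alloydb.admin",  "members": ["user:dba@example.com"]},
    {"role": "roles/alloydb.client", "members": [
        "serviceAccount:app@example-project.iam.gserviceaccount.com",
        "group:contractors@example.com"]},
    {"role": "roles/alloydb.viewer", "members": [
        "user:dba@example.com",
        "deleted:user:former@example.com?uid=123456789"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
  ],
  "etag": "BwXXXXXXXXX=",
  "version": 1
}
""")


def alloydb_grants(policy):
    """Map each AlloyDB predefined role to the sorted principals that hold it."""
    grants = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") in ALLOYDB_ROLES:
            grants.setdefault(binding["role"], set()).update(binding.get("members", []))
    return {role: sorted(members) for role, members in grants.items()}


def review_items(policy):
    """Return (principal, role, reason) tuples that deserve a second look."""
    items = []
    for role, members in sorted(alloydb_grants(policy).items()):
        for member in members:
            if not member.startswith(EXPECTED_PREFIXES):
                items.append((member, role, "not a user or service account"))
            elif role == "roles/alloydb.admin":
                items.append((member, role, "full control; confirm it is needed"))
    return items


if __name__ == "__main__":
    for principal, role, reason in review_items(SAMPLE_POLICY):
        print(f"{role:22} {principal}: {reason}")
```

To run it against a real project, save the gcloud JSON output to a file and pass the parsed contents to review_items in place of SAMPLE_POLICY.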