Access Control

This page describes the access control options that are available to you in Cloud Bigtable.

Overview

Cloud Bigtable uses Google Cloud Identity and Access Management (IAM) for access control.

For Cloud Bigtable, you can configure access control at the project level. For example, you can grant the ability to:

  • Read from, but not write to, any table within the project.
  • Read from and write to any table within the project, but not manage instances.
  • Read from and write to any table within the project, and manage instances.

For a detailed description of IAM and its features, see the Google Cloud Identity and Access Management developer's guide. In particular, see Granting, Changing, and Revoking Access to Project Members.

For lists of the permissions and roles that Cloud Bigtable supports, see the following sections.

Enabling the Cloud Bigtable API

In order to view and assign Cloud Bigtable IAM roles, you must enable the Cloud Bigtable API for your project. You will not be able to see the Cloud Bigtable roles in the Cloud Platform Console until you enable the API.

Permissions

This section summarizes the permissions that Cloud Bigtable supports.

Permissions allow users to perform specific actions on Cloud Bigtable resources. For example, the bigtable.instances.list permission allows users to list all of the Cloud Bigtable instances within a project. You don't grant permissions to users directly; instead, you assign each user a predefined role or custom role, which grants one or more permissions.

The following tables list the IAM permissions that are associated with Cloud Bigtable:

Instance permission name          Description
bigtable.instances.create         Create a Cloud Bigtable instance.
bigtable.instances.delete         Delete a Cloud Bigtable instance.
bigtable.instances.get            Get information about a Cloud Bigtable instance.
bigtable.instances.list           List a project's Cloud Bigtable instances.
bigtable.instances.update         Update the settings for a Cloud Bigtable instance.

Cluster permission name           Description
bigtable.clusters.create          Create a Cloud Bigtable cluster.
bigtable.clusters.delete          Delete a Cloud Bigtable cluster.
bigtable.clusters.get             Get information about a Cloud Bigtable cluster.
bigtable.clusters.list            List an instance's Cloud Bigtable clusters.
bigtable.clusters.update          Update the settings for a Cloud Bigtable cluster.

Table permission name             Description
bigtable.tables.create            Create a table.
bigtable.tables.delete            Delete a table.
bigtable.tables.get               Get information about a table.
bigtable.tables.list              List tables in an instance.
bigtable.tables.mutateRows        Modify rows within a table, or truncate the table.
bigtable.tables.readRows          Read rows from a table.
bigtable.tables.sampleRowKeys     Get a sample of the row keys that are used in a table.
bigtable.tables.update            Update the settings for a table.

Column family permission name     Description
bigtable.columnfamilies.create    Create a column family.
bigtable.columnfamilies.delete    Delete a column family.
bigtable.columnfamilies.get       Get information about a column family.
bigtable.columnfamilies.list      List the column families within a table.
bigtable.columnfamilies.update    Update the settings for a column family.

Predefined roles

Each predefined role is a bundle of one or more permissions. For example, roles/bigtable.reader provides read-only access to information about Cloud Bigtable instances, clusters, tables, and column families, as well as the data contained within your tables. You assign roles to users or groups, which allows them to perform actions on the resources in your project.

The following table lists the predefined roles for Cloud Bigtable, including a list of the permissions associated with each role:

Role: roles/bigtable.admin
Permissions:
  Access to all Cloud Bigtable features:
    • bigtable.*.*
  View access to monitoring graphs in the Cloud Platform Console:
    • monitoring.metricDescriptors.get
    • monitoring.metricDescriptors.list
    • monitoring.timeSeries.list
  Access to project-level metadata:
    • resourcemanager.projects.get
Description: Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators.

Role: roles/bigtable.user
Permissions:
  Read-only access to metadata for instances, clusters, tables, and column families:
    • bigtable.*.get
    • bigtable.*.list
  Read-write access to tables:
    • bigtable.tables.mutateRows
    • bigtable.tables.readRows
    • bigtable.tables.sampleRowKeys
  View access to monitoring graphs in the Cloud Platform Console:
    • monitoring.metricDescriptors.get
    • monitoring.metricDescriptors.list
    • monitoring.timeSeries.list
  Access to project-level metadata:
    • resourcemanager.projects.get
Description: Provides read-write access to the data stored within tables. Intended for application developers or service accounts.

Role: roles/bigtable.reader
Permissions:
  Read-only access to metadata for instances, clusters, tables, and column families:
    • bigtable.*.get
    • bigtable.*.list
  Read-only access to tables:
    • bigtable.tables.readRows
    • bigtable.tables.sampleRowKeys
  View access to monitoring graphs in the Cloud Platform Console:
    • monitoring.metricDescriptors.get
    • monitoring.metricDescriptors.list
    • monitoring.timeSeries.list
  Access to project-level metadata:
    • resourcemanager.projects.get
Description: Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios.

Role: roles/bigtable.viewer
Permissions:
  Read-only access to metadata for instances, clusters, tables, and column families:
    • bigtable.*.get
    • bigtable.*.list
  View access to monitoring graphs in the Cloud Platform Console:
    • monitoring.metricDescriptors.get
    • monitoring.metricDescriptors.list
    • monitoring.timeSeries.list
  Access to project-level metadata:
    • resourcemanager.projects.get
Description: Provides no data access. Intended to be used as a minimal set of permissions to access the Cloud Platform Console for Cloud Bigtable.

Custom roles

If the predefined roles for Cloud Bigtable do not address your business requirements, you can define your own custom roles with permissions that you specify.

If your custom role needs to support access to the Cloud Platform Console, you must identify the tasks that users will perform, then ensure that the custom role has the required permissions for each task, as shown in the table below. If a custom role does not have all of the required permissions for a task, and a user tries to perform that task, the Cloud Platform Console will not work correctly.

Task: Basic access to the Cloud Platform Console
Required permissions:
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • resourcemanager.projects.get

Task: Create an instance or cluster
Required permissions: basic access permissions, plus:
  • bigtable.clusters.create
  • bigtable.instances.create

Task: Modify an instance or cluster
Required permissions: basic access permissions, plus:
  • bigtable.clusters.update
  • bigtable.instances.update

Task: Delete an instance or cluster
Required permissions: basic access permissions, plus:
  • bigtable.clusters.delete
  • bigtable.instances.delete

Task: Monitor an instance by viewing graphs
Required permissions: basic access permissions, plus:
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
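
The following is an added example, not code from Google or this documentation, that encodes the predefined roles and the Console task table above and checks a role's permission set against them: which Console tasks a custom role can complete, what it is missing, and the least-privileged predefined role that covers a required set. It assumes the page's wildcards (bigtable.*.get, bigtable.*.*) can be expanded with glob matching and that the predefined roles order viewer < reader < user < admin by privilege.

```python
from fnmatch import fnmatchcase

# Predefined roles as this page lists them, in order from least to most privileged.
# Wildcards are kept as written and resolved with fnmatch (an assumption).
PREDEFINED_ROLES = {
    "roles/bigtable.viewer": {"bigtable.*.get", "bigtable.*.list"},
    "roles/bigtable.reader": {"bigtable.*.get", "bigtable.*.list",
                              "bigtable.tables.readRows", "bigtable.tables.sampleRowKeys"},
    "roles/bigtable.user": {"bigtable.*.get", "bigtable.*.list", "bigtable.tables.readRows",
                            "bigtable.tables.sampleRowKeys", "bigtable.tables.mutateRows"},
    "roles/bigtable.admin": {"bigtable.*.*"},
}
# Every predefined role also carries the monitoring and project-metadata permissions.
COMMON = {"monitoring.metricDescriptors.get", "monitoring.metricDescriptors.list",
          "monitoring.timeSeries.list", "resourcemanager.projects.get"}
for _perms in PREDEFINED_ROLES.values():
    _perms |= COMMON

BASIC_CONSOLE = {"bigtable.clusters.get", "bigtable.clusters.list",
                 "bigtable.instances.get", "bigtable.instances.list",
                 "resourcemanager.projects.get"}
CONSOLE_TASKS = {  # the Cloud Platform Console task table on this page
    "Basic access": BASIC_CONSOLE,
    "Create an instance or cluster": BASIC_CONSOLE | {"bigtable.clusters.create", "bigtable.instances.create"},
    "Modify an instance or cluster": BASIC_CONSOLE | {"bigtable.clusters.update", "bigtable.instances.update"},
    "Delete an instance or cluster": BASIC_CONSOLE | {"bigtable.clusters.delete", "bigtable.instances.delete"},
    "Monitor an instance by viewing graphs": BASIC_CONSOLE | {
        "monitoring.metricDescriptors.get", "monitoring.metricDescriptors.list", "monitoring.timeSeries.list"},
}

def grants(granted, permission):
    """True if any granted entry (literal or wildcard such as bigtable.*.get) covers permission."""
    return any(fnmatchcase(permission, pattern) for pattern in granted)

def missing(granted, required):
    """Required permissions that the granted set does not cover, sorted for stable output."""
    return sorted(p for p in required if not grants(granted, p))

def console_tasks_allowed(granted):
    """Console tasks from the table above that a role with these permissions can complete."""
    return [task for task, req in CONSOLE_TASKS.items() if not missing(granted, req)]

def least_privileged_role(required):
    """First predefined role (least to most privileged) covering every required permission."""
    for role, perms in PREDEFINED_ROLES.items():
        if not missing(perms, required):
            return role
    return None  # no predefined role fits; a custom role would be needed
```

A custom role that lists the four bigtable.*.get/list permissions but omits resourcemanager.projects.get fails the basic-access check, which is exactly the case the text above warns will make the Console misbehave.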

Cloud Bigtable IAM management

You can grant, change, and revoke access to project members using the Google Cloud Platform Console, the IAM API, or the gcloud command-line tool. See Granting, Changing, and Revoking Access to Project Members for detailed instructions.

What's next

Learn more about Google Cloud Identity and Access Management.
