This page describes the access control options that are available to you in Cloud Bigtable.
Overview
Cloud Bigtable uses Google Cloud Identity and Access Management (IAM) for access control.
For Cloud Bigtable, you can configure access control at the project level and the instance level. Here are some examples of using access control at the project level:
- Allow a user to read from, but not write to, any table within the project.
- Allow a user to read from and write to any table within the project, but not manage instances.
- Allow a user to read from and write to any table within the project, and manage instances.
Here are some examples of using access control at the instance level:
- Allow a user to read from any table in a development instance, with no access to tables in a production instance.
- Allow a user to read from and write to any table in a development instance, and to read from any table in a production instance.
- Allow a user to manage a development instance, but not a production instance.
For a detailed description of IAM and its features, see the Google Cloud Identity and Access Management developer's guide. In particular, see Granting, Changing, and Revoking Access to Project Members.
For lists of the permissions and roles that Cloud Bigtable supports, see the following sections.
Enabling the Cloud Bigtable API
In order to view and assign Cloud Bigtable IAM roles, you must enable the Cloud Bigtable API for your project. You will not be able to see the Cloud Bigtable roles in the GCP Console until you enable the API.
Permissions
This section summarizes the permissions that Cloud Bigtable supports.
Permissions allow users to perform specific actions on Cloud Bigtable
resources. For example, the bigtable.instances.list permissions allows
users to list all of the Cloud Bigtable instances within a project. You
don't grant permissions to users directly; instead, you assign each user a
predefined role or custom role, which grants one or
more permissions.
The following tables list the IAM permissions that are associated with Cloud Bigtable:
| Location permission name | Description |
|---|---|
bigtable.locations.list |
List Cloud Bigtable locations. |
| Instance permission name | Description |
|---|---|
bigtable.instances.create |
Create a Cloud Bigtable instance. |
bigtable.instances.delete |
Delete a Cloud Bigtable instance. |
bigtable.instances.get |
Get information about a Cloud Bigtable instance. |
bigtable.instances.list |
List a project's Cloud Bigtable instances. |
bigtable.instances.update |
Update the settings for a Cloud Bigtable instance. |
| App profile permission name | Description |
|---|---|
bigtable.appProfiles.create |
Create a Cloud Bigtable app profile. |
bigtable.appProfiles.delete |
Delete a Cloud Bigtable app profile. |
bigtable.appProfiles.get |
Get information about a Cloud Bigtable app profile. |
bigtable.appProfiles.list |
List an instance's Cloud Bigtable app profiles. |
bigtable.appProfiles.update |
Update the settings for a Cloud Bigtable app profile. |
| Cluster permission name | Description |
|---|---|
bigtable.clusters.create |
Create a Cloud Bigtable cluster. |
bigtable.clusters.delete |
Delete a Cloud Bigtable cluster. |
bigtable.clusters.get |
Get information about a Cloud Bigtable cluster. |
bigtable.clusters.list |
List an instance's Cloud Bigtable clusters. |
bigtable.clusters.update |
Update the settings for a Cloud Bigtable cluster. |
| Table permission name | Description |
|---|---|
bigtable.tables.checkConsistency |
Check if a replicated table is up to date. |
bigtable.tables.create |
Create a table. |
bigtable.tables.delete |
Delete a table. |
bigtable.tables.generateConsistencyToken |
Generate token to check if a replicated table is up to date. |
bigtable.tables.get |
Get information about a table, including column families and their individual settings. |
bigtable.tables.list |
List tables in an instance. |
bigtable.tables.mutateRows |
Modify rows within a table, or truncate the table. |
bigtable.tables.readRows |
Read rows from a table. |
bigtable.tables.sampleRowKeys |
Get a sample of the row keys that are used in a table. |
bigtable.tables.update |
Update the settings for a table, including column families and their individual settings. |
Predefined roles
Each predefined role is a bundle of one or more permissions. For
example, roles/bigtable.reader provides read-only access to information about
Cloud Bigtable instances, clusters, tables, and column families, as well
as the data contained within your tables. You assign roles to users or groups,
which allows them to perform actions on the resources in your project.
The following table lists the predefined roles for Cloud Bigtable, including a list of the permissions associated with each role:
| Role | Permissions | Description |
|---|---|---|
roles/bigtable.admin |
Access to all Cloud Bigtable features:
View access to monitoring graphs in the GCP Console:
Access to project-level metadata:
|
Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators. |
roles/bigtable.user |
Read-only access to metadata for instances, clusters, tables, and column families:
Read-write access to tables:
View access to monitoring graphs in the GCP Console:
Access to project-level metadata:
|
Provides read-write access to the data stored within tables. Intended for application developers or service accounts. |
roles/bigtable.reader |
Read-only access to metadata for instances, clusters, tables, and column families:
Read-only access to tables:
View access to monitoring graphs in the GCP Console:
Access to project-level metadata:
|
Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios. |
roles/bigtable.viewer |
Read-only access to metadata for instances, clusters, tables, and column families:
View access to monitoring graphs in the GCP Console:
Access to project-level metadata:
|
Provides no data access. Intended as a minimal set of permissions to access the GCP Console for Cloud Bigtable. |
Custom roles
If the predefined roles for Cloud Bigtable do not address your business requirements, you can define your own custom roles with permissions that you specify.
If your custom role needs to support access to the GCP Console, you must identify the tasks that users will perform, then ensure that the custom role has the required permissions for each task, as shown in the table below. If a custom role does not have all of the required permissions for a task, and a user tries to perform that task, the GCP Console will not work correctly.
| GCP Console task | Required permissions |
|---|---|
| Basic access to the GCP Console |
|
| Create an instance or cluster |
Basic access permissions, plus:
|
| Modify an instance or cluster |
Basic access permissions, plus:
|
| Manage replication configuration |
Basic access permissions, plus:
|
| Delete an instance or cluster |
Basic access permissions, plus:
|
| Monitor an instance by viewing graphs |
Basic access permissions, plus:
|
Project-level IAM management
At the project level, you can grant, change, and revoke IAM roles using the
Google Cloud Platform Console, the IAM API, or the gcloud command-line tool. See
Granting, Changing, and Revoking Access to Project Members for
detailed instructions.
Instance-level IAM management
This section explains how to manage Cloud Bigtable IAM roles at the instance level.
Before you begin
Before you set instance-level IAM roles for a user, ensure that the user has at least one of the following project-level IAM roles:
- Bigtable Viewer (recommended)
- Bigtable Reader
- Bigtable User
- Bigtable Administrator
Choose a project-level role that has no more permissions than the user actually needs across all instances in the project. For this reason, you should grant the Bigtable Viewer role in almost all cases.
If the user does not have at least one of these project-level roles, the user will not have access to Cloud Bigtable through the GCP Console. The GCP Console requires one of these project-level roles so that it can retrieve information about instances and clusters on behalf of the user.
Granting instance-level IAM roles
At the instance level, you can grant any of Cloud Bigtable's predefined roles to a user or service account. You can also grant any custom roles that you have defined.
To grant a predefined or custom role to a user or service account at the instance level:
Go to the Cloud Bigtable instances page in the GCP Console.
Check the boxes next to the instances whose roles you want to manage. An information panel appears.
In the information panel, click Permissions.
Under Add members, start typing the email address of the user or service account you want to add, then click the email address of the user or service account.
Click the Select a role drop-down list, then click Cloud Bigtable to select a predefined role or Custom to select a custom role.
Click the name of each role that you want to assign.
Click Add. The user or service account is granted the roles that you specified at the instance level.
What's next
Learn more about Google Cloud Identity and Access Management.
