Identity and Access Management (IAM)

Google Cloud Platform offers Identity and Access Management (IAM), which lets you grant granular access to specific Google Cloud Platform resources while preventing unwanted access to others. This page describes the Google Cloud Datastore IAM roles and the permissions behind them. For a detailed description of Cloud IAM, read the IAM documentation.

IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM lets you control who (users) has which permissions (roles) on which resources by setting IAM policies. An IAM policy grants one or more roles to a user, and each role carries a set of permissions. For example, if you grant the datastore.indexAdmin role to a user, that user can create, modify, delete, list, or view indexes, but nothing else in Cloud Datastore.

Permissions and Roles

This section summarizes the permissions and roles Cloud Datastore supports.

Required Permissions

The following table lists the permissions that the caller must have to call each method:

Method                  Required permission(s)
allocateIds             datastore.entities.allocateIds
beginTransaction        datastore.databases.get
commit for an insert    datastore.entities.create
commit for an upsert    datastore.entities.create
                        datastore.entities.update
commit for an update    datastore.entities.update
commit for a delete     datastore.entities.delete
commit for a lookup     datastore.entities.get
                        For a lookup related to metadata or statistics, see Required Permissions for Metadata and Statistics.
commit for a query      datastore.entities.list
                        datastore.entities.get (if the query is not a keys-only query)
                        For a query related to metadata or statistics, see Required Permissions for Metadata and Statistics.
lookup                  datastore.entities.get
                        For a lookup related to metadata or statistics, see Required Permissions for Metadata and Statistics.
rollback                datastore.databases.get
runQuery                datastore.entities.list
                        datastore.entities.get (if the query is not a keys-only query)
                        For a query related to metadata or statistics, see Required Permissions for Metadata and Statistics.

Required Permissions for Metadata and Statistics

The following table lists the permissions that the caller must have to call methods that read metadata or statistics entities.

Method                                                    Required permission(s)
lookup of entities with kind names matching __Stat_*__    datastore.statistics.get
runQuery using kinds with names matching __Stat_*__       datastore.statistics.get
                                                          datastore.statistics.list
runQuery using the kind __namespace__                     datastore.namespaces.get
                                                          datastore.namespaces.list

Roles

With IAM, every API method in Cloud Datastore requires that the account making the API request have the appropriate permissions on the resource. Permissions are granted by setting policies that grant roles to a user, group, or service account. In addition to the primitive roles (owner, editor, and viewer), you can grant the Cloud Datastore roles below to the members of your project.

The following table lists the Cloud Datastore IAM roles. You can grant multiple roles to a user, group, or service account.

Role: roles/datastore.owner (with roles/appengine.appAdmin)
Permissions:
  appengine.applications.get
  datastore.databases.*
  datastore.entities.*
  datastore.indexes.*
  datastore.namespaces.*
  datastore.operations.*
  datastore.statistics.*
  resourcemanager.projects.get
  resourcemanager.projects.list
Description: Full access to Cloud Datastore.

Role: roles/datastore.owner (without roles/appengine.appAdmin)
Permissions:
  appengine.applications.get
  datastore.databases.*
  datastore.entities.*
  datastore.indexes.*
  datastore.namespaces.*
  datastore.operations.*
  datastore.statistics.*
  resourcemanager.projects.get
  resourcemanager.projects.list
Description: Full access to Cloud Datastore except the user, group, or service account cannot:

Role: roles/datastore.user
Permissions:
  appengine.applications.get
  datastore.databases.get
  datastore.entities.*
  datastore.indexes.list
  datastore.namespaces.get
  datastore.namespaces.list
  resourcemanager.projects.get
  resourcemanager.projects.list
Description: Read/write access to data in a Cloud Datastore database. Intended for application developers and service accounts.

Role: roles/datastore.viewer
Permissions:
  appengine.applications.get
  datastore.databases.get
  datastore.databases.list
  datastore.entities.get
  datastore.entities.list
  datastore.indexes.get
  datastore.indexes.list
  datastore.namespaces.get
  datastore.namespaces.list
  datastore.statistics.get
  datastore.statistics.list
  resourcemanager.projects.get
  resourcemanager.projects.list
Description: Read access to all Cloud Datastore resources.

Role: roles/datastore.importExportAdmin
Permissions:
  appengine.applications.get
  datastore.databases.export
  datastore.databases.import
  datastore.operations.cancel
  datastore.operations.get
  datastore.operations.list
  resourcemanager.projects.get
  resourcemanager.projects.list
Description: Full access to manage imports and exports.

Role: roles/datastore.indexAdmin
Permissions:
  appengine.applications.get
  datastore.indexes.*
  resourcemanager.projects.get
  resourcemanager.projects.list
Description: Full access to manage index definitions.
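The required-permission tables (per method, and for metadata and statistics) and the role table above combine into a simple least-privilege check: which API calls can a principal holding a given set of roles actually make? The following is an added example, not Google's code or any Cloud IAM API. It transcribes the page's tables into Python dictionaries, expands the `*` wildcard entries the role table uses, and reports the permissions a caller is still missing for a method. The method keys such as `commit:upsert`, `runQuery:keysOnly` and `runQuery:__Stat_*__` are this example's own naming for the rows of the tables; the page lists the same permission set for both rows of roles/datastore.owner, so the example keeps a single entry for that role.

```python
"""Resolve Cloud Datastore IAM roles to permissions and check API calls.

Added example (not Google's code): the role and method tables are transcribed
from the documentation page; the method keys are this example's own naming.
"""
import fnmatch

# Permissions granted by each Cloud Datastore role, from the roles table.
# Entries ending in ".*" are wildcards over the whole permission family.
ROLE_PERMISSIONS = {
    "roles/datastore.owner": {
        "appengine.applications.get", "datastore.databases.*",
        "datastore.entities.*", "datastore.indexes.*", "datastore.namespaces.*",
        "datastore.operations.*", "datastore.statistics.*",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    },
    "roles/datastore.user": {
        "appengine.applications.get", "datastore.databases.get",
        "datastore.entities.*", "datastore.indexes.list",
        "datastore.namespaces.get", "datastore.namespaces.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    },
    "roles/datastore.viewer": {
        "appengine.applications.get", "datastore.databases.get",
        "datastore.databases.list", "datastore.entities.get",
        "datastore.entities.list", "datastore.indexes.get",
        "datastore.indexes.list", "datastore.namespaces.get",
        "datastore.namespaces.list", "datastore.statistics.get",
        "datastore.statistics.list", "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    },
    "roles/datastore.importExportAdmin": {
        "appengine.applications.get", "datastore.databases.export",
        "datastore.databases.import", "datastore.operations.cancel",
        "datastore.operations.get", "datastore.operations.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    },
    "roles/datastore.indexAdmin": {
        "appengine.applications.get", "datastore.indexes.*",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    },
}

# Permissions each API call needs, from the two required-permission tables.
# Keys after ":" distinguish the variants the tables list separately.
METHOD_PERMISSIONS = {
    "allocateIds": {"datastore.entities.allocateIds"},
    "beginTransaction": {"datastore.databases.get"},
    "rollback": {"datastore.databases.get"},
    "commit:insert": {"datastore.entities.create"},
    "commit:upsert": {"datastore.entities.create", "datastore.entities.update"},
    "commit:update": {"datastore.entities.update"},
    "commit:delete": {"datastore.entities.delete"},
    "lookup": {"datastore.entities.get"},
    "runQuery": {"datastore.entities.list", "datastore.entities.get"},
    "runQuery:keysOnly": {"datastore.entities.list"},
    "lookup:__Stat_*__": {"datastore.statistics.get"},
    "runQuery:__Stat_*__": {"datastore.statistics.get", "datastore.statistics.list"},
    "runQuery:__namespace__": {"datastore.namespaces.get", "datastore.namespaces.list"},
}


def has_permission(granted, permission):
    """True if `permission` is covered by any granted entry, expanding '*'."""
    return any(fnmatch.fnmatchcase(permission, entry) for entry in granted)


def permissions_for(roles):
    """Union of the permission entries of all given roles (unknown role -> KeyError)."""
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS[role]
    return granted


def missing_permissions(roles, method):
    """Permissions a principal with `roles` still lacks for `method`; empty means allowed."""
    granted = permissions_for(roles)
    return {p for p in METHOD_PERMISSIONS[method] if not has_permission(granted, p)}


def allowed_methods(roles):
    """Sorted list of API calls fully covered by `roles`."""
    return sorted(m for m in METHOD_PERMISSIONS if not missing_permissions(roles, m))


if __name__ == "__main__":
    for role in ROLE_PERMISSIONS:
        print(f"{role}: {allowed_methods([role])}")
```

Running the script lists, for each role, exactly the data-plane calls it covers. Two things the tables imply but do not spell out fall out directly: roles/datastore.user, despite being a read/write role, cannot read the __Stat_*__ entities because it carries no datastore.statistics permissions, and roles/datastore.indexAdmin covers none of the entity methods at all, which is what makes it a safe grant for an index-deployment pipeline.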

Permissions

The following table lists the permissions that Cloud Datastore supports.

Database permission name            Description
datastore.databases.create          Create a database.
datastore.databases.delete          Delete a database.
datastore.databases.export          Export entities from a database.
datastore.databases.get             Begin or roll back a transaction; read metadata from a database.
datastore.databases.getIamPolicy    Read the IAM policy for a database.
datastore.databases.import          Import entities into a database.
datastore.databases.list            List the databases in a project.
datastore.databases.setIamPolicy    Update the IAM policy for a database.
datastore.databases.update          Update a database.

Entity permission name              Description
datastore.entities.allocateIds      Allocate IDs for keys with an incomplete key path.
datastore.entities.create           Create an entity.
datastore.entities.delete           Delete an entity.
datastore.entities.get              Read an entity.
datastore.entities.list             List the keys of entities in a project (datastore.entities.get is required to access the entity data).
datastore.entities.update           Update an entity.

Index permission name               Description
datastore.indexes.create            Create an index.
datastore.indexes.delete            Delete an index.
datastore.indexes.get               Read metadata from an index.
datastore.indexes.list              List the indexes in a project.
datastore.indexes.update            Update an index.

Namespace permission name           Description
datastore.namespaces.get            Retrieve metadata from a namespace.
datastore.namespaces.getIamPolicy   Read the IAM policy for a namespace.
datastore.namespaces.list           List the namespaces in a project.
datastore.namespaces.setIamPolicy   Update the IAM policy for a namespace.

Operation permission name           Description
datastore.operations.cancel         Cancel a long-running operation.
datastore.operations.delete         Delete a long-running operation.
datastore.operations.get            Get the latest state of a long-running operation.
datastore.operations.list           List long-running operations.

Project permission name             Description
resourcemanager.projects.get        Browse resources in the project.
resourcemanager.projects.list       List owned projects.

Statistics permission name          Description
datastore.statistics.get            Retrieve statistics entities.
datastore.statistics.list           List the keys of statistics entities (datastore.statistics.get is required to access the statistics entity data).

App Engine permission name          Description
appengine.applications.get          Read-only access to all App Engine application configuration and settings.

Role change latency

Cloud Datastore caches IAM permissions for 5 minutes, so a role change can take up to 5 minutes to become effective. This applies to revocations as well as grants: a principal whose role has just been removed may keep its previous access for up to 5 minutes.

Managing Cloud Datastore IAM

You can get and set IAM policies using the Google Cloud Platform Console, the IAM methods, or the gcloud command-line tool. Because roles are additive, reviewing the current policy before adding a binding avoids granting a member a broader role than it already holds.
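A policy retrieved with the tooling above can be reviewed offline for the Cloud Datastore bindings it contains. The following is an added example, not Google's code or a Cloud IAM API: it parses a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns (a `bindings` list of `role`/`members` pairs, plus `etag` and `version`) and flags two things this page's role table makes worth a second look: a Datastore role bound to the public members `allUsers` or `allAuthenticatedUsers`, and roles/datastore.owner bound to a service account, where the page describes roles/datastore.user as the role intended for service accounts. The sample policy, its member names and its etag are constructed for the example.

```python
"""Audit a project IAM policy for Cloud Datastore role bindings.

Added example (not Google's code). The input is a JSON policy in the shape
returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`.
"""
import json

# Constructed sample policy; the members and etag are made up for this example.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {
            "role": "roles/datastore.owner",
            "members": [
                "user:alice@example.com",
                "serviceAccount:app@example-project.iam.gserviceaccount.com",
            ],
        },
        {
            "role": "roles/datastore.viewer",
            "members": ["allAuthenticatedUsers", "group:analysts@example.com"],
        },
        {
            "role": "roles/datastore.indexAdmin",
            "members": ["user:bob@example.com"],
        },
        {
            "role": "roles/viewer",
            "members": ["user:carol@example.com"],
        },
    ],
    "etag": "BwExampleEtagValue=",
    "version": 1,
})

# The Cloud Datastore roles listed on this page.
DATASTORE_ROLES = {
    "roles/datastore.owner",
    "roles/datastore.user",
    "roles/datastore.viewer",
    "roles/datastore.importExportAdmin",
    "roles/datastore.indexAdmin",
}

# IAM member identifiers that grant access to everyone / every Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def datastore_bindings(policy_json):
    """Return only the bindings whose role is a Cloud Datastore role."""
    policy = json.loads(policy_json)
    return [b for b in policy.get("bindings", []) if b.get("role") in DATASTORE_ROLES]


def audit_policy(policy_json):
    """Return (finding, role, member) tuples for bindings worth reviewing.

    public-member:            a Datastore role granted to allUsers/allAuthenticatedUsers
    owner-on-service-account: roles/datastore.owner on a service account, where the
                              page recommends roles/datastore.user for service accounts
    """
    findings = []
    for binding in datastore_bindings(policy_json):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("public-member", role, member))
            if role == "roles/datastore.owner" and member.startswith("serviceAccount:"):
                findings.append(("owner-on-service-account", role, member))
    return findings


if __name__ == "__main__":
    for finding, role, member in audit_policy(SAMPLE_POLICY):
        print(f"{finding}: {role} -> {member}")
```

Feed the script the output of the gcloud command named above (or the equivalent Console or API export) instead of the constructed sample, and remember the caching note from the previous section: a binding removed in response to a finding can remain effective for up to 5 minutes.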
