Applying IAM Roles

This page describes how to grant Cloud Spanner IAM permissions for a database, instance, or Google Cloud Platform project to an account.

For information on GCP roles, see Understanding Roles, and for more information on Cloud Spanner roles, see Access Control: Roles.

Database-level permissions

Verify that you can add permissions

Before you attempt to apply database-level permissions, check that you have sufficient permissions to apply roles to another account. You need permissions at the project, instance, or database level.

  1. Go to your project's IAM page.


  2. Select your project in the drop-down list in the toolbar.

  3. Select Members as the View by option.
  4. Find your account in the list. If your account is listed as Owner or Editor in the Role column, you have sufficient permissions. If not, continue to the next step.
  5. Go to the Cloud Spanner Instances page.


  6. Select the checkbox for the instance that contains your database.
    The Info panel appears on the right-hand side of the page.

  7. In the Permissions tab of the Info panel, expand the member lists and find your account. If your account is listed as Owner, Editor, Cloud Spanner Admin, or Cloud Spanner Database Admin, you have sufficient permissions. If not, continue to the next step.
  8. Click on the instance name to go to the Instance details page.
  9. Click Show Info panel on the right-hand side of the page.
  10. In the Overview tab of the page, select the checkbox for your database.
  11. In the Permissions tab of the Info panel, expand the member lists and find your account. If your account is listed as Owner, Editor, Cloud Spanner Admin, or Cloud Spanner Database Admin, you have sufficient permissions.

If you do not have sufficient permissions at the project, instance, or database level, ask the project's owner to grant you additional permissions.

Add database-level permissions

Use the following steps to apply roles for Cloud Spanner to an individual database in a project.

  1. Go to the Cloud Spanner Instances page.


  2. Select your project in the drop-down list in the toolbar.

  3. Click the name of the instance that contains your database to go to the Instance details page.
  4. In the Overview tab, select the checkbox for your database.
    The Info panel appears.
  5. Click the Permissions tab in the Info panel.
  6. In the Add members box in the Info panel, enter the email address for the account that you want to add.
  7. Select one or more roles in the drop-down list.
  8. Click Add.

Instance-level permissions

Verify that you can add permissions

Before you attempt to apply instance-level permissions, check that you have sufficient permissions to apply roles to another account. You need permissions at the project or instance level.

  1. Go to your project's IAM page.


  2. Select your project in the drop-down list in the toolbar.

  3. Select Members as the View by option.
  4. Find your account in the list. If your account is listed as Owner or Editor in the Role column, you have sufficient permissions. If not, continue to the next step.
  5. Go to the Cloud Spanner Instances page.


  6. Select the checkbox for the instance.
    The Info panel appears on the right-hand side of the page.

  7. In the Permissions tab of the Info panel, expand the member lists and find your account. If your account is listed as Owner, Editor, Cloud Spanner Admin, or Cloud Spanner Database Admin, you have sufficient permissions.

If you do not have sufficient permissions at the project or instance level, ask the project's owner to grant you additional permissions.

Add instance-level permissions

Use the following steps to apply roles for Cloud Spanner to an instance in a project.

  1. Go to the Cloud Spanner Instances page.


  2. Select your project in the drop-down list in the toolbar.

  3. Select the checkbox for the instance.
    The Info panel appears on the right-hand side of the page.
  4. Click the Permissions tab in the Info panel.
  5. In the Add members box in the Info panel, enter the email address for the account that you want to add.
  6. Select one or more roles in the drop-down list.
  7. Click Add.

Project-level permissions

You can also grant IAM permissions for an entire GCP project to an account in the IAM page of the GCP Console. Adding permissions at the project level grants the IAM permissions to an account for all Cloud Spanner instances and databases in the project.

Verify that you can add permissions

Before you attempt to apply project-level permissions, check that you have sufficient permissions to apply roles to another account. You need permissions at the project level.

  1. Go to your project's IAM page.


  2. Select your project in the drop-down list in the toolbar.

  3. Select Members as the View by option.
  4. Find your account in the list. If your account is listed as Owner or Editor in the Role column, you have sufficient permissions.

If you do not have sufficient permissions at the project level, ask the project's owner to grant you additional permissions.
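
The three "Verify that you can add permissions" procedures above (database, instance, and project) apply the same rule, shown here as an added example that is not part of the original documentation. It assumes policy documents in the JSON shape returned by `gcloud projects get-iam-policy`, `gcloud spanner instances get-iam-policy`, and `gcloud spanner databases get-iam-policy` with `--format=json`; the accounts and policies are constructed, and the role IDs are the IAM identifiers for the console role names.

```python
# Role IDs for the console names the page lists as sufficient at each level:
# Owner, Editor, Cloud Spanner Admin, Cloud Spanner Database Admin.
PROJECT_OK = {"roles/owner", "roles/editor"}
SPANNER_OK = PROJECT_OK | {"roles/spanner.admin", "roles/spanner.databaseAdmin"}
SUFFICIENT = {"project": PROJECT_OK, "instance": SPANNER_OK, "database": SPANNER_OK}
LEVELS = ("project", "instance", "database")  # broadest scope first


def roles_for(policy, member):
    """Roles bound directly to `member` in one IAM policy document."""
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }


def can_grant(policies, member, target):
    """Walk project -> instance -> database, stopping at `target`.

    Returns (level, role) for the first sufficient binding, or None.
    Group membership is not expanded: only direct bindings are matched.
    """
    for level in LEVELS[: LEVELS.index(target) + 1]:
        hit = roles_for(policies.get(level, {}), member) & SUFFICIENT[level]
        if hit:
            return level, sorted(hit)[0]
    return None


# Constructed sample policies (hypothetical accounts, not real resources).
POLICIES = {
    "project": {"bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": "roles/viewer", "members": ["user:dana@example.com"]},
    ]},
    "instance": {"bindings": [
        {"role": "roles/spanner.databaseAdmin", "members": ["user:dana@example.com"]},
    ]},
    "database": {"bindings": [
        {"role": "roles/spanner.databaseReader", "members": ["user:eve@example.com"]},
    ]},
}

if __name__ == "__main__":
    for who in ("user:owner@example.com", "user:dana@example.com", "user:eve@example.com"):
        for target in LEVELS:
            print(who, target, can_grant(POLICIES, who, target))
```

The output also shows which scope a sufficient role was found at, which helps when reviewing whether a project-wide grant could be narrowed to a single instance or database.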

Add project-level permissions to accounts that already have project-level permissions

  1. Go to your project's IAM page.


  2. Select your project in the drop-down list in the toolbar.

  3. Select Members as the View by option.
  4. Find the account in the list and click Edit.
  5. On the Edit permissions page, click Add Another Role.
  6. Select a role in the drop-down list.
  7. Click Save.

Add project-level permissions to accounts that do not already have project-level permissions

  1. Go to your project's IAM page.


  2. Select your project in the drop-down list in the toolbar.

  3. Click the Add button below the toolbar.
  4. In the New members box, enter the email for the account that you want to add.
  5. Select a role in the drop-down list.
  6. Click Save.

For more information, see Granting, Changing, and Revoking Access.
