This page describes how to grant Spanner Identity and Access Management (IAM) permissions to an account for a Google Cloud project, instance, database, or backup.
For information on Google Cloud roles, see Understanding roles, and for more information on Spanner roles, see Access control: roles.
Project-level permissions
You can grant IAM permissions for an entire Google Cloud project to an account in the IAM page of the Google Cloud console. Adding permissions at the project level grants the IAM permissions to an account for all Spanner instances, databases, and backups in the project.
Verify that you can add permissions
Before you attempt to apply project-level permissions, check that you have sufficient permissions to apply roles to another account. You need permissions at the project level.
Go to your project's IAM page.
Select Principals as the View by option.
Find your account in the list. If your account is listed as Owner or Editor in the Role column, you have sufficient permissions.
If you don't have sufficient permissions at the project level, ask the project's owner to grant you additional permissions.
Grant permissions to principals
Go to your project's IAM page.
Select Principals as the View by option.
Find the account in the list and click Edit.
On the Edit permissions page, click Add Another Role.
Select a role in the drop-down list.
Click Save.
Add principals to the project
Go to your project's IAM page.
Click the Add button below the toolbar.
In the New principals box, enter the email for the account that you want to add.
Select a role in the drop-down list.
Click Save.
For more information, see Granting, changing, and revoking access.
Instance-level permissions
You can grant instance-level IAM permissions to an account in the IAM page of the Google Cloud console.
Verify that you can add permissions
Before you attempt to apply instance-level permissions, check that you have sufficient permissions to apply roles to another account. You need permissions at the project or instance level.
Go to your project's IAM page.
Select Principals as the View by option.
Find your account in the list. If your account is listed as Owner, Editor, or Cloud Spanner Admin in the Role column, you have sufficient permissions. If not, continue to the next step.
Go to the Spanner Instances page.
Select the checkbox for the instance.
In the Permissions tab of the Info panel, expand the principal lists and find your account. If your account is listed as Owner, Editor, or Spanner Admin, you have sufficient permissions.
If you don't have sufficient permissions at the project or instance level, ask the project's owner to grant you additional permissions.
Add instance-level permissions
Use the following steps to apply roles for Spanner to an instance in a project.
Go to the Spanner Instances page.
Select the checkbox for the instance.
Click the Permissions tab in the Info panel.
In the Add principals box in the Info panel, enter the email address for the account that you want to add.
Select one or more roles in the drop-down list.
Click Add.
Database-level permissions
You can grant database-level IAM permissions to an account in the IAM page of the Google Cloud console.
Verify that you can add permissions
Before you attempt to apply database-level permissions, check that you have sufficient permissions to apply roles to another account. You need permissions at the project, instance, or database level.
Go to your project's IAM page.
Select Principals as the View by option.
Find your account in the list. If your account is listed as Owner, Editor, Cloud Spanner Admin, or Cloud Spanner Database Admin in the Role column, you have sufficient permissions. If not, continue to the next step.
Go to the Spanner Instances page.
Select the checkbox for the instance that contains your database.
In the Permissions tab of the Info panel, expand the principal lists and find your account. If your account is listed as Owner, Editor, Spanner Admin, or Spanner Database Admin, you have sufficient permissions. If not, continue to the next step.
Click the instance name to go to the Instance details page.
Click Show Info panel.
In the Overview tab of the page, select the checkbox for your database.
In the Permissions tab of the Info panel, expand the principal lists and find your account. If your account is listed as Owner, Editor, Spanner Admin, or Spanner Database Admin, you have sufficient permissions.
If you don't have sufficient permissions at the project, instance, or database level, ask the project's owner to grant you additional permissions.
Add database-level permissions
Follow these steps to grant access to database-level roles for a principal.
Go to the Spanner Instances page.
Click the name of the instance that contains your database to go to the Instance details page.
In the Overview tab, select the checkbox for your database.
The Info panel appears.
Click Add principal.
In the Add principals panel, in New principals, enter the email address for the account that you want to add.
Select one or more roles in the drop-down list.
Click Save.
Remove database-level permissions
Follow these steps to remove database-level roles from a principal.
Go to the Spanner Instances page.
Click the name of the instance that contains your database to go to the Instance details page.
In the Overview tab, select the checkbox for your database.
The Info panel appears.
In the Info panel, under Role/Principal, locate the database-level role that you want to remove, and expand it.
A list of principals who have this role is shown.
Click the trash icon adjacent to the principal from whom you want to remove the role.
In the confirmation dialog, select the checkbox and click REMOVE.
Backup-level permissions
You can grant backup-level IAM permissions to an account in the IAM page of the Google Cloud console.
Verify that you can add permissions
Before you attempt to apply backup-level permissions, check that you have sufficient permissions to apply roles to another account. You need permissions at the project, instance, or backup level.
Go to your project's IAM page.
Select Principals as the View by option.
Find your account in the list. If your account is listed as Owner, Editor, Cloud Spanner Admin, or Cloud Spanner Backup Admin in the Role column, you have sufficient permissions. If not, continue to the next step.
Go to the Spanner Instances page.
Select the checkbox for the instance that contains your backup.
In the Permissions tab of the Info panel, expand the principal lists and find your account. If your account is listed as Owner, Editor, Spanner Admin, or Spanner Backup Admin, you have sufficient permissions. If not, continue to the next step.
Click the instance name to go to the Instance details page.
Click the Backup/Restore tab and select your backup from the Backup table.
Click Show Info Panel.
In the Info panel, find your account. If your account is listed as Owner, Editor, Cloud Spanner Admin, or Cloud Spanner Backup Admin in the Role column, you have sufficient permissions.
If you don't have sufficient permissions at the project or instance level, ask the project's owner to grant you additional permissions.
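The database-level and backup-level verification steps above both check the project first, then the instance, then the resource itself; that walk can be scripted over exported IAM policies. This is an added example, not part of the original page: it assumes policies in the JSON shape returned by get-iam-policy, maps the display names listed above to the IAM role IDs shown in the code, uses constructed sample data, and evaluates direct bindings only (no group membership or IAM conditions).

```python
"""Mirror the page's "Verify that you can add permissions" walk over IAM policies."""

BASE = {"roles/owner", "roles/editor"}
# Roles the page lists as sufficient, keyed by the resource being administered.
# Role IDs are an assumption: the IAM identifiers for the page's display names.
SUFFICIENT = {
    "project": BASE,
    "instance": BASE | {"roles/spanner.admin"},
    "database": BASE | {"roles/spanner.admin", "roles/spanner.databaseAdmin"},
    "backup": BASE | {"roles/spanner.admin", "roles/spanner.backupAdmin"},
}
# Levels the page checks for each target, broadest first.
LEVELS = {
    "project": ["project"],
    "instance": ["project", "instance"],
    "database": ["project", "instance", "database"],
    "backup": ["project", "instance", "backup"],
}

def roles_for(policy, member):
    """Roles bound directly to `member` in one IAM policy document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def can_grant(target, member, policies):
    """Return (level, role) of the first sufficient binding, or None.

    `policies` maps a level name to its policy dict; a missing level
    is treated as an empty policy.
    """
    for level in LEVELS[target]:
        hits = roles_for(policies.get(level, {}), member) & SUFFICIENT[target]
        if hits:
            return level, sorted(hits)[0]
    return None

# Constructed sample policies (not taken from any real project).
SAMPLE = {
    "project": {"bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
        {"role": "roles/spanner.admin", "members": ["user:carol@example.com"]}]},
    "instance": {"bindings": [
        {"role": "roles/spanner.databaseAdmin", "members": ["user:alice@example.com"]}]},
    "database": {"bindings": [
        {"role": "roles/spanner.databaseReader", "members": ["user:bob@example.com"]}]},
}

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, can_grant("database", f"user:{who}@example.com", SAMPLE))
```

A result at the project level means the same account can also administer every other instance, database, and backup in the project, which is worth noting when reviewing who holds these roles.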
Add backup-level permissions
Use the following steps to apply roles for Spanner to an individual backup in a project.
Go to the Spanner Instances page.
Click the name of the instance that contains your backup to go to the Instance details page.
In the Backup/Restore tab, select your backup.
The Info panel appears.
Click the Permissions tab in the Info panel.
In the Add principals box in the Info panel, enter the email address for the account that you want to add.
Select one or more roles in the drop-down list.
Click Add.