Applying IAM roles

This page describes how to grant Cloud Spanner IAM permissions for a Google Cloud project, instance, database, or backup to an account.

For information on Google Cloud roles, see Understanding roles, and for more information on Cloud Spanner roles, see Access control: roles.

Project-level permissions

You can grant IAM permissions for an entire Google Cloud project to an account in the IAM page of the Cloud Console. Adding permissions at the project level grants the IAM permissions to an account for all Cloud Spanner instances, databases, and backups in the project.

Verify that you can add permissions

Before you attempt to apply project-level permissions, check that you have sufficient permissions to apply roles to another account. You need permissions at the project level.

  1. Go to your project's IAM page.

    Go to the IAM page

  2. Select Members as the View by option.

  3. Find your account in the list. If your account is listed as Owner or Editor in the Role column, you have sufficient permissions.

If you do not have sufficient permissions at the project level, ask the project's owner to grant you additional permissions.

Grant permissions to members

  1. Go to your project's IAM page.

    Go to the IAM page

  2. Select Members as the View by option.

  3. Find the account in the list and click Edit Screenshot of edit UI element.

  4. On the Edit permissions page, click Add Another Role.

  5. Select a role in the drop-down list.

  6. Click Save.

Add members to the project

  1. Go to your project's IAM page.

    Go to the IAM page

  2. Click the Add button below the toolbar.

  3. In the New members box, enter the email for the account that you want to add.

  4. Select a role in the drop-down list.

  5. Click Save.

For more information, see Granting, changing, and revoking access.

Instance-level permissions

Verify that you can add permissions

Before you attempt to apply instance-level permissions at the instance level, check that you have sufficient permissions to apply roles to another account. You need permissions at the project or instance level.

  1. Go to your project's IAM page.

    Go to the IAM page

  2. Select Members as the View by option.

  3. Find your account in the list. If your account is listed as Owner, Editor, or Cloud Spanner Admin in the Role column, you have sufficient permissions. If not, continue to the next step.

  4. Go to the Cloud Spanner Instances page.

    Go to the instances page

  5. Select the checkbox for the instance.
    The Info panel appears on the right-hand side of the page.

  6. In the Permissions tab of the Info panel, expand the member lists and find your account. If your account is listed as Owner, Editor, or Cloud Spanner Admin, you have sufficient permissions.

If you do not have sufficient permissions at the project or instance level, ask the project's owner to grant you additional permissions.

Add instance-level permissions

Use the following steps to apply roles for Cloud Spanner to an instance in a project.

  1. Go to the Cloud Spanner Instances page.

    Go to the instances page

  2. Select the checkbox for the instance.
    The Info panel appears on the right-hand side of the page.

  3. Click the Permissions tab in the Info panel.

  4. In the Add members box in the Info panel, enter the email address for the account that you want to add.

  5. Select one or more roles in the drop-down list.

  6. Click Add.

Database-level permissions

Verify that you can add permissions

Before you attempt to apply database-level permissions, check that you have sufficient permissions to apply roles to another account. You need permissions at the project, instance, or database level.

  1. Go to your project's IAM page.

    Go to the IAM page

  2. Select Members as the View by option.

  3. Find your account in the list. If your account is listed as Owner, Editor, Cloud Spanner Admin, or Cloud Spanner Database Admin in the Role column, you have sufficient permissions. If not, continue to the next step.

  4. Go to the Cloud Spanner Instances page.

    Go to the instances page

  5. Select the checkbox for the instance that contains your database.
    The Info panel appears on the right-hand side of the page.

  6. In the Permissions tab of the Info panel, expand the member lists and find your account. If your account is listed as Owner, Editor, Cloud Spanner Admin or Cloud Spanner Database Admin, you have sufficient permissions. If not, continue to the next step.

  7. Click on the instance name to go to the Instance details page.

  8. Click Show Info panel on the right-hand side of the page.

  9. In the Overview tab of the page, select the checkbox for your database.

  10. In the Permissions tab of the Info panel, expand the member lists and find your account. If your account is listed as Owner, Editor, Cloud Spanner Admin, or Cloud Spanner Database Admin, you have sufficient permissions.

If you do not have sufficient permissions at the project, instance, or database level, ask the project's owner to grant you additional permissions.

Add database-level permissions

Use the following steps to apply roles for Cloud Spanner to an individual database in a project.

  1. Go to the Cloud Spanner Instances page.

    Go to the instances page

  2. Click the name of the instance that contains your database to go to the Instance details page.

  3. In the Overview tab, select the checkbox for your database.
    The Info panel appears.

  4. Click the Permissions tab in the Info panel.

  5. In the Add members box in the Info panel, enter the email address for the account that you want to add.

  6. Select one or more roles in the drop-down list.

  7. Click Add.

Backup-level permissions

Verify that you can add permissions

Before you attempt to apply backup-level permissions, check that you have sufficient permissions to apply roles to another account. You need permissions at the project, instance, or backup.

  1. Go to your project's IAM page.

    Go to the IAM page

  2. Select Members as the View by option.

  3. Find your account in the list. If your account is listed as Owner, Editor, Cloud Spanner Admin, Cloud Spanner Backup Admin in the Role column, you have sufficient permissions. If not, continue to the next step.

  4. Go to the Cloud Spanner Instances page.

    Go to the instances page

  5. Select the checkbox for the instance that contains your backup.
    The Info panel appears on the right-hand side of the page.

  6. In the Permissions tab of the Info panel, expand the member lists and find your account. If your account is listed as Owner, Editor, Cloud Spanner Admin or Cloud Spanner Backup Admin, you have sufficient permissions. If not, continue to the next step.

  7. Click on the instance name to go to the Instance details page.

  8. Click on the Backup/Restore tab and select your backup from the Backup table.

  9. Click Show Info Panel on the right.

  10. In the Info Panel find your account. If your account is listed as Owner, Editor, Cloud Spanner Admin, or Cloud Spanner Backup Admin in the Role column, you have sufficient permissions.

If you do not have sufficient permissions at the project or instance level, ask the project's owner to grant you additional permissions.

Add backup-level permissions

Use the following steps to apply roles for Cloud Spanner to an individual backup in a project.

  1. Go to the Cloud Spanner Instances page.

    Go to the instances page

  2. Click the name of the instance that contains your backup to go to the Instance details page.

  3. In the Backup/Restore tab, select your backup.
    The Info panel appears.

  4. Click the Permissions tab in the Info panel.

  5. In the Add members box in the Info panel, enter the email address for the account that you want to add.

  6. Select one or more roles in the drop-down list.

  7. Click Add.