This page lists the Identity and Access Management (IAM) predefined roles and permissions for AlloyDB. For a complete list of IAM roles and permissions for AlloyDB, see AlloyDB for PostgreSQL roles and permissions.
In order to assign these roles and permissions to an IAM account:

- The Cloud Resource Manager API must be enabled in the Google Cloud project.
- You must have the `roles/owner` (Owner) basic IAM role in the Google Cloud project, or a role that grants these permissions:
  - `resourcemanager.projects.get`
  - `resourcemanager.projects.getIamPolicy`
  - `resourcemanager.projects.setIamPolicy`

  To gain these permissions while following the principle of least privilege, ask your administrator to grant you the `roles/resourcemanager.projectIamAdmin` (Project IAM Admin) role.
Predefined AlloyDB IAM roles
The following table lists the predefined roles available for AlloyDB, along with their AlloyDB permissions:

| Predefined role name | Description | AlloyDB permissions |
|---|---|---|
| `roles/alloydb.admin` (Cloud AlloyDB Admin) | Full control for all AlloyDB resources. | `alloydb.*` |
| `roles/alloydb.client` (Cloud AlloyDB Client) | Connectivity access to AlloyDB instances from clients. | `alloydb.clusters.generateClientCertificate`, `alloydb.clusters.get`, `alloydb.instances.connect`, `alloydb.instances.get` |
| `roles/alloydb.databaseUser` (Cloud AlloyDB Database User) | Authenticated database-user access to AlloyDB instances. | `alloydb.clusters.get`, `alloydb.instances.get`, `alloydb.users.login`, `alloydb.instances.executeSql` |
| `roles/alloydb.viewer` (Cloud AlloyDB Viewer) | Read-only access to all AlloyDB resources. | `alloydb.*.get`, `alloydb.*.getIamPolicy`, `alloydb.*.list` |
AlloyDB IAM permissions and their roles
The following table lists each permission that AlloyDB supports and the predefined AlloyDB roles that include it.
| Permission | AlloyDB roles |
|---|---|
| `alloydb.backups.create` | Cloud AlloyDB Admin |
| `alloydb.backups.createTagBinding` | Cloud AlloyDB Admin |
| `alloydb.backups.delete` | Cloud AlloyDB Admin |
| `alloydb.backups.deleteTagBinding` | Cloud AlloyDB Admin |
| `alloydb.backups.get` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.backups.getIamPolicy` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.backups.list` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.backups.listTagBindings` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.backups.listEffectiveTags` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.backups.setIamPolicy` | Cloud AlloyDB Admin |
| `alloydb.backups.update` | Cloud AlloyDB Admin |
| `alloydb.clusters.create` | Cloud AlloyDB Admin |
| `alloydb.clusters.createTagBinding` | Cloud AlloyDB Admin |
| `alloydb.clusters.delete` | Cloud AlloyDB Admin |
| `alloydb.clusters.deleteTagBinding` | Cloud AlloyDB Admin |
| `alloydb.clusters.failover` | Cloud AlloyDB Admin |
| `alloydb.clusters.generateClientCertificate` | Cloud AlloyDB Admin, Cloud AlloyDB Client |
| `alloydb.clusters.get` | Cloud AlloyDB Admin, Cloud AlloyDB Client, Cloud AlloyDB Viewer |
| `alloydb.clusters.getIamPolicy` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.clusters.import` | Cloud AlloyDB Admin |
| `alloydb.clusters.list` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.clusters.listTagBindings` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.clusters.listEffectiveTags` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.clusters.setIamPolicy` | Cloud AlloyDB Admin |
| `alloydb.clusters.update` | Cloud AlloyDB Admin |
| `alloydb.databases.list` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.instances.connect` | Cloud AlloyDB Admin, Cloud AlloyDB Client |
| `alloydb.instances.create` | Cloud AlloyDB Admin |
| `alloydb.instances.delete` | Cloud AlloyDB Admin |
| `alloydb.instances.executeSql` | Cloud AlloyDB Admin, Cloud AlloyDB Database User |
| `alloydb.instances.failover` | Cloud AlloyDB Admin |
| `alloydb.instances.get` | Cloud AlloyDB Admin, Cloud AlloyDB Client, Cloud AlloyDB Database User, Cloud AlloyDB Viewer |
| `alloydb.instances.getIamPolicy` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.instances.list` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.instances.restart` | Cloud AlloyDB Admin |
| `alloydb.instances.setIamPolicy` | Cloud AlloyDB Admin |
| `alloydb.instances.update` | Cloud AlloyDB Admin |
| `alloydb.locations.get` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.locations.list` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.operations.cancel` | Cloud AlloyDB Admin |
| `alloydb.operations.delete` | Cloud AlloyDB Admin |
| `alloydb.operations.get` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.operations.list` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.supportedDatabaseFlags.get` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.supportedDatabaseFlags.getIamPolicy` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.supportedDatabaseFlags.list` | Cloud AlloyDB Admin, Cloud AlloyDB Viewer |
| `alloydb.supportedDatabaseFlags.setIamPolicy` | Cloud AlloyDB Admin |
| `alloydb.users.list` | Cloud AlloyDB Admin, Cloud AlloyDB Client |
| `alloydb.users.get` | Cloud AlloyDB Admin, Cloud AlloyDB Client |
| `alloydb.users.create` | Cloud AlloyDB Admin |
| `alloydb.users.update` | Cloud AlloyDB Admin |
| `alloydb.users.delete` | Cloud AlloyDB Admin |
| `alloydb.users.login` | Cloud AlloyDB Admin, Cloud AlloyDB Database User |