This page provides an overview of how to manage database users in AlloyDB for PostgreSQL, and how to enable Identity and Access Management (IAM) authentication for those database users.
How database user management works
AlloyDB shares the same concepts of roles, users, and groups as PostgreSQL. For a brief explanation, see the following descriptions:
- Role: the top-level designation that describes both database users and groups of database users across a cluster. Roles provide, and restrict, access to database objects, such as tables and functions.
- User: a role that's given the LOGIN attribute. Users can authenticate and sign in to AlloyDB database clusters.
- Group: a role that's granted to one or more users. The purpose of groups is to control the privileges that many users have as a whole.
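The role, user, and group distinction above maps directly onto PostgreSQL statements. The following is an added example, not from the AlloyDB documentation: a group role that holds read-only privileges, a login user that holds none of its own, and the membership grant that connects them, followed by catalog queries that verify the result. The names app_readers, app_user, and the database app are hypothetical; the password is a placeholder.

```sql
-- Added example (not from the AlloyDB documentation). Names are hypothetical.

-- Group: a role without LOGIN that exists only to hold privileges.
CREATE ROLE app_readers NOLOGIN;
GRANT CONNECT ON DATABASE app TO app_readers;        -- assumes a database named "app"
GRANT USAGE ON SCHEMA public TO app_readers;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO app_readers;
-- Tables created later by the granting role are covered too.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO app_readers;

-- User: a role with LOGIN. It is granted no object privileges directly.
CREATE ROLE app_user LOGIN PASSWORD 'replace-with-a-generated-secret';

-- Membership is how the user acquires the group's privileges, and revoking
-- membership is how they are taken away again without touching the tables.
GRANT app_readers TO app_user;

-- Verify role attributes: only app_user should be able to log in, and neither
-- role should have CREATEROLE or CREATEDB.
SELECT rolname, rolcanlogin, rolcreaterole, rolcreatedb
FROM pg_roles
WHERE rolname IN ('app_readers', 'app_user')
ORDER BY rolname;

-- Verify membership: app_user should appear as a member of app_readers.
SELECT m.rolname AS member, g.rolname AS member_of
FROM pg_auth_members AS am
JOIN pg_roles AS m ON m.oid = am.member
JOIN pg_roles AS g ON g.oid = am.roleid
WHERE m.rolname = 'app_user';
```

Keeping object privileges on the group and only membership on the user means a user's access is reviewed and changed in one place (pg_auth_members), which is easier to audit than privileges scattered across individual logins.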
How database authentication works
To authenticate and sign in to your AlloyDB database clusters, you have two options:
- Built-in PostgreSQL password-based authentication: to verify user identity, AlloyDB compares the provided credentials against stored, hashed passwords. The supported methods include md5, scram-sha-256, and password.
- IAM authentication: lets database users authenticate using IAM. This provides enhanced security and centralizes access control across other Google Cloud services.
Predefined roles
PostgreSQL provides predefined roles with various privileges. In addition to these predefined roles, AlloyDB provides several more predefined user and group roles.
The following table lists the roles, and role privileges, that AlloyDB provides:
| Role name | Privileges | 
|---|---|
| alloydbsuperuser | CREATEROLE, CREATEDB, and LOGIN. |
| postgres | CREATEROLE, CREATEDB, and LOGIN. |
| alloydbimportexport | CREATEROLE and CREATEDB. |
| alloydbagent | CREATEROLE and CREATEDB. |
| alloydbreplica | REPLICATION | 
| alloydbiamuser | By default, this role doesn't have any privileges. | 
The following subsections explain the uses of these roles.
alloydbsuperuser group role
alloydbsuperuser lets you set up your database system and perform other superuser tasks. This role has the following privileges:
- Create extensions that require superuser privileges
- Create event triggers
- Create replication users
- Create replication publications and subscriptions
As a managed service, AlloyDB doesn't let you grant users the PostgreSQL superuser role. Instead, you can give any database user AlloyDB superuser privileges by granting them the alloydbsuperuser role.
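Because alloydbsuperuser is the closest thing to superuser that AlloyDB exposes, the set of users holding it is worth granting deliberately and reviewing regularly. The following is an added example, not from the AlloyDB documentation: granting the group role to one administrative user and then listing every login-capable role that holds it, directly or through another group. The user name dba_alice is hypothetical.

```sql
-- Added example (not from the AlloyDB documentation). dba_alice is hypothetical.

-- Grant AlloyDB superuser privileges through group membership, as the page
-- describes; there is no SUPERUSER attribute to set on a managed cluster.
GRANT alloydbsuperuser TO dba_alice;

-- Audit: every role that can log in and holds alloydbsuperuser, including
-- membership inherited through an intermediate group. pg_has_role with
-- 'MEMBER' checks the membership chain, not just direct grants.
SELECT r.rolname
FROM pg_roles AS r
WHERE r.rolcanlogin
  AND pg_has_role(r.oid, 'alloydbsuperuser', 'MEMBER')
ORDER BY r.rolname;

-- Audit: roles with CREATEROLE or CREATEDB, since those can create further
-- roles and databases and so deserve the same scrutiny.
SELECT rolname, rolcreaterole, rolcreatedb
FROM pg_roles
WHERE rolcreaterole OR rolcreatedb
ORDER BY rolname;

-- Remove the elevated membership once the administrative task is finished.
REVOKE alloydbsuperuser FROM dba_alice;
```

Running the two audit queries on a schedule and comparing against an expected list catches grants that were made for a one-off task and never revoked.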
postgres user role
The postgres user role is part of alloydbsuperuser. When you create an AlloyDB cluster, you assign a password to postgres. Then, you sign in to your system using postgres to perform tasks such as creating databases or additional roles.
alloydbimportexport user role
When you create an AlloyDB cluster, AlloyDB creates alloydbimportexport with the minimal set of privileges it requires for import and export operations.
You have the option to create your own users to perform these operations. If you don't create a custom alloydbimportexport user, the system uses the default alloydbimportexport user for import and export operations.
alloydbimportexport is a system user. This means that you can't directly use the alloydbimportexport user to sign in or perform other operations in your PostgreSQL databases.
alloydbagent user role
The alloydbagent role is an internal AlloyDB system role. The AlloyDB service manages the role and you can't manually grant it to database accounts. This management ensures that the database and its features function correctly.
alloydbreplica user role
The alloydbreplica role is an internal AlloyDB system role. The AlloyDB service manages the role and you can't manually grant it to database accounts. This management ensures that the database and its features function correctly.
alloydbiamuser group role
Database users within the alloydbiamuser group authenticate with an AlloyDB instance by using IAM, instead of using built-in PostgreSQL password-based authentication.
AlloyDB doesn't let you grant alloydbiamuser to users using the GRANT PostgreSQL command or similar methods. Instead, you can use AlloyDB administrative tools to create and manage IAM-based database users. For more information, see Manage IAM authentication.
What's next
- Learn how to manage PostgreSQL roles, users, and groups for AlloyDB using built-in authentication.
- Learn how to manage IAM authentication.