About database user management in AlloyDB for PostgreSQL

This page provides an overview of how to manage database users in AlloyDB for PostgreSQL, and how to enable Identity and Access Management (IAM) authentication for these database users.

How database user management works

AlloyDB shares the same concepts of roles, users, and groups as PostgreSQL. For a brief explanation, see the following descriptions:

  • Role: Top-level designation that describes both database users and groups of database users across a cluster. Roles provide, and restrict, access to database objects, such as tables and functions.

  • User: Role that is given the LOGIN attribute. Users can authenticate and sign into AlloyDB database clusters.

  • Group: Role that is granted to one or more users. The purpose of groups is to control the privileges that many users have as a whole.

How database authentication works

To authenticate and sign into your AlloyDB database clusters, you have two options:

  • Standard PostgreSQL password-based authentication: Verifies user identity by comparing provided credentials against stored, hashed passwords. The supported methods include md5, scram-sha-256, and password.
  • IAM authentication: Lets database users authenticate using IAM for enhanced security and centralized access control across other Google Cloud services.

Predefined roles

PostgreSQL provides predefined roles with various privileges. In addition to these predefined roles, AlloyDB provides several more predefined user and group roles.

The following table lists the roles, and the privileges of each role, that AlloyDB provides.

Role name            Privileges
alloydbsuperuser     CREATEROLE, CREATEDB, and LOGIN.
postgres             CREATEROLE, CREATEDB, and LOGIN.
alloydbimportexport  CREATEROLE and CREATEDB.
alloydbagent         CREATEROLE and CREATEDB.
alloydbreplica       REPLICATION.
alloydbiamuser       By default, this role does not have any privileges.

The following subsections explain what some of these roles are meant for.

alloydbsuperuser group role

alloydbsuperuser lets you set up your database system and perform other superuser tasks. This role has the following privileges:

  • Create extensions that require superuser privileges
  • Create event triggers
  • Create replication users
  • Create replication publications and subscriptions

As a managed service, AlloyDB does not let you grant users the PostgreSQL superuser role. Instead, you can give any database user AlloyDB superuser privileges by granting them the alloydbsuperuser role.
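The role, user and group concepts described earlier, together with granting alloydbsuperuser, expressed as standard PostgreSQL statements. This is an added example, not code from the AlloyDB documentation; the schema name app and the role names app_readers, reporting_user and dba_alice are assumptions chosen for illustration.

```sql
-- Added example (not from the AlloyDB documentation). Names such as the
-- schema "app", app_readers, reporting_user and dba_alice are assumptions.

-- 1. A group role: no LOGIN attribute, so it can never authenticate by itself.
CREATE ROLE app_readers NOLOGIN;

-- Privileges attach to the group, not to individual users.
GRANT USAGE ON SCHEMA app TO app_readers;
GRANT SELECT ON ALL TABLES IN SCHEMA app TO app_readers;
-- Tables created later in "app" receive the same grant automatically.
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT SELECT ON TABLES TO app_readers;

-- 2. A user: a role with the LOGIN attribute, authenticated with a password.
--    Access is obtained through group membership, so revoking the group
--    later removes it in one step.
CREATE ROLE reporting_user LOGIN PASSWORD 'replace-with-a-strong-password';
GRANT app_readers TO reporting_user;

-- 3. AlloyDB superuser privileges come from membership in the
--    alloydbsuperuser group role, not from the PostgreSQL SUPERUSER attribute,
--    which the managed service does not hand out.
CREATE ROLE dba_alice LOGIN PASSWORD 'replace-with-a-strong-password';
GRANT alloydbsuperuser TO dba_alice;

-- 4. Audit: which roles can log in, and which of them are members of
--    alloydbsuperuser. Membership in alloydbsuperuser should be the exception,
--    so this list is worth reviewing regularly.
SELECT r.rolname,
       r.rolcanlogin,
       r.rolcreaterole,
       r.rolcreatedb,
       EXISTS (
         SELECT 1
         FROM pg_auth_members m
         JOIN pg_roles g ON g.oid = m.roleid
         WHERE m.member = r.oid
           AND g.rolname = 'alloydbsuperuser'
       ) AS is_alloydb_superuser
FROM pg_roles r
WHERE r.rolname NOT LIKE 'pg\_%'
ORDER BY is_alloydb_superuser DESC, r.rolname;
```

Run the statements as postgres or another member of alloydbsuperuser, since creating roles requires CREATEROLE.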

postgres user role

The postgres user role is part of alloydbsuperuser. When you create an AlloyDB cluster, you assign a password to postgres. Then, you sign in to your system using postgres to perform tasks such as creating databases or additional roles.

alloydbimportexport user role

When you create an AlloyDB cluster, AlloyDB creates alloydbimportexport with the minimal set of privileges that are required for import and export operations.

You have the option to create your own users to perform these operations. If you don't create a custom alloydbimportexport user, the system uses the default alloydbimportexport user for import and export operations.

alloydbimportexport is a system user. This means you cannot use the alloydbimportexport user directly to sign in or to perform other operations in your PostgreSQL databases.

alloydbiamuser group role

Database users within the alloydbiamuser group authenticate with an AlloyDB instance by using IAM, instead of using standard PostgreSQL password-based authentication.

AlloyDB does not let you grant alloydbiamuser to users by using the PostgreSQL GRANT command or similar methods. Instead, you use AlloyDB administrative tools to create and manage IAM-based database users. For more information, see Manage IAM authentication.
