IAM roles and permissions for AlloyDB

This page lists the IAM predefined roles and permissions for AlloyDB.

In order to assign these roles and permissions to an IAM account:

  • The Cloud Resource Manager API must be enabled in the Google Cloud project.

    Enable the API

  • You must have the roles/owner (Owner) basic IAM role in the Google Cloud project, or a role that grants these permissions:
    • resourcemanager.projects.get
    • resourcemanager.projects.getIamPolicy
    • resourcemanager.projects.setIamPolicy

    To gain these permissions while following the principle of least privilege, ask your administrator to grant you the roles/resourcemanager.projectIamAdmin (Project IAM Admin) role.

Predefined AlloyDB IAM roles

The following table lists the predefined roles available for AlloyDB, along with their AlloyDB permissions:

Predefined role name Description
AlloyDB permissions
roles/alloydb.admin
Cloud AlloyDB Admin

Full control for all AlloyDB resources.

alloydb.*
roles/alloydb.client
Cloud AlloyDB Client

Connectivity access to AlloyDB instances from clients.

alloydb.clusters.generateClientCertificate
alloydb.clusters.get
alloydb.instances.connect
alloydb.instances.get
roles/alloydb.databaseUser
Cloud AlloyDB Database User

Authenticated database-user access to AlloyDB instances.

alloydb.clusters.get
alloydb.instances.get
alloydb.users.login
alloydb.instances.executeSql
roles/alloydb.viewer
Cloud AlloyDB Viewer

Read-only access to all AlloyDB resources.

alloydb.*.get
alloydb.*.getIamPolicy
alloydb.*.list

AlloyDB IAM permissions and their roles

The following table lists each permission that AlloyDB supports and the predefined AlloyDB roles that include it.

Permission AlloyDB roles
alloydb.backups.create Cloud AlloyDB Admin
alloydb.backups.createTagBinding Cloud AlloyDB Admin
alloydb.backups.delete Cloud AlloyDB Admin
alloydb.backups.deleteTagBinding Cloud AlloyDB Admin
alloydb.backups.get Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.backups.getIamPolicy Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.backups.list Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.backups.listTagBindings Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.backups.listEffectiveTags Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.backups.setIamPolicy Cloud AlloyDB Admin
alloydb.backups.update Cloud AlloyDB Admin
alloydb.clusters.create Cloud AlloyDB Admin
alloydb.clusters.createTagBinding Cloud AlloyDB Admin
alloydb.clusters.delete Cloud AlloyDB Admin
alloydb.clusters.deleteTagBinding Cloud AlloyDB Admin
alloydb.clusters.failover Cloud AlloyDB Admin
alloydb.clusters.generateClientCertificate Cloud AlloyDB Admin
Cloud AlloyDB Client
alloydb.clusters.get Cloud AlloyDB Admin
Cloud AlloyDB Client
Cloud AlloyDB Viewer
alloydb.clusters.getIamPolicy Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.clusters.import Cloud AlloyDB Admin
alloydb.clusters.list Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.clusters.listTagBindings Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.clusters.listEffectiveTags Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.clusters.setIamPolicy Cloud AlloyDB Admin
alloydb.clusters.update Cloud AlloyDB Admin
alloydb.databases.list Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.instances.connect Cloud AlloyDB Admin
Cloud AlloyDB Client
alloydb.instances.create Cloud AlloyDB Admin
alloydb.instances.delete Cloud AlloyDB Admin
alloydb.instances.executeSql Cloud AlloyDB Admin
Cloud AlloyDB Database User
alloydb.instances.failover Cloud AlloyDB Admin
alloydb.instances.get Cloud AlloyDB Admin
Cloud AlloyDB Client
Cloud AlloyDB Database User
Cloud AlloyDB Viewer
alloydb.instances.getIamPolicy Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.instances.list Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.instances.restart Cloud AlloyDB Admin
alloydb.instances.setIamPolicy Cloud AlloyDB Admin
alloydb.instances.update Cloud AlloyDB Admin
alloydb.locations.get Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.locations.list Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.users.login Cloud AlloyDB Database User
alloydb.operations.cancel Cloud AlloyDB Admin
alloydb.operations.delete Cloud AlloyDB Admin
alloydb.operations.get Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.operations.list Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.supportedDatabaseFlags.get Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.supportedDatabaseFlags.getIamPolicy Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.supportedDatabaseFlags.list Cloud AlloyDB Admin
Cloud AlloyDB Viewer
alloydb.supportedDatabaseFlags.setIamPolicy Cloud AlloyDB Admin
alloydb.users.list Cloud AlloyDB Admin
Cloud AlloyDB Client
alloydb.users.get Cloud AlloyDB Admin
Cloud AlloyDB Client
alloydb.users.create Cloud AlloyDB Admin
alloydb.users.update Cloud AlloyDB Admin
alloydb.users.delete Cloud AlloyDB Admin
alloydb.users.login Cloud AlloyDB Admin
Cloud AlloyDB Database User