IAM roles and permissions for AlloyDB

This page lists the Identity and Access Management (IAM) predefined roles and permissions for AlloyDB. For a complete list of IAM roles and permissions for AlloyDB, see AlloyDB for PostgreSQL roles and permissions.

In order to assign these roles and permissions to an IAM account:

The Cloud Resource Manager API must be enabled in the Google Cloud project.

Enable the API
You must have the roles/owner (Owner) basic IAM role in the Google Cloud project, or a role that grants these permissions:
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.setIamPolicy
To gain these permissions while following the principle of least privilege, ask your administrator to grant you the roles/resourcemanager.projectIamAdmin (Project IAM Admin) role.

Predefined AlloyDB IAM roles

The following table lists the predefined roles available for AlloyDB, along with their AlloyDB permissions:

Predefined role name	Description AlloyDB permissions
`roles/alloydb.admin` AlloyDB Admin	Full control for all AlloyDB resources. `alloydb.*`
`roles/alloydb.client` AlloyDB Client	Connectivity access to AlloyDB instances from clients. `alloydb.clusters.generateClientCertificate` `alloydb.clusters.get` `alloydb.instances.connect` `alloydb.instances.get`
`roles/alloydb.databaseUser` AlloyDB Database User	Authenticated database-user access to AlloyDB instances. `alloydb.clusters.get` `alloydb.instances.get` `alloydb.users.login` `alloydb.instances.executeSql`
`roles/alloydb.viewer` AlloyDB Viewer	Read-only access to all AlloyDB resources. `alloydb..get` `alloydb..getIamPolicy` `alloydb.*.list`

AlloyDB IAM permissions and their roles

The following table lists each permission that AlloyDB supports and the predefined AlloyDB roles that include it.

Permission	AlloyDB roles
`alloydb.backups.create`	AlloyDB Admin
`alloydb.backups.createTagBinding`	AlloyDB Admin
`alloydb.backups.delete`	AlloyDB Admin
`alloydb.backups.deleteTagBinding`	AlloyDB Admin
`alloydb.backups.get`	AlloyDB Admin AlloyDB Viewer
`alloydb.backups.getIamPolicy`	AlloyDB Admin AlloyDB Viewer
`alloydb.backups.list`	AlloyDB Admin AlloyDB Viewer
`alloydb.backups.listTagBindings`	AlloyDB Admin AlloyDB Viewer
`alloydb.backups.listEffectiveTags`	AlloyDB Admin AlloyDB Viewer
`alloydb.backups.setIamPolicy`	AlloyDB Admin
`alloydb.backups.update`	AlloyDB Admin
`alloydb.clusters.create`	AlloyDB Admin
`alloydb.clusters.createTagBinding`	AlloyDB Admin
`alloydb.clusters.delete`	AlloyDB Admin
`alloydb.clusters.deleteTagBinding`	AlloyDB Admin
`alloydb.clusters.failover`	AlloyDB Admin
`alloydb.clusters.generateClientCertificate`	AlloyDB Admin AlloyDB Client
`alloydb.clusters.get`	AlloyDB Admin AlloyDB Client AlloyDB Viewer
`alloydb.clusters.getIamPolicy`	AlloyDB Admin AlloyDB Viewer
`alloydb.clusters.import`	AlloyDB Admin
`alloydb.clusters.list`	AlloyDB Admin AlloyDB Viewer
`alloydb.clusters.listTagBindings`	AlloyDB Admin AlloyDB Viewer
`alloydb.clusters.listEffectiveTags`	AlloyDB Admin AlloyDB Viewer
`alloydb.clusters.setIamPolicy`	AlloyDB Admin
`alloydb.clusters.update`	AlloyDB Admin
`alloydb.databases.list`	AlloyDB Admin AlloyDB Viewer
`alloydb.instances.connect`	AlloyDB Admin AlloyDB Client
`alloydb.instances.create`	AlloyDB Admin
`alloydb.instances.delete`	AlloyDB Admin
`alloydb.instances.executeSql`	AlloyDB Admin AlloyDB Database User
`alloydb.instances.failover`	AlloyDB Admin
`alloydb.instances.get`	AlloyDB Admin AlloyDB Client AlloyDB Database User AlloyDB Viewer
`alloydb.instances.getIamPolicy`	AlloyDB Admin AlloyDB Viewer
`alloydb.instances.list`	AlloyDB Admin AlloyDB Viewer
`alloydb.instances.restart`	AlloyDB Admin
`alloydb.instances.setIamPolicy`	AlloyDB Admin
`alloydb.instances.update`	AlloyDB Admin
`alloydb.locations.get`	AlloyDB Admin AlloyDB Viewer
`alloydb.locations.list`	AlloyDB Admin AlloyDB Viewer
`alloydb.operations.cancel`	AlloyDB Admin
`alloydb.operations.delete`	AlloyDB Admin
`alloydb.operations.get`	AlloyDB Admin AlloyDB Viewer
`alloydb.operations.list`	AlloyDB Admin AlloyDB Viewer
`alloydb.supportedDatabaseFlags.get`	AlloyDB Admin AlloyDB Viewer
`alloydb.supportedDatabaseFlags.getIamPolicy`	AlloyDB Admin AlloyDB Viewer
`alloydb.supportedDatabaseFlags.list`	AlloyDB Admin AlloyDB Viewer
`alloydb.supportedDatabaseFlags.setIamPolicy`	AlloyDB Admin
`alloydb.users.list`	AlloyDB Admin AlloyDB Client
`alloydb.users.get`	AlloyDB Admin AlloyDB Client
`alloydb.users.create`	AlloyDB Admin
`alloydb.users.update`	AlloyDB Admin
`alloydb.users.delete`	AlloyDB Admin
`alloydb.users.login`	AlloyDB Admin AlloyDB Database User