Using Spanner in a virtual machine instance
This page describes how to grant your Compute Engine virtual machine instance permission to access a Spanner database.
Your instance can access the Cloud Spanner API from Compute Engine by using a service account to act on your behalf. The service account provides application default credentials for your applications so that you don't need to configure each Compute Engine instance to use your personal user credentials.
Configure the service account on your instance with one of the following options:
- For easy development and testing, configure your instance to use the default service account with full access to all Cloud APIs.
- For production environments, create a service account with read and write access to your Spanner databases and apply it to your instance.
Configure an instance with access to all Cloud APIs
To quickly allow your instance to access the Cloud Spanner API, create a new instance to use the default service account and a scope with full access to all Cloud APIs.
Go to the Compute Engine VM instances page.
Select your project and click Continue.
Click Create Instance to start creating a new instance.
In the Identity and API access section, click Allow full access to all Cloud APIs.
Configure other instance settings as needed, then click Create.
Now that the service account on your Compute Engine instance has access to the Cloud Spanner API, use a client library to read and write data in your Spanner database. The instance uses the credentials from the default service account to authenticate with the Cloud Spanner API.
Configure an instance with a service account
To restrict instance access to specific APIs and roles, create a service account with permission only to access your Spanner databases. Then, apply the service account to your instance.
Select a service account that will act on your behalf to access Spanner. Use one of the following options:
- Create a new service account.
- Identify an existing service account that you can use for your instance.
Grant a role to the service account so that it has the necessary permissions to access Spanner. For a list of roles that apply to Spanner, see Access Control for Spanner.
Go to the Compute Engine VM instances page.
Select your project and click Continue.
Click Create Instance to start creating a new instance.
In the Identity and API access section, select the service account from the list under Service account.
Configure other instance settings as needed, then click Create.
Now that the service account on your Compute Engine instance has access to the Cloud Spanner API, use a client library to read and write data in your Spanner database. The instance uses the service account credentials to authenticate with the Cloud Spanner API.
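To check which of the two configurations above an instance actually runs with, the following added example (not part of the original page) classifies instance resources by service account and scope. The sample JSON is constructed in the shape of `gcloud compute instances list --format=json`; the finding labels and function names are hypothetical.

```python
import json

# Scope URL that corresponds to "Allow full access to all Cloud APIs".
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Compute Engine default service accounts are named PROJECT_NUMBER-compute@...
DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"

# Constructed sample data; project number and account names are made up.
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "dev-box", "serviceAccounts": [
    {"email": "123456789012-compute@developer.gserviceaccount.com",
     "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "orders-api", "serviceAccounts": [
    {"email": "spanner-app@example-project.iam.gserviceaccount.com",
     "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "batch-worker", "serviceAccounts": []}
]
""")


def classify(instance):
    """Return (instance name, finding label) for one instance resource."""
    accounts = instance.get("serviceAccounts") or []
    if not accounts:
        return instance["name"], "no-service-account"
    sa = accounts[0]  # an instance carries a single service account
    if sa.get("email", "").endswith(DEFAULT_SA_SUFFIX):
        if CLOUD_PLATFORM_SCOPE in sa.get("scopes", []):
            # The development and testing option described above.
            return instance["name"], "default-sa-full-access"
        return instance["name"], "default-sa-limited-scopes"
    # Dedicated account: its Spanner access is bounded by the IAM roles
    # granted to it, which this offline check cannot see.
    return instance["name"], "dedicated-sa"


def production_violations(instances):
    """Names of instances still using the development and testing option."""
    return [name for name, finding in map(classify, instances)
            if finding == "default-sa-full-access"]


if __name__ == "__main__":
    for name, finding in map(classify, SAMPLE_INSTANCES):
        print(f"{name}: {finding}")
```

Instances reported as `dedicated-sa` still need their granted roles reviewed against the list in Access Control for Spanner.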
What's next
- Connect to your instance and follow a client library tutorial to learn how to read and write data to Spanner from your instance.
- Learn more about service accounts on Compute Engine and how you can use them to grant Identity and Access Management (IAM) roles and API access scopes to the applications that run on your instances.
- Learn how to change service accounts on existing instances.
- Learn more about creating and starting a Compute Engine instance.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.