Apply IAM roles
This page describes how to grant Spanner Identity and Access Management (IAM) permissions to an account for a Google Cloud project, instance, database, or backup.
For information on Google Cloud roles, see Understanding roles, and for more information on Spanner roles, see Access control: roles.
Note: If your account doesn't have sufficient permissions, you won't be able to view some of the items in the following directions. In this case, ask your project's owner to grant you additional permissions.
Project-level permissions
You can grant IAM permissions for an entire Google Cloud project to an account in the IAM page of the Google Cloud console. Adding permissions at the project level grants the IAM permissions to an account for all Spanner instances, databases, and backups in the project.
Verify that you can add permissions
Before you attempt to apply project-level permissions, check that you have sufficient permissions to apply roles to another account. You need permissions at the project level.
Go to your project's IAM page.
Select Principals as the View by option.
Find your account in the list. If your account is listed as Owner or Editor in the Role column, you have sufficient permissions.
If you don't have sufficient permissions at the project level, ask the project's owner to grant you additional permissions.
Grant permissions to principals
Go to your project's IAM page.
Select Principals as the View by option.
Find the account in the list and click Edit.
On the Edit permissions page, click Add Another Role.
Select a role in the drop-down list.
Click Save.
Add principals to the project
Go to your project's IAM page.
Click the Add button below the toolbar.
In the New principals box, enter the email for the account that you want to add.
Select a role in the drop-down list.
Click Save.
For more information, see Granting, changing, and revoking access.
Instance-level permissions
You can grant instance-level IAM permissions to an account in the IAM page of the Google Cloud console.
Verify that you can add permissions
Before you attempt to apply instance-level permissions, check that you have sufficient permissions to apply roles to another account. You need permissions at the project or instance level.
Go to your project's IAM page.
Select Principals as the View by option.
Find your account in the list. If your account is listed as Owner, Editor, or Cloud Spanner Admin in the Role column, you have sufficient permissions. If not, continue to the next step.
Go to the Spanner Instances page.
Select the checkbox for the instance.
In the Permissions tab of the Info panel, expand the principal lists and find your account. If your account is listed as Owner, Editor, or Spanner Admin, you have sufficient permissions.
If you don't have sufficient permissions at the project or instance level, ask the project's owner to grant you additional permissions.
Add instance-level permissions
Use the following steps to apply roles for Spanner to an instance in a project.
Go to the Spanner Instances page.
Select the checkbox for the instance.
Click the Permissions tab in the Info panel.
In the Add principals box in the Info panel, enter the email address for the account that you want to add.
Select one or more roles in the drop-down list.
Click Add.
Database-level permissions
You can grant database-level IAM permissions to an account in the IAM page of the Google Cloud console.
Verify that you can add permissions
Before you attempt to apply database-level permissions, check that you have sufficient permissions to apply roles to another account. You need permissions at the project, instance, or database level.
Go to your project's IAM page.
Select Principals as the View by option.
Find your account in the list. If your account is listed as Owner, Editor, Cloud Spanner Admin, or Cloud Spanner Database Admin in the Role column, you have sufficient permissions. If not, continue to the next step.
Go to the Spanner Instances page.
Select the checkbox for the instance that contains your database.
In the Permissions tab of the Info panel, expand the principal lists and find your account. If your account is listed as Owner, Editor, Spanner Admin or Spanner Database Admin, you have sufficient permissions. If not, continue to the next step.
Click the instance name to go to the Instance details page.
Click Show Info panel.
In the Overview tab of the page, select the checkbox for your database.
In the Permissions tab of the Info panel, expand the principal lists and find your account. If your account is listed as Owner, Editor, Spanner Admin, or Spanner Database Admin, you have sufficient permissions.
If you don't have sufficient permissions at the project, instance, or database level, ask the project's owner to grant you additional permissions.
Add database-level permissions
Follow these steps to grant access to database-level roles for a principal.
Go to the Spanner Instances page.
Click the name of the instance that contains your database to go to the Instance details page.
In the Overview tab, select the checkbox for your database. The Info panel appears.
Click Add principal.
In the Add principals panel, in New principals, enter the email address for the account that you want to add.
Select one or more roles in the drop-down list.
Click Save.
Remove database-level permissions
Follow these steps to remove database-level roles from a principal.
Note: This procedure assumes that you know the role that you want to remove from a principal. If you don't know which roles a principal has, use the IAM Google Cloud console to first view the roles that a principal has, and then revoke the roles. For details, see Revoke a single role.
Go to the Spanner Instances page.
Click the name of the instance that contains your database to go to the Instance details page.
In the Overview tab, select the checkbox for your database. The Info panel appears.
In the Info panel, under Role/Principal, locate the database-level role that you want to remove, and expand it.
A list of principals who have this role is shown.
Click the trash icon adjacent to the principal from whom you want to remove the role.
In the confirmation dialog, select the checkbox and click REMOVE.
Backup-level permissions
You can grant backup-level IAM permissions to an account in the IAM page of the Google Cloud console.
Verify that you can add permissions
Before you attempt to apply backup-level permissions, check that you have sufficient permissions to apply roles to another account. You need permissions at the project, instance, or backup level.
Go to your project's IAM page.
Select Principals as the View by option.
Find your account in the list. If your account is listed as Owner, Editor, Cloud Spanner Admin, or Cloud Spanner Backup Admin in the Role column, you have sufficient permissions. If not, continue to the next step.
Go to the Spanner Instances page.
Select the checkbox for the instance that contains your backup.
In the Permissions tab of the Info panel, expand the principal lists and find your account. If your account is listed as Owner, Editor, Spanner Admin or Spanner Backup Admin, you have sufficient permissions. If not, continue to the next step.
Click the instance name to go to the Instance details page.
Click the Backup/Restore tab and select your backup from the Backup table.
Click Show Info Panel.
In the Info Panel find your account. If your account is listed as Owner, Editor, Cloud Spanner Admin, or Cloud Spanner Backup Admin in the Role column, you have sufficient permissions.
If you don't have sufficient permissions at the project or instance level, ask the project's owner to grant you additional permissions.
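The verification walk in the instance-, database- and backup-level sections above (check the project first, then each narrower level) can be run over exported IAM policy JSON when auditing who is able to grant roles. This is an added example, not Google's code: the function name and sample principals are hypothetical, the role IDs are the IAM identifiers for the display names the page lists, and the policies are constructed. It assumes direct membership only (groups are not expanded) and treats conditional bindings as needing manual review.

```python
"""Added example: the page's 'verify that you can add permissions' walk over IAM policy JSON."""

# IAM role IDs for the display names the page lists (Owner, Editor, Cloud Spanner Admin, ...).
BASE = {"roles/owner", "roles/editor", "roles/spanner.admin"}
SUFFICIENT = {
    "instance": BASE,
    "database": BASE | {"roles/spanner.databaseAdmin"},
    "backup": BASE | {"roles/spanner.backupAdmin"},
}


def find_granting_role(member, target, policies):
    """Return (level, role) for the first sufficient binding, or None.

    policies: list of (level, policy) ordered project -> instance -> target,
    the same order in which the page checks the console.
    """
    wanted = SUFFICIENT[target]
    for level, policy in policies:
        for binding in policy.get("bindings", []):
            if binding.get("condition"):
                continue  # a conditional grant may not apply; review it by hand
            if binding["role"] in wanted and member in binding.get("members", []):
                return level, binding["role"]
    return None


# Constructed sample policies (hypothetical principals), shaped like IAM policy JSON.
PROJECT = {"bindings": [
    {"role": "roles/viewer",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/spanner.admin", "members": ["user:carol@example.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
]}
INSTANCE = {"bindings": [
    {"role": "roles/spanner.databaseAdmin", "members": ["user:alice@example.com"]},
    {"role": "roles/spanner.backupAdmin", "members": ["user:bob@example.com"]},
]}
DATABASE = {"bindings": [
    {"role": "roles/spanner.databaseReader", "members": ["user:bob@example.com"]},
]}
CHAIN = [("project", PROJECT), ("instance", INSTANCE), ("database", DATABASE)]

if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com", "user:carol@example.com"):
        print(who, "->", find_granting_role(who, "database", CHAIN))
```

A `None` result for an account that is nonetheless granting roles is worth investigating: it usually means the authority comes through a group, a custom role, or a conditional binding that this check deliberately does not resolve.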
Add backup-level permissions
Use the following steps to apply roles for Spanner to an individual backup in a project.
Go to the Spanner Instances page.
Click the name of the instance that contains your backup to go to the Instance details page.
In the Backup/Restore tab, select your backup. The Info panel appears.
Click the Permissions tab in the Info panel.
In the Add principals box in the Info panel, enter the email address for the account that you want to add.
Select one or more roles in the drop-down list.
Click Add.
Last updated 2026-02-19 UTC.