Bigtable access control with IAM

This page describes the access control options in Bigtable.

Overview

Bigtable uses Identity and Access Management (IAM) for access control. You set IAM policies on resources to control who has what access to which resources.

Bigtable resources are organized in a hierarchy. A Google Cloud project is the parent of a Bigtable instance, which is the parent of its clusters and tables. A table is the parent of its authorized views, while a cluster is the parent of its backups. You can configure access control at each level.

If you have permissions at a level, then you automatically have those permissions below that level. For example, if you have access at the project level, then you have access to the instances, clusters, tables, authorized views, and continuous materialized views in that project. If you are granted access to an authorized view or a continuous materialized view, then you don't automatically have access to higher-level resources that are parents of the authorized view or continuous materialized view, such as the table and instance. This behavior is called policy inheritance.

For more information about IAM hierarchy, see IAM policy inheritance.

Here are some examples of using access control at the project level:

  • Allow a user to read from, but not write to, any table within the project.
  • Allow a user to read from and write to any table within the project, but not manage instances.
  • Allow a user to read from and write to any table within the project, and manage instances.

Examples of using access control at the instance level include the following:

  • Allow a user to read from any table in only one instance in a project that has multiple instances.
  • Allow a user to manage only one instance in a project that has multiple instances.

Examples of using access control at the table level include the following:

  • Allow a user to write to a table but not read from the table.
  • Allow a user to read from a table but not write to the table.

Examples of using access control at the backup level include the following:

  • Prevent a user from deleting a backup.
  • Prevent a user from restoring from the backup.

Examples of using access control at the authorized view level include the following:

  • Let a user read an authorized view but not modify it.
  • Let a user view data from only one of multiple authorized views of a table.

Examples of using access control at the continuous materialized view level include the following:

  • Let a user read from a continuous materialized view but not modify the underlying table.
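As an added example (not code from the Bigtable documentation), the following Python models the inheritance rule above over the resource hierarchy: a binding on a project, instance or table flows down to its descendants, while a binding on an authorized view grants nothing on the parent table. The role bundles are a constructed subset of the predefined roles listed later on this page, and every resource and principal name is made up.

```python
"""Model of IAM policy inheritance over the Bigtable resource hierarchy.

Added example, not code from the Bigtable documentation. The role bundles are
a constructed subset of the predefined roles on this page; every project,
instance, table, view and principal name below is made up.
"""
from fnmatch import fnmatchcase

# Constructed subset of the predefined role bundles. "bigtable.*" stands for
# every Bigtable permission, as in the Bigtable Administrator role.
ROLE_PERMISSIONS = {
    "roles/bigtable.viewer": {
        "bigtable.instances.get", "bigtable.instances.list",
        "bigtable.tables.get", "bigtable.tables.list",
    },
    "roles/bigtable.reader": {
        "bigtable.instances.get", "bigtable.instances.list",
        "bigtable.tables.get", "bigtable.tables.list",
        "bigtable.tables.readRows", "bigtable.authorizedViews.readRows",
    },
    "roles/bigtable.user": {
        "bigtable.instances.get", "bigtable.instances.list",
        "bigtable.tables.get", "bigtable.tables.list",
        "bigtable.tables.readRows", "bigtable.tables.mutateRows",
        "bigtable.authorizedViews.readRows", "bigtable.authorizedViews.mutateRows",
    },
    "roles/bigtable.admin": {"bigtable.*"},
}


def parent(resource):
    """Parent in the hierarchy: drop the trailing 'collection/id' pair, so
    projects/p/instances/i/tables/t -> projects/p/instances/i -> projects/p -> None."""
    parts = resource.split("/")
    return "/".join(parts[:-2]) if len(parts) > 2 else None


def effective_permissions(policies, resource, member):
    """Union of the permissions granted to member on resource or any ancestor.

    policies maps a resource name to its IAM policy in the shape get-iam-policy
    returns: {"bindings": [{"role": ..., "members": [...]}]}. Bindings on
    descendants are never consulted, so a grant on an authorized view says
    nothing about its parent table or instance (the inheritance rule above).
    """
    granted = set()
    node = resource
    while node is not None:
        for binding in policies.get(node, {}).get("bindings", []):
            if member in binding["members"]:
                granted |= ROLE_PERMISSIONS.get(binding["role"], set())
        node = parent(node)
    return granted


def has_permission(policies, resource, member, permission):
    """True if an effective permission (possibly a wildcard) covers permission."""
    return any(fnmatchcase(permission, pattern)
               for pattern in effective_permissions(policies, resource, member))


# Constructed policies with one binding at each level of the hierarchy.
PROJECT = "projects/example-project"
INSTANCE = PROJECT + "/instances/inst-a"
TABLE = INSTANCE + "/tables/orders"
VIEW = TABLE + "/authorizedViews/orders-public"
OTHER_TABLE = INSTANCE + "/tables/payments"
ALICE, BOB, CAROL = "user:alice@example.com", "user:bob@example.com", "user:carol@example.com"
APP_SA = "serviceAccount:app@example-project.iam.gserviceaccount.com"

POLICIES = {
    PROJECT: {"bindings": [{"role": "roles/bigtable.user", "members": [ALICE]},
                           {"role": "roles/bigtable.viewer", "members": [CAROL]}]},
    INSTANCE: {"bindings": [{"role": "roles/bigtable.admin", "members": [APP_SA]}]},
    TABLE: {"bindings": [{"role": "roles/bigtable.reader", "members": [BOB]}]},
    VIEW: {"bindings": [{"role": "roles/bigtable.reader", "members": [CAROL]}]},
}

if __name__ == "__main__":
    # A project-level grant flows down to every table in the project.
    print(has_permission(POLICIES, OTHER_TABLE, ALICE, "bigtable.tables.mutateRows"))  # True
    # A table-level grant also covers that table's authorized views.
    print(has_permission(POLICIES, VIEW, BOB, "bigtable.authorizedViews.readRows"))  # True
    # A view-level grant does not flow up to the parent table.
    print(has_permission(POLICIES, TABLE, CAROL, "bigtable.tables.readRows"))  # False
```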

For a detailed description of IAM and its features, see the IAM developer's guide. In particular, see Granting, Changing, and Revoking Access.

In Bigtable, you cannot grant access to the following types of principals:

For lists of the permissions and roles that Bigtable supports, see the following sections.

Enabling the Bigtable API

To view and assign Bigtable IAM roles, you must enable the Bigtable API for your project. You won't be able to see the Bigtable roles in the Google Cloud console until you enable the API.

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Permissions

This section summarizes the permissions that Bigtable supports.

Permissions allow users to perform specific actions on Bigtable resources. For example, the bigtable.instances.list permission allows users to list all of the Bigtable instances within a project. You don't grant permissions to users directly; instead, you assign each user a predefined role or custom role, which grants one or more permissions.

The following tables list the IAM permissions that are associated with Bigtable, giving each permission name followed by its description:

App profile permissions

  • bigtable.appProfiles.create: Create a Bigtable app profile.
  • bigtable.appProfiles.delete: Delete a Bigtable app profile.
  • bigtable.appProfiles.get: Get information about a Bigtable app profile.
  • bigtable.appProfiles.list: List an instance's Bigtable app profiles.
  • bigtable.appProfiles.update: Update the settings for a Bigtable app profile.

Backup permissions

  • bigtable.backups.create: Create a Bigtable backup.
  • bigtable.backups.delete: Delete a Bigtable backup.
  • bigtable.backups.get: Get information about a Bigtable backup.
  • bigtable.backups.getIamPolicy: Read a backup's access control lists (ACLs). Returned as IAM policies.
  • bigtable.backups.list: List Bigtable backups.
  • bigtable.backups.restore: Restore from a Bigtable backup.
  • bigtable.backups.testIamPermissions: Get the caller's permissions on a specified backup.
  • bigtable.backups.read: Read from a Bigtable backup.
  • bigtable.backups.setIamPolicy: Update backup ACLs.
  • bigtable.backups.update: Modify the expiration of a Bigtable backup.

Cluster permissions

  • bigtable.clusters.create: Create a Bigtable cluster.
  • bigtable.clusters.delete: Delete a Bigtable cluster.
  • bigtable.clusters.get: Get information about a Bigtable cluster.
  • bigtable.clusters.list: List an instance's Bigtable clusters.
  • bigtable.clusters.update: Update the settings for a Bigtable cluster.

Hot tablet permissions

  • bigtable.hotTablets.list: List hot tablets for a cluster.

Instance permissions

  • bigtable.instances.create: Create a Bigtable instance.
  • bigtable.instances.createTagBinding: Create a tag.
  • bigtable.instances.delete: Delete a Bigtable instance.
  • bigtable.instances.deleteTagBinding: Delete a tag.
  • bigtable.instances.get: Get information about a Bigtable instance.
  • bigtable.instances.getIamPolicy: Read instance access control lists (ACLs). Returned as IAM policies.
  • bigtable.instances.list: List a project's Bigtable instances.
  • bigtable.instances.listEffectiveTagBindings: List all tags in effect for an instance.
  • bigtable.instances.listTagBindings: List an instance's tags.
  • bigtable.instances.ping: Send channel priming requests.
  • bigtable.instances.executeQuery: Send ExecuteQuery and PrepareQuery requests to an instance.
  • bigtable.instances.setIamPolicy: Update ACLs.
  • bigtable.instances.update: Update the settings for a Bigtable instance.

Key Visualizer permissions

  • bigtable.keyvisualizer.get: Get Key Visualizer information about a table, including metadata about access patterns and row key distributions.
  • bigtable.keyvisualizer.list: List available Key Visualizer information for a table.

Location permissions

  • bigtable.locations.list: List Bigtable locations.

Table permissions

  • bigtable.tables.checkConsistency: Check if a replicated table is up to date.
  • bigtable.tables.create: Create a table.
  • bigtable.tables.delete: Delete a table.
  • bigtable.tables.generateConsistencyToken: Generate a token to check if a replicated table is up to date.
  • bigtable.tables.get: Get information about a table, including column families and their individual settings.
  • bigtable.tables.getIamPolicy: Read table ACLs. Returned as IAM policies.
  • bigtable.tables.list: List tables in an instance.
  • bigtable.tables.mutateRows: Modify rows within a table, or truncate the table.
  • bigtable.tables.readRows: Read rows from a table. This includes information about the table, such as column families and their individual settings.
  • bigtable.tables.sampleRowKeys: Get a sample of the row keys that are used in a table.
  • bigtable.tables.setIamPolicy: Update table ACLs.
  • bigtable.tables.undelete: Recover a deleted table.
  • bigtable.tables.update: Update the settings for a table, including column families and their individual settings.

Authorized view permissions

  • bigtable.authorizedViews.create: Create an authorized view.
  • bigtable.authorizedViews.delete: Delete an authorized view.
  • bigtable.authorizedViews.get: Get information about an authorized view.
  • bigtable.authorizedViews.getIamPolicy: View access control for an authorized view. Returned as IAM policies.
  • bigtable.authorizedViews.list: List authorized views in a table.
  • bigtable.authorizedViews.mutateRows: Modify rows within an authorized view.
  • bigtable.authorizedViews.readRows: Read rows from an authorized view.
  • bigtable.authorizedViews.sampleRowKeys: Get a sample of the row keys that are used in an authorized view.
  • bigtable.authorizedViews.setIamPolicy: Update access control policies for an authorized view.
  • bigtable.authorizedViews.update: Update the settings for an authorized view.

Continuous materialized view permissions

  • bigtable.materializedViews.create: Create a continuous materialized view.
  • bigtable.materializedViews.delete: Delete a continuous materialized view.
  • bigtable.materializedViews.get: Get information about a continuous materialized view.
  • bigtable.materializedViews.getIamPolicy: View access control for a continuous materialized view. Returned as IAM policies.
  • bigtable.materializedViews.list: List continuous materialized views in an instance.
  • bigtable.materializedViews.readRows: Read rows from a continuous materialized view.
  • bigtable.materializedViews.sampleRowKeys: Get a sample of the row keys that are used in a continuous materialized view.
  • bigtable.materializedViews.setIamPolicy: Update access control policies for a continuous materialized view.
  • bigtable.materializedViews.update: Update the settings for a continuous materialized view.

Predefined roles

Each predefined role is a bundle of one or more permissions. For example, roles/bigtable.reader provides read-only access to information about Bigtable instances, clusters, tables, and column families, as well as the data contained within your tables. You assign roles to users or groups, which allows them to perform actions on the resources in your project.

The following table lists the predefined roles for Bigtable, including a list of the permissions associated with each role:

Role / Permissions

Bigtable Administrator

(roles/bigtable.admin)

Administers all Bigtable instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators.

Lowest-level resources where you can grant this role:

  • Table

bigtable.*

  • bigtable.appProfiles.create
  • bigtable.appProfiles.delete
  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.appProfiles.update
  • bigtable.authorizedViews.create
  • bigtable.authorizedViews.createTagBinding
  • bigtable.authorizedViews.delete
  • bigtable.authorizedViews.deleteTagBinding
  • bigtable.authorizedViews.get
  • bigtable.authorizedViews.getIamPolicy
  • bigtable.authorizedViews.list
  • bigtable.authorizedViews.listEffectiveTags
  • bigtable.authorizedViews.listTagBindings
  • bigtable.authorizedViews.mutateRows
  • bigtable.authorizedViews.readRows
  • bigtable.authorizedViews.sampleRowKeys
  • bigtable.authorizedViews.setIamPolicy
  • bigtable.authorizedViews.update
  • bigtable.backups.create
  • bigtable.backups.delete
  • bigtable.backups.get
  • bigtable.backups.getIamPolicy
  • bigtable.backups.list
  • bigtable.backups.read
  • bigtable.backups.restore
  • bigtable.backups.setIamPolicy
  • bigtable.backups.update
  • bigtable.clusters.create
  • bigtable.clusters.delete
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.clusters.update
  • bigtable.hotTablets.list
  • bigtable.instances.create
  • bigtable.instances.createTagBinding
  • bigtable.instances.delete
  • bigtable.instances.deleteTagBinding
  • bigtable.instances.executeQuery
  • bigtable.instances.get
  • bigtable.instances.getIamPolicy
  • bigtable.instances.list
  • bigtable.instances.listEffectiveTags
  • bigtable.instances.listTagBindings
  • bigtable.instances.ping
  • bigtable.instances.setIamPolicy
  • bigtable.instances.update
  • bigtable.keyvisualizer.get
  • bigtable.keyvisualizer.list
  • bigtable.locations.list
  • bigtable.logicalViews.create
  • bigtable.logicalViews.delete
  • bigtable.logicalViews.get
  • bigtable.logicalViews.getIamPolicy
  • bigtable.logicalViews.list
  • bigtable.logicalViews.readRows
  • bigtable.logicalViews.setIamPolicy
  • bigtable.logicalViews.update
  • bigtable.materializedViews.create
  • bigtable.materializedViews.delete
  • bigtable.materializedViews.get
  • bigtable.materializedViews.getIamPolicy
  • bigtable.materializedViews.list
  • bigtable.materializedViews.readRows
  • bigtable.materializedViews.sampleRowKeys
  • bigtable.materializedViews.setIamPolicy
  • bigtable.materializedViews.update
  • bigtable.schemaBundles.create
  • bigtable.schemaBundles.delete
  • bigtable.schemaBundles.get
  • bigtable.schemaBundles.getIamPolicy
  • bigtable.schemaBundles.list
  • bigtable.schemaBundles.setIamPolicy
  • bigtable.schemaBundles.update
  • bigtable.tables.checkConsistency
  • bigtable.tables.create
  • bigtable.tables.delete
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.getIamPolicy
  • bigtable.tables.list
  • bigtable.tables.mutateRows
  • bigtable.tables.readRows
  • bigtable.tables.sampleRowKeys
  • bigtable.tables.setIamPolicy
  • bigtable.tables.undelete
  • bigtable.tables.update

cloudkms.keyHandles.*

  • cloudkms.keyHandles.create
  • cloudkms.keyHandles.get
  • cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.timeSeries.*

  • monitoring.timeSeries.create
  • monitoring.timeSeries.list

resourcemanager.projects.get

Bigtable Reader

(roles/bigtable.reader)

Provides read-only access to the data stored within Bigtable tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios.

Lowest-level resources where you can grant this role:

  • Table

bigtable.appProfiles.get

bigtable.appProfiles.list

bigtable.authorizedViews.get

bigtable.authorizedViews.list

bigtable.authorizedViews.readRows

bigtable.authorizedViews.sampleRowKeys

bigtable.backups.get

bigtable.backups.list

bigtable.clusters.get

bigtable.clusters.list

bigtable.hotTablets.list

bigtable.instances.executeQuery

bigtable.instances.get

bigtable.instances.list

bigtable.instances.ping

bigtable.keyvisualizer.*

  • bigtable.keyvisualizer.get
  • bigtable.keyvisualizer.list

bigtable.locations.list

bigtable.logicalViews.get

bigtable.logicalViews.list

bigtable.logicalViews.readRows

bigtable.materializedViews.get

bigtable.materializedViews.list

bigtable.materializedViews.readRows

bigtable.materializedViews.sampleRowKeys

bigtable.schemaBundles.get

bigtable.schemaBundles.list

bigtable.tables.checkConsistency

bigtable.tables.generateConsistencyToken

bigtable.tables.get

bigtable.tables.list

bigtable.tables.readRows

bigtable.tables.sampleRowKeys

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.timeSeries.*

  • monitoring.timeSeries.create
  • monitoring.timeSeries.list

resourcemanager.projects.get

Bigtable User

(roles/bigtable.user)

Provides read-write access to the data stored within Bigtable tables. Intended for application developers or service accounts.

Lowest-level resources where you can grant this role:

  • Table

bigtable.appProfiles.get

bigtable.appProfiles.list

bigtable.authorizedViews.get

bigtable.authorizedViews.list

bigtable.authorizedViews.mutateRows

bigtable.authorizedViews.readRows

bigtable.authorizedViews.sampleRowKeys

bigtable.backups.get

bigtable.backups.list

bigtable.clusters.get

bigtable.clusters.list

bigtable.hotTablets.list

bigtable.instances.executeQuery

bigtable.instances.get

bigtable.instances.list

bigtable.instances.ping

bigtable.keyvisualizer.*

  • bigtable.keyvisualizer.get
  • bigtable.keyvisualizer.list

bigtable.locations.list

bigtable.logicalViews.get

bigtable.logicalViews.list

bigtable.logicalViews.readRows

bigtable.materializedViews.get

bigtable.materializedViews.list

bigtable.materializedViews.readRows

bigtable.materializedViews.sampleRowKeys

bigtable.schemaBundles.get

bigtable.schemaBundles.list

bigtable.tables.checkConsistency

bigtable.tables.generateConsistencyToken

bigtable.tables.get

bigtable.tables.list

bigtable.tables.mutateRows

bigtable.tables.readRows

bigtable.tables.sampleRowKeys

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.timeSeries.*

  • monitoring.timeSeries.create
  • monitoring.timeSeries.list

resourcemanager.projects.get

Bigtable Viewer

(roles/bigtable.viewer)

Provides no data access. Intended as a minimal set of permissions to access the Google Cloud console for Bigtable.

Lowest-level resources where you can grant this role:

  • Table

bigtable.appProfiles.get

bigtable.appProfiles.list

bigtable.authorizedViews.get

bigtable.authorizedViews.list

bigtable.backups.get

bigtable.backups.list

bigtable.clusters.get

bigtable.clusters.list

bigtable.hotTablets.list

bigtable.instances.get

bigtable.instances.list

bigtable.instances.listEffectiveTags

bigtable.instances.listTagBindings

bigtable.locations.list

bigtable.logicalViews.get

bigtable.logicalViews.list

bigtable.materializedViews.get

bigtable.materializedViews.list

bigtable.schemaBundles.get

bigtable.schemaBundles.list

bigtable.tables.checkConsistency

bigtable.tables.generateConsistencyToken

bigtable.tables.get

bigtable.tables.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.timeSeries.list

resourcemanager.projects.get

Custom roles

If the predefined roles for Bigtable don't address your business requirements, you can define your own custom roles with permissions that you specify.

If your custom role needs to support access to the Google Cloud console, you must identify the tasks that users will perform, then ensure that the custom role has the required permissions for each task, as shown in the following table. If a custom role does not have all of the required permissions for a task, and a user tries to perform that task, the Google Cloud console won't work correctly.

Google Cloud console task / Required permissions
Basic access to the Google Cloud console
  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.locations.list
  • bigtable.tables.get
  • bigtable.tables.list
  • resourcemanager.projects.get
Create an instance or cluster

Basic access permissions, plus:

  • bigtable.clusters.create
  • bigtable.instances.create
Modify an instance or cluster

Basic access permissions, plus:

  • bigtable.clusters.update
  • bigtable.instances.update
Manage replication configuration

Basic access permissions, plus:

  • bigtable.appProfiles.create
  • bigtable.appProfiles.delete
  • bigtable.appProfiles.update
Delete an instance or cluster

Basic access permissions, plus:

  • bigtable.clusters.delete
  • bigtable.instances.delete
Monitor an instance by viewing graphs

Basic access permissions, plus:

  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
Create and update a table

Basic access permissions, plus:

  • bigtable.tables.create
  • bigtable.tables.update
Restore a backup

Basic access permissions, plus:

  • bigtable.backups.list
  • bigtable.tables.create
  • bigtable.backups.restore
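As an added example (not the project's own tooling), the following Python turns the task table into a least-privilege custom role: it computes the permission set for the console tasks a user needs, reports which tasks a given role cannot perform and what is missing, and emits the role definition JSON that gcloud iam roles create --file accepts. The role title, description and task selection are assumptions.

```python
"""Build a least-privilege custom role for a chosen set of console tasks.

Added example, not code from the Bigtable documentation. CONSOLE_TASKS is
transcribed from the table above; the role title, description and task
selection are made up. role_definition() returns the JSON shape accepted by
`gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=FILE`.
"""
import json

# "Basic access to the Google Cloud console" row of the table above.
BASIC_ACCESS = {
    "bigtable.appProfiles.get", "bigtable.appProfiles.list",
    "bigtable.clusters.get", "bigtable.clusters.list",
    "bigtable.instances.get", "bigtable.instances.list",
    "bigtable.locations.list",
    "bigtable.tables.get", "bigtable.tables.list",
    "resourcemanager.projects.get",
}

# Task -> permissions needed in addition to basic access.
CONSOLE_TASKS = {
    "Create an instance or cluster": {
        "bigtable.clusters.create", "bigtable.instances.create"},
    "Modify an instance or cluster": {
        "bigtable.clusters.update", "bigtable.instances.update"},
    "Manage replication configuration": {
        "bigtable.appProfiles.create", "bigtable.appProfiles.delete",
        "bigtable.appProfiles.update"},
    "Delete an instance or cluster": {
        "bigtable.clusters.delete", "bigtable.instances.delete"},
    "Monitor an instance by viewing graphs": {
        "monitoring.metricDescriptors.get", "monitoring.metricDescriptors.list",
        "monitoring.timeSeries.list"},
    "Create and update a table": {
        "bigtable.tables.create", "bigtable.tables.update"},
    "Restore a backup": {
        "bigtable.backups.list", "bigtable.tables.create", "bigtable.backups.restore"},
}


def permissions_for_tasks(tasks):
    """Smallest permission set that lets a console user perform every task in tasks."""
    perms = set(BASIC_ACCESS)
    for task in tasks:
        perms |= CONSOLE_TASKS[task]   # KeyError: task is not in the table
    return perms


def missing_for_task(role_permissions, task):
    """Permissions the role lacks for one task; empty means the console will work."""
    return (BASIC_ACCESS | CONSOLE_TASKS[task]) - set(role_permissions)


def unsupported_tasks(role_permissions):
    """Console tasks the role cannot fully perform, mapped to what is missing."""
    report = {}
    for task in CONSOLE_TASKS:
        missing = missing_for_task(role_permissions, task)
        if missing:
            report[task] = sorted(missing)
    return report


def role_definition(title, description, tasks):
    """Custom role definition for `gcloud iam roles create --file`."""
    return {
        "title": title,
        "description": description,
        "stage": "GA",
        "includedPermissions": sorted(permissions_for_tasks(tasks)),
    }


if __name__ == "__main__":
    role = role_definition("Bigtable Table Operator",
                           "Create and update tables and restore backups in the console",
                           ["Create and update a table", "Restore a backup"])
    print(json.dumps(role, indent=2))
    # A role with only the task-specific permissions cannot drive the console:
    # every task also needs the basic access permissions.
    print(unsupported_tasks({"bigtable.tables.create", "bigtable.tables.update"}))
```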

IAM management

This section explains how to manage IAM roles and related permissions at the project, instance, table, and backup level.

Project-level IAM management

At the project level, you can grant, change, and revoke IAM roles using the Google Cloud console, the IAM API, or the Google Cloud CLI. See Granting, Changing, and Revoking Access for detailed instructions.

Once you create a project, you can grant the project-level IAM roles to users based on the specific access levels they need.

Required roles

Before you set instance-level, table-level, backup-level, authorized view-level, or continuous materialized view-level IAM roles for a user, ensure that the user has at least one of the following project-level IAM roles:

  • Bigtable Viewer (recommended)
  • Bigtable Reader
  • Bigtable User
  • Bigtable Administrator

Note: You don't need to grant these project-level roles to service accounts because service accounts are associated with a Google Cloud project as opposed to a specific user.

Choose a project-level role that has no more permissions than the user actually needs across all instances, tables, backups, authorized views, or continuous materialized views in the project. For this reason, you should grant the Bigtable Viewer role in almost all cases.

If the user does not have at least one of these project-level roles, the user won't have access to Bigtable through the Google Cloud console. The Google Cloud console requires one of these project-level roles so that it can retrieve information about instances, clusters, tables, or backups on behalf of the user.

Granting instance-level IAM roles

At the instance level, you can grant any of Bigtable's predefined roles to a user or service account. You can also grant any custom roles that you have defined.

Note: After you change a user's instance-level roles, it may take up to two minutes for the changes to take effect.

To grant a predefined or custom role to a user or service account at the instance level:

Console

  1. Go to the Bigtable instances page in the Google Cloud console.

  2. Check the boxes next to the instances whose roles you want to manage. An information panel appears.
  3. In the information panel, click Permissions.
  4. Under Add principals, start typing the email address of the user or service account you want to add, then click the email address of the user or service account.
  5. Click the Select a role drop-down list, then click Bigtable to select a predefined role or Custom to select a custom role.
  6. Click the name of each role that you want to assign.
  7. Click Add. The user or service account is granted the roles that you specified at the instance level.

gcloud

  1. If you don't know the instance ID, use the bigtable instances list command to view a list of your project's instances:

gcloud bigtable instances list

  2. Use the bigtable instances set-iam-policy command:

gcloud bigtable instances set-iam-policy INSTANCE_ID POLICY_FILE

Provide the following:

  • INSTANCE_ID: The permanent identifier for the instance.
  • POLICY_FILE: Path to a local JSON or YAML file containing a valid IAM policy.

Granting table-level IAM roles

At the table level, you can grant any of Bigtable's predefined roles to a user or service account. You can also grant any custom roles that you have defined.

Note: After you change a user's table-level roles, it can take up to two minutes for the changes to take effect.

To grant a predefined or custom role to a user or service account at the table level:

Console

  1. Go to the Bigtable instances page in the Google Cloud console.

  2. Click the name of the instance that contains the table whose IAM you are setting.
  3. Select Tables in the left navigation pane.
  4. Check the boxes next to the tables whose roles you want to manage. An information panel appears.
  5. In the information panel, click Permissions.
  6. Under Add principals, start typing the email address of the user or service account you want to add, then click the email address of the user or service account.
  7. Click the Select a role drop-down list, then click Bigtable to select a predefined role or Custom to select a custom role.
  8. Click the name of each role that you want to assign.
  9. Click Add. The user or service account is granted the roles that you specified at the table level.

gcloud

  1. If you don't know the instance ID, use the bigtable instances list command to view a list of your project's instances:

gcloud bigtable instances list

  2. If you don't know the instance's table IDs, use the bigtable instances tables list command to view a list of tables in the instance:

gcloud bigtable instances tables list --instances=INSTANCE_ID

Provide the following:

  • INSTANCE_ID: The permanent identifier for the instance.

  3. Use the bigtable instances tables set-iam-policy command:

gcloud bigtable instances tables set-iam-policy TABLE_ID --instance=INSTANCE_ID POLICY_FILE

Provide the following:

  • TABLE_ID: The permanent identifier for the table.
  • INSTANCE_ID: The permanent identifier for the instance.
  • POLICY_FILE: Path to a local JSON or YAML file containing a valid IAM policy.

Granting backup-level IAM roles

At the backup level, you can grant any of Bigtable's predefined roles to a user or service account. You can also grant any custom roles that you have defined.

Note: After you change a user's backup-level roles, it can take up to two minutes for the changes to take effect.

To grant a predefined or custom role to a user or service account at the backup level:

gcloud

  1. If you don't know the instance ID, use the bigtable instances list command to view a list of your project's instances:

gcloud bigtable instances list

  2. If you don't know the backup IDs in an instance, use the bigtable backups list command to view a list of backups in the instance:

gcloud bigtable backups list --instances=INSTANCE_ID

Provide the following:

  • INSTANCE_ID: The permanent identifier for the instance.

  3. Use the gcloud bigtable backups set-iam-policy command:

gcloud bigtable backups set-iam-policy BACKUP_ID --instance=INSTANCE_ID --cluster=CLUSTER_ID POLICY_FILE

Provide the following:

  • BACKUP_ID: The permanent identifier for the backup.
  • INSTANCE_ID: The permanent identifier for the instance.
  • CLUSTER_ID: The permanent identifier for the cluster that holds the backup.
  • POLICY_FILE: Path to a local JSON or YAML file containing a valid IAM policy.

Granting authorized view-level IAM roles

At the authorized view level, you can grant any of Bigtable's predefined roles to a user or service account. You can also grant any custom roles that you have defined.

Note: After you change a user's authorized view-level roles, it can take up to two minutes for the changes to take effect.

To grant a predefined or custom role to a user or service account at the authorized view level, do the following:

Console

  1. Open the list of Bigtable instances in the Google Cloud console.

  2. Click the instance that contains the authorized view.
  3. In the navigation pane, click Bigtable Studio.
  4. In the explorer, expand the table and Authorized views.
  5. Next to the authorized view that you want to modify, click the action menu, and then click Grant access.
  6. Add at least one principal and select the role to which that principal or group of principals should be assigned.
  7. Optional: To grant access for additional roles, click Add another role and then enter the principal and role for each additional role.
  8. Click Save.

gcloud

  1. If you don't know the instance ID, use the bigtable instances list command to view a list of your project's instances:

gcloud bigtable instances list

  2. If you don't know the instance's table IDs, use the bigtable instances tables list command to view a list of tables in the instance:

gcloud bigtable instances tables list --instances=INSTANCE_ID

  3. If you don't know the view ID, use the bigtable authorized-views list command to see a list of all authorized views of the table:

gcloud bigtable authorized-views list --instance=INSTANCE_ID --table=TABLE_ID

  4. Use the bigtable authorized-views set-iam-policy command:

gcloud bigtable authorized-views set-iam-policy AUTHORIZED_VIEW_ID --instance=INSTANCE_ID --table=TABLE_ID POLICY_FILE

Provide the following:

  • AUTHORIZED_VIEW_ID: The permanent identifier for the view.
  • INSTANCE_ID: The permanent identifier for the instance.
  • TABLE_ID: The permanent identifier for the table.
  • POLICY_FILE: Path to a local JSON or YAML file containing a valid IAM policy.

IAM conditions

IAM Conditions let you define and enforce conditional, attribute-based access control for some Google Cloud resources, including Bigtable resources.

In Bigtable, you can enforce conditional access based on the following attributes:

  • Date/time attributes: Use to set temporary (expiring), scheduled, or limited-duration access to Bigtable resources. For example, you can allow a user to access a table until a specified date.
  • Resource attributes: Use to configure conditional access based on a resource name, resource type, or resource service attributes. In Bigtable, you can use attributes of instances, clusters, tables, backups, and authorized views to configure conditional access. For example, you can allow a user to manage tables only on tables that begin with a specific prefix, or you can allow a user to access only a specific table.

For more information about IAM Conditions, see the Conditions overview.
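The POLICY_FILE that the set-iam-policy commands in the previous sections take is never shown on this page; the following Python, added here and not from the Bigtable documentation, builds one for an instance-level policy and uses the two kinds of condition attribute just described (an expiring grant and a table-name prefix). The starting policy, its etag, the principals and the resource names are constructed; request.time and resource.name are IAM's condition attributes, and the version-3 requirement for conditional bindings is IAM's.

```python
"""Build and validate the POLICY_FILE passed to the set-iam-policy commands.

Added example, not code from the Bigtable documentation. It does the
read-modify-write that set-iam-policy expects: start from the policy that
get-iam-policy returned (a constructed instance-level sample here, etag
included), add bindings, and serialize the result as JSON. Principals,
names, the expiry date and the table prefix are made up; request.time and
resource.name are IAM condition attributes, and conditional bindings need
policy version 3.
"""
import copy
import json
import re

BIGTABLE_ROLES = {"roles/bigtable.admin", "roles/bigtable.user",
                  "roles/bigtable.reader", "roles/bigtable.viewer"}
MEMBER_RE = re.compile(r"^(user|serviceAccount|group|domain):\S+$")

# Constructed stand-in for the output of
#   gcloud bigtable instances get-iam-policy INSTANCE_ID --format=json
CURRENT_POLICY = {
    "bindings": [{"role": "roles/bigtable.user", "members": [
        "serviceAccount:app@example-project.iam.gserviceaccount.com"]}],
    "etag": "BwYExampleEtag=",
    "version": 1,
}


def add_binding(policy, role, member, condition=None):
    """Add member to role, merging into an existing binding with the same condition.

    A conditional binding is always its own binding and raises the policy to
    version 3; without version 3 the condition would not be honoured.
    """
    for binding in policy["bindings"]:
        if binding["role"] == role and binding.get("condition") == condition:
            if member not in binding["members"]:
                binding["members"].append(member)
            return policy
    binding = {"role": role, "members": [member]}
    if condition is not None:
        binding["condition"] = condition
        policy["version"] = 3
    policy["bindings"].append(binding)
    return policy


def expires_at(title, rfc3339_time):
    """Date/time attribute: the grant stops applying at the given time."""
    return {"title": title, "expression": f'request.time < timestamp("{rfc3339_time}")'}


def name_prefix(title, prefix):
    """Resource attribute: only resources whose full name starts with prefix."""
    return {"title": title, "expression": f'resource.name.startsWith("{prefix}")'}


def validate(policy):
    """Problems that would make set-iam-policy reject the file or weaken the policy."""
    problems = []
    if not policy.get("etag"):
        problems.append("missing etag: a concurrent change could be overwritten")
    for b in policy["bindings"]:
        if b["role"] not in BIGTABLE_ROLES and "/roles/" not in b["role"]:
            problems.append(f"unexpected role {b['role']}")
        problems += [f"malformed member {m!r}" for m in b["members"] if not MEMBER_RE.match(m)]
        if "condition" in b and policy.get("version") != 3:
            problems.append("conditional binding requires version 3")
    return problems


def build_policy(current=CURRENT_POLICY):
    """Return the policy to save (as JSON) into POLICY_FILE for the instance."""
    policy = copy.deepcopy(current)
    add_binding(policy, "roles/bigtable.reader", "user:analyst@example.com",
                expires_at("Quarterly audit", "2026-03-31T23:59:59Z"))
    add_binding(policy, "roles/bigtable.user", "group:table-ops@example.com",
                name_prefix("Staging tables only",
                            "projects/example-project/instances/inst-a/tables/staging-"))
    problems = validate(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return policy


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
```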

What's next

Learn more about IAM.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.