IAM policy for Spanner Databases

Three different resources help you manage your IAM policy for a Spanner database. Each of these resources serves a different use case:

google_spanner_database_iam_policy

data "google_iam_policy" "admin" {
  binding {
    role = "roles/editor"

    members = [
      "user:jane@example.com",
    ]
  }
}

resource "google_spanner_database_iam_policy" "database" {
  instance    = "your-instance-name"
  database    = "your-database-name"
  policy_data = data.google_iam_policy.admin.policy_data
}

With IAM Conditions:

data "google_iam_policy" "admin" {
  binding {
    role = "roles/editor"

    members = [
      "user:jane@example.com",
    ]

    condition {
      title       = "My Role"
      description = "Grant permissions on my_role"
      expression  = "(resource.type == \"spanner.googleapis.com/DatabaseRole\" && (resource.name.endsWith(\"/myrole\")))"
    }
  }
}

resource "google_spanner_database_iam_policy" "database" {
  instance    = "your-instance-name"
  database    = "your-database-name"
  policy_data = data.google_iam_policy.admin.policy_data
}

google_spanner_database_iam_binding

resource "google_spanner_database_iam_binding" "database" {
  instance = "your-instance-name"
  database = "your-database-name"
  role     = "roles/compute.networkUser"

  members = [
    "user:jane@example.com",
  ]
}

With IAM Conditions:

resource "google_spanner_database_iam_binding" "database" {
  instance = "your-instance-name"
  database = "your-database-name"
  role     = "roles/compute.networkUser"

  members = [
    "user:jane@example.com",
  ]

  condition {
    title       = "My Role"
    description = "Grant permissions on my_role"
    expression  = "(resource.type == \"spanner.googleapis.com/DatabaseRole\" && (resource.name.endsWith(\"/myrole\")))"
  }
}

google_spanner_database_iam_member

resource "google_spanner_database_iam_member" "database" {
  instance = "your-instance-name"
  database = "your-database-name"
  role     = "roles/compute.networkUser"
  member   = "user:jane@example.com"
}

With IAM Conditions:

resource "google_spanner_database_iam_member" "database" {
  instance = "your-instance-name"
  database = "your-database-name"
  role     = "roles/compute.networkUser"
  member   = "user:jane@example.com"

  condition {
    title       = "My Role"
    description = "Grant permissions on my_role"
    expression  = "(resource.type == \"spanner.googleapis.com/DatabaseRole\" && (resource.name.endsWith(\"/myrole\")))"
  }
}
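The three resource types above differ in how much of the existing policy they take ownership of, and that difference is what decides whether an apply silently strips grants you did not write down. The following Python model is an added example, not code from the Terraform provider or its documentation: it simulates the effect of each resource type on one starting policy (the policy resource replaces the whole policy, the binding resource replaces the member list of a single role, the member resource only adds one grant) and prints a per-role diff of the kind you would want to see in a plan review. The `Policy` structure, the three `apply_*` functions and the sample starting policy are constructed for this illustration; conditions are left out to keep the model small.

```python
"""Added example: a plain-Python model of how the three Spanner database IAM
resources change an existing policy (no Google API calls are made).

- google_spanner_database_iam_policy  : authoritative for the whole policy
- google_spanner_database_iam_binding : authoritative for one role
- google_spanner_database_iam_member  : additive, one member on one role

The policy shape and the apply_* helpers are assumptions made for this
illustration, modelling the provider's documented behaviour for each type.
"""
from copy import deepcopy
from typing import Dict, Set, Tuple

# Policy = {role: set of members}. IAM conditions are omitted here.
Policy = Dict[str, Set[str]]
Diff = Dict[str, Tuple[Set[str], Set[str]]]


def apply_iam_policy(current: Policy, desired: Policy) -> Policy:
    """iam_policy: the desired policy wins outright; every binding that is
    present on the database but absent from `desired` is removed."""
    return deepcopy(desired)


def apply_iam_binding(current: Policy, role: str, members: Set[str]) -> Policy:
    """iam_binding: authoritative for `role` only. Other roles are untouched,
    but members of `role` that are not in `members` are removed."""
    result = deepcopy(current)
    result[role] = set(members)
    return result


def apply_iam_member(current: Policy, role: str, member: str) -> Policy:
    """iam_member: add a single grant and preserve everything else."""
    result = deepcopy(current)
    result.setdefault(role, set()).add(member)
    return result


def diff(before: Policy, after: Policy) -> Diff:
    """Per-role (added, removed) member sets; roles with no change are omitted."""
    out: Diff = {}
    for role in sorted(set(before) | set(after)):
        b, a = before.get(role, set()), after.get(role, set())
        if a - b or b - a:
            out[role] = (a - b, b - a)
    return out


# Constructed sample: grants that already exist on the database before apply.
EXISTING: Policy = {
    "roles/spanner.databaseReader": {"user:jane@example.com",
                                     "group:analysts@example.com"},
    "roles/spanner.databaseAdmin": {"user:dba@example.com"},
}


def demo() -> Dict[str, Diff]:
    """Apply each resource type to the same starting policy and return the
    resulting diffs so the three behaviours can be compared side by side."""
    only_jane: Policy = {"roles/editor": {"user:jane@example.com"}}
    return {
        "iam_policy": diff(EXISTING, apply_iam_policy(EXISTING, only_jane)),
        "iam_binding": diff(EXISTING, apply_iam_binding(
            EXISTING, "roles/spanner.databaseReader", {"user:jane@example.com"})),
        "iam_member": diff(EXISTING, apply_iam_member(
            EXISTING, "roles/spanner.databaseReader", "user:bob@example.com")),
    }


if __name__ == "__main__":
    for name, changes in demo().items():
        print(name)
        for role, (added, removed) in changes.items():
            print(f"  {role}: +{sorted(added)} -{sorted(removed)}")
```

Running the block shows the policy variant removing the existing `databaseAdmin` grant entirely, the binding variant removing only the analysts group from `databaseReader`, and the member variant producing a single addition with no removals. The same reasoning is why a policy resource must not be mixed with binding or member resources on the same database: each apply would undo the other's grants.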

Argument Reference

The following arguments are supported:


The condition block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Import

For all import syntaxes, the "resource in question" can take any of the following forms:

Importing IAM members

IAM member imports use space-delimited identifiers that contain the database, role, and member. For example:

An import block (Terraform v1.5.0 and later) can be used to import IAM members:

import {
  id = "{{project}}/{{instance}}/{{database}} roles/viewer user:foo@example.com"
  to = google_spanner_database_iam_member.default
}

The terraform import command can also be used:

$ terraform import google_spanner_database_iam_member.default "{{project}}/{{instance}}/{{database}} roles/viewer user:foo@example.com"

Importing IAM bindings

IAM binding imports use space-delimited identifiers that contain the resource's database and role. For example:

An import block (Terraform v1.5.0 and later) can be used to import IAM bindings:

import {
  id = "{{project}}/{{instance}}/{{database}} roles/viewer"
  to = google_spanner_database_iam_binding.default
}

The terraform import command can also be used:

$ terraform import google_spanner_database_iam_binding.default "{{project}}/{{instance}}/{{database}} roles/viewer"

Importing IAM policies

IAM policy imports use the identifier of the Spanner Database resource in question. For example:

An import block (Terraform v1.5.0 and later) can be used to import IAM policies:

import {
  id = "{{project}}/{{instance}}/{{database}}"
  to = google_spanner_database_iam_policy.default
}

The terraform import command can also be used:

$ terraform import google_spanner_database_iam_policy.default {{project}}/{{instance}}/{{database}}
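The three import identifier formats above share a prefix and differ only in how many space-delimited fields follow it, which makes them easy to get subtly wrong (a missing role prefix, an untyped member, a two-part resource path). The parser below is an added example, not part of the provider's documentation or code: it validates an identifier against the three forms shown on this page, works out which resource type it belongs to, and renders the matching import block. The `ImportId` dataclass, the validation rules and the sample identifiers are assumptions made for this illustration; the member type prefixes it accepts are the common IAM principal types.

```python
"""Added example: parse and validate the import identifiers used by the three
google_spanner_database_iam_* resources.

Formats (as shown in the documentation above):
  member : "{{project}}/{{instance}}/{{database}} roles/<role> <member>"
  binding: "{{project}}/{{instance}}/{{database}} roles/<role>"
  policy : "{{project}}/{{instance}}/{{database}}"

The dataclass and the checks below are assumptions for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# project/instance/database: three non-empty segments, no extra slashes.
RESOURCE_RE = re.compile(r"^([^/\s]+)/([^/\s]+)/([^/\s]+)$")
# Typed principal prefixes accepted in the member position.
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")
KIND_BY_FIELDS = {1: "policy", 2: "binding", 3: "member"}


@dataclass(frozen=True)
class ImportId:
    kind: str  # "policy", "binding" or "member"
    project: str
    instance: str
    database: str
    role: Optional[str] = None
    member: Optional[str] = None

    @property
    def terraform_type(self) -> str:
        return f"google_spanner_database_iam_{self.kind}"


def parse_import_id(raw: str) -> ImportId:
    """Validate a space-delimited import identifier and classify it."""
    parts = raw.strip().split()
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"expected 1-3 space-delimited fields, got {len(parts)}")
    match = RESOURCE_RE.match(parts[0])
    if not match:
        raise ValueError("resource must be of the form project/instance/database")
    project, instance, database = match.groups()
    role = member = None
    if len(parts) >= 2:
        role = parts[1]
        if not role.startswith("roles/"):
            raise ValueError("role must start with roles/")
    if len(parts) == 3:
        member = parts[2]
        if not member.startswith(MEMBER_PREFIXES):
            raise ValueError("member must be typed, e.g. user:... or serviceAccount:...")
    return ImportId(KIND_BY_FIELDS[len(parts)], project, instance, database, role, member)


def import_block(raw: str, name: str = "default") -> str:
    """Render the Terraform import block for a validated identifier."""
    parsed = parse_import_id(raw)
    return (
        "import {\n"
        f'  id = "{raw.strip()}"\n'
        f"  to = {parsed.terraform_type}.{name}\n"
        "}\n"
    )


if __name__ == "__main__":
    # Constructed sample identifiers, one per resource type.
    for sample in (
        "my-proj/my-instance/my-db roles/viewer user:foo@example.com",
        "my-proj/my-instance/my-db roles/viewer",
        "my-proj/my-instance/my-db",
    ):
        print(import_block(sample), end="")
```

Because the identifier is classified by field count, the parser also catches the most common mistake of pointing a binding-shaped identifier at an `iam_member` resource, or vice versa: compare `parse_import_id(raw).terraform_type` against the address you intend to import into before running the import.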