terraform-provider-google/website/docs/r/spanner_database_iam.html.markdown

---
layout: "google"
page_title: "Google: google_spanner_database_iam"
sidebar_current: "docs-google-spanner-database-iam"
description: |-
 Collection of resources to manage IAM policy for a Spanner database.
---

# IAM policy for Spanner databases

Three different resources help you manage your IAM policy for a Spanner database. Each of these resources serves a different use case:

* `google_spanner_database_iam_policy`: Authoritative. Sets the IAM policy for the database and replaces any existing policy already attached.

~> **Warning:** It's entirely possibly to lock yourself out of your database using `google_spanner_database_iam_policy`. Any permissions granted by default will be removed unless you include them in your config.

* `google_spanner_database_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the database are preserved.
* `google_spanner_database_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the database are preserved.

~> **Note:** `google_spanner_database_iam_policy` **cannot** be used in conjunction with `google_spanner_database_iam_binding` and `google_spanner_database_iam_member` or they will fight over what your policy should be.

~> **Note:** `google_spanner_database_iam_binding` resources **can be** used in conjunction with `google_spanner_database_iam_member` resources **only if** they do not grant privilege to the same role.

## google\_spanner\_database\_iam\_policy

```hcl
data "google_iam_policy" "admin" {
  binding {
    role = "roles/editor"

    members = [
      "user:jane@example.com",
    ]
  }
}

resource "google_spanner_database_iam_policy" "database" {
  instance    = "your-instance-name"
  database    = "your-database-name"
  policy_data = "${data.google_iam_policy.admin.policy_data}"
}
```

## google\_spanner\_database\_iam\_binding

```hcl
resource "google_spanner_database_iam_binding" "database" {
  instance   = "your-instance-name"
  database   = "your-database-name"
  role       = "roles/compute.networkUser"

  members = [
    "user:jane@example.com",
  ]
}
```

## google\_spanner\_database\_iam\_member

```hcl
resource "google_spanner_database_iam_member" "database" {
  instance   = "your-instance-name"
  database   = "your-database-name"
  role       = "roles/compute.networkUser"
  member     = "user:jane@example.com"
}
```

## Argument Reference

The following arguments are supported:

* `database` - (Required) The name of the Spanner database.

* `instance` - (Required) The name of the Spanner instance the database belongs to.

* `member/members` - (Required) Identities that will be granted the privilege in `role`.
  Each entry can have one of the following values:
  * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

* `role` - (Required) The role that should be applied. Only one
    `google_spanner_database_iam_binding` can be used per role. Note that custom roles must be of the format
    `[projects|organizations]/{parent-name}/roles/{role-name}`.

* `policy_data` - (Required only by `google_spanner_database_iam_policy`) The policy data generated by
  a `google_iam_policy` data source.

* `project` - (Optional) The ID of the project in which the resource belongs. If it
    is not provided, the provider project is used.

## Attributes Reference

In addition to the arguments listed above, the following computed attributes are
exported:

* `etag` - (Computed) The etag of the database's IAM policy.

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* {{project}}/{{instance}}/{{database}}
* {{instance}}/{{database}} (project is taken from provider project)

IAM member imports use space-delimited identifiers; the resource in question, the role, and the member identity, e.g.

```
$ terraform import google_spanner_database_iam_member.database "project-name/instance-name/database-name roles/viewer user:foo@example.com"
```

IAM binding imports use space-delimited identifiers; the resource in question and the role, e.g.

```
$ terraform import google_spanner_database_iam_binding.database "project-name/instance-name/database-name roles/viewer"
```

IAM policy imports use the identifier of the resource in question, e.g.

```
$ terraform import google_spanner_database_iam_policy.database project-name/instance-name/database-name
```
Add Spanner database IAM docs 2018-05-02 17:58:04 +00:00			`---`
			`layout: "google"`
			`page_title: "Google: google_spanner_database_iam"`
			`sidebar_current: "docs-google-spanner-database-iam"`
			`description: \|-`
			`Collection of resources to manage IAM policy for a Spanner database.`
			`---`

			`# IAM policy for Spanner databases`

			`Three different resources help you manage your IAM policy for a Spanner database. Each of these resources serves a different use case:`

			* `google_spanner_database_iam_policy`: Authoritative. Sets the IAM policy for the database and replaces any existing policy already attached.

			~> Warning: It's entirely possibly to lock yourself out of your database using `google_spanner_database_iam_policy`. Any permissions granted by default will be removed unless you include them in your config.

			* `google_spanner_database_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the database are preserved.
			* `google_spanner_database_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the database are preserved.

			~> Note: `google_spanner_database_iam_policy` cannot be used in conjunction with `google_spanner_database_iam_binding` and `google_spanner_database_iam_member` or they will fight over what your policy should be.

			~> Note: `google_spanner_database_iam_binding` resources can be used in conjunction with `google_spanner_database_iam_member` resources only if they do not grant privilege to the same role.

			`## google\_spanner\_database\_iam\_policy`

			```hcl
			`data "google_iam_policy" "admin" {`
			`binding {`
			`role = "roles/editor"`

			`members = [`
			`"user:jane@example.com",`
			`]`
			`}`
			`}`

			`resource "google_spanner_database_iam_policy" "database" {`
			`instance = "your-instance-name"`
			`database = "your-database-name"`
			`policy_data = "${data.google_iam_policy.admin.policy_data}"`
			`}`
			```

			`## google\_spanner\_database\_iam\_binding`

			```hcl
			`resource "google_spanner_database_iam_binding" "database" {`
			`instance = "your-instance-name"`
			`database = "your-database-name"`
			`role = "roles/compute.networkUser"`

			`members = [`
			`"user:jane@example.com",`
			`]`
			`}`
			```

			`## google\_spanner\_database\_iam\_member`

			```hcl
			`resource "google_spanner_database_iam_member" "database" {`
			`instance = "your-instance-name"`
			`database = "your-database-name"`
			`role = "roles/compute.networkUser"`
			`member = "user:jane@example.com"`
			`}`
			```

			`## Argument Reference`

			`The following arguments are supported:`

			* `database` - (Required) The name of the Spanner database.

			* `instance` - (Required) The name of the Spanner instance the database belongs to.

			* `member/members` - (Required) Identities that will be granted the privilege in `role`.
			`Each entry can have one of the following values:`
			`* allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.`
			`* allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.`
			`* user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.`
			`* serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.`
			`* group:{emailid}: An email address that represents a Google group. For example, admins@example.com.`
Replace "Google Apps domain" with "G Suite domain" Google Apps is a former name. Also, I mention primary domain and domain alias. It seems I have to use the primary domain. Otherwise, GCP replaces the field to the primary one. And every time Terraform plan returns a diff about it. I used domain alias for `members` arg in `google_project_iam_member` resource. `terraform apply` was succeeded. However, when I run modify other resources, I got a diff about the `google_project_iam_member` resource. 2018-09-22 11:51:42 +00:00			`* domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.`
Add Spanner database IAM docs 2018-05-02 17:58:04 +00:00
			* `role` - (Required) The role that should be applied. Only one
			`google_spanner_database_iam_binding` can be used per role. Note that custom roles must be of the format
			`[projects\|organizations]/{parent-name}/roles/{role-name}`.

			* `policy_data` - (Required only by `google_spanner_database_iam_policy`) The policy data generated by
			a `google_iam_policy` data source.

			* `project` - (Optional) The ID of the project in which the resource belongs. If it
			`is not provided, the provider project is used.`

			`## Attributes Reference`

			`In addition to the arguments listed above, the following computed attributes are`
			`exported:`

			* `etag` - (Computed) The etag of the database's IAM policy.

			`## Import`

			`For all import syntaxes, the "resource in question" can take any of the following forms:`

			`* {{project}}/{{instance}}/{{database}}`
			`* {{instance}}/{{database}} (project is taken from provider project)`

Fix documentation around iam member imports (#2865) Signed-off-by: Modular Magician <magic-modules@google.com> 2019-01-12 01:23:56 +00:00			`IAM member imports use space-delimited identifiers; the resource in question, the role, and the member identity, e.g.`
Add Spanner database IAM docs 2018-05-02 17:58:04 +00:00
			```
Fix documentation around iam member imports (#2865) Signed-off-by: Modular Magician <magic-modules@google.com> 2019-01-12 01:23:56 +00:00			`$ terraform import google_spanner_database_iam_member.database "project-name/instance-name/database-name roles/viewer user:foo@example.com"`
Add Spanner database IAM docs 2018-05-02 17:58:04 +00:00			```

			`IAM binding imports use space-delimited identifiers; the resource in question and the role, e.g.`

			```
			`$ terraform import google_spanner_database_iam_binding.database "project-name/instance-name/database-name roles/viewer"`
			```

			`IAM policy imports use the identifier of the resource in question, e.g.`

			```
			`$ terraform import google_spanner_database_iam_policy.database project-name/instance-name/database-name`
			```