Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to grant your Google Kubernetes Engine (GKE)
cluster permissions to access your Spanner database.
GKE is a managed Kubernetes service that makes it easy to deploy
and manage containerized applications. By using GKE and
Spanner together, you can take advantage of scalability,
reliability, security, and high availability in your application layer and in
your database layer.
Your GKE cluster can access the Spanner API through
Workload Identity Federation for GKE.
Workload Identity Federation for GKE allows a Kubernetes service account in your cluster to act
as an IAM service account. The IAM service account provides Application Default
Credentials
for your pods, so that you don't need to configure each pod to use your personal
user credential.
If you haven't done so already, enable Workload Identity Federation for GKE for your
GKE cluster. You can enable Workload Identity Federation for GKE on a new
cluster by creating a new node pool
or you can enable Workload Identity Federation for GKE on an existing node pool.
GKE autopilot clusters
have Workload Identity Federation for GKE enabled by default. For more information, see
Enable Workload Identity Federation for GKE.
Authenticate connection to Spanner with Workload Identity Federation for GKE
Configure your applications to authenticate to Google Cloud by using
Workload Identity Federation for GKE.
Create an IAM allow policy that grants the necessary
Spanner IAM roles to the Kubernetes
ServiceAccount object. The following example grants the Spanner Database
User (roles/spanner.databaseUser) role:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Connect Spanner with a GKE cluster\n\nThis page describes how to grant your [Google Kubernetes Engine (GKE)](/kubernetes-engine/docs/concepts/kubernetes-engine-overview)\ncluster permissions to access your Spanner database.\n\nGKE is a managed Kubernetes service that makes it easy to deploy\nand manage containerized applications. By using GKE and\nSpanner together, you can take advantage of scalability,\nreliability, security, and high availability in your application layer and in\nyour database layer.\n\nYour GKE cluster can access the Spanner API through\n[Workload Identity Federation for GKE](/kubernetes-engine/docs/concepts/workload-identity).\nWorkload Identity Federation for GKE allows a Kubernetes service account in your cluster to act\nas an IAM service account. The IAM service account provides [Application Default\nCredentials](/docs/authentication/application-default-credentials)\nfor your pods, so that you don't need to configure each pod to use your personal\nuser credential.\n\nAfter you configure your applications to authenticate using Workload Identity Federation for GKE,\nyou can use [Spanner client libraries](/spanner/docs/reference/libraries)\nto query your Spanner databases. You can also [migrate your\napplications to your GKE node pools](/kubernetes-engine/docs/how-to/workload-identity#migrate_applications_to).\n\nTo create a connection in a sample environment, try the\n[Connecting Spanner with GKE Autopilot codelab](https://codelabs.developers.google.com/codelabs/cloud-spanner-gke-autopilot).\n\nEnable Workload Identity Federation for GKE\n-------------------------------------------\n\nIf you haven't done so already, enable Workload Identity Federation for GKE for your\nGKE cluster. You can enable Workload Identity Federation for GKE on a new\ncluster by creating a [new node pool](/kubernetes-engine/docs/how-to/workload-identity#enable_on_cluster)\nor you can enable Workload Identity Federation for GKE on an [existing node pool](/kubernetes-engine/docs/how-to/workload-identity#enable-existing-cluster).\n[GKE autopilot clusters](/kubernetes-engine/docs/concepts/autopilot-overview)\nhave Workload Identity Federation for GKE enabled by default. For more information, see\n[Enable Workload Identity Federation for GKE](/kubernetes-engine/docs/how-to/workload-identity#enable).\n\nAuthenticate connection to Spanner with Workload Identity Federation for GKE\n----------------------------------------------------------------------------\n\nConfigure your applications to authenticate to Google Cloud by using\nWorkload Identity Federation for GKE.\n\n1. Ensure that your GKE Pod uses a Kubernetes `ServiceAccount`\n object, as described in [Configure authorization and principals](/kubernetes-engine/docs/how-to/workload-identity#configure-authz-principals).\n\n2. Create an IAM allow policy that grants the necessary\n Spanner IAM roles to the Kubernetes\n `ServiceAccount` object. The following example grants the Spanner Database\n User (`roles/spanner.databaseUser`) role:\n\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --member=\"principal://iam.googleapis.com/projects/\u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e/locations/global/workloadIdentityPools/\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e.svc.id.goog/subject/ns/\u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e/sa/\u003cvar translate=\"no\"\u003eKSA_NAME\u003c/var\u003e \\\n --role=roles/spanner.databaseUser \\\n --condition=None\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: The project ID of the GKE cluster.\n - \u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e: The numerical Google Cloud project number.\n - \u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e: The Kubernetes namespace that contains the ServiceAccount.\n - \u003cvar translate=\"no\"\u003eKSA_NAME\u003c/var\u003e: The name of the ServiceAccount.\n\nConnect Spanner databases\n-------------------------\n\nAfter your application Pod is authenticated, you can use one of the\n[Spanner client libraries](/spanner/docs/reference/libraries)\nto query your Spanner database.\n\nWhat's next\n-----------\n\n- Learn how to [deploy your application to the GKE cluster](/kubernetes-engine/docs/deploy-app-cluster).\n- Learn how to [deploy your application using GKE Autopilot\n and Spanner](/kubernetes-engine/docs/tutorials/gke-spanner-integration).\n- Learn more about how to [migrate existing workloads to Workload Identity Federation for GKE](/kubernetes-engine/docs/how-to/workload-identity#migrate_applications_to).\n- Learn more about [SQL best practices](/spanner/docs/sql-best-practices).\n- Integrate Spanner with other ORMs including [Hibernate ORM](/spanner/docs/use-hibernate), [gorm](/spanner/docs/use-gorm), and [Django ORM](/spanner/docs/django-orm)."]]
