Identity and Access Management (IAM) lets you control user and group access to Spanner resources at the project, Spanner instance, and Spanner database levels. For example, you can specify that a user has full control of a specific database in a specific instance in your project, but cannot create, modify, or delete any instances in your project. Using access control with IAM lets you grant a permission to a user or group without having to modify each Spanner instance or database permission individually.
This document focuses on the IAM permissions relevant to Spanner and the IAM roles that grant those permissions. For a detailed description of IAM and its features, see the Identity and Access Management developer's guide. In particular, see its Managing IAM policies section.
Permissions
Permissions allow users to perform specific actions on Spanner
resources. For example, the spanner.databases.read permission allows a user to
read from a database using Spanner's read API, while
spanner.databases.select allows a user to execute a SQL select statement on a
database. You don't directly give users permissions; instead, you grant them
predefined roles or custom roles, which have one or
more permissions bundled within them.
The following tables list the IAM permissions that are associated with Spanner.
Instance configurations
The following permissions apply to Spanner instance configurations. For more information, see the instance configuration references for REST and RPC APIs.
| Instance configuration permission name | Description |
|---|---|
spanner.instanceConfigs.create |
Create a custom instance configuration. |
spanner.instanceConfigs.delete |
Delete a custom instance configuration. |
spanner.instanceConfigs.get |
Get an instance configuration. |
spanner.instanceConfigs.list |
List the set of instance configurations. |
spanner.instanceConfigs.update |
Update a custom instance configuration. |
Instance configuration operations
The following permissions apply to Spanner instance configuration operations. For more information, see the instance references for REST and RPC APIs.
| Instance configuration operation permission name | Description |
|---|---|
spanner.instanceConfigOperations.list |
List instance configuration operations. |
spanner.instanceConfigOperations.get |
Get a specific instance configuration operation. |
spanner.instanceConfigOperations.cancel |
Cancel an instance configuration operation. |
spanner.instanceConfigOperations.delete |
Delete an instance configuration operation. |
Instances
The following permissions apply to Spanner instances. For more information, see the instance references for REST and RPC APIs.
| Instance permission name | Description |
|---|---|
spanner.instances.create |
Create an instance. |
spanner.instances.list |
List instances. |
spanner.instances.get |
Get the configuration of a specific instance. |
spanner.instances.getIamPolicy |
Get an instance's IAM Policy. |
spanner.instances.update |
Update an instance. |
spanner.instances.setIamPolicy |
Set an instance's IAM Policy. |
spanner.instances.delete |
Delete an instance. |
Instance operations
The following permissions apply to Spanner instance operations. For more information, see the instance references for REST and RPC APIs.
| Instance operation permission name | Description |
|---|---|
spanner.instanceOperations.list |
List instance operations. |
spanner.instanceOperations.get |
Get a specific instance operation. |
spanner.instanceOperations.cancel |
Cancel an instance operation. |
spanner.instanceOperations.delete |
Delete an instance operation. |
Partitions
The following permissions apply to Spanner partitions. For more information, see the partition references for REST and RPC APIs.
| Instance permission name | Description |
|---|---|
spanner.instancePartitions.create |
Create a partition. |
spanner.instancePartitions.get |
Get the configuration of a specific partition. |
spanner.instancePartitions.list |
List partitions. |
spanner.instancePartitions.update |
Update a partition. |
spanner.instancePartitions.delete |
Delete a partition. |
Partition operations
The following permissions apply to Spanner partition operations. For more information, see the instance partition references for REST and RPC APIs.
| Instance partition operation permission name | Description |
|---|---|
spanner.instancePartitionOperations.list |
List partition operations. |
spanner.instancePartitionOperations.get |
Get a specific partition operation. |
spanner.instancePartitionOperations.cancel |
Cancel a partition operation. |
spanner.instancePartitionOperations.delete |
Delete a partition operation. |
Databases
The following permissions apply to Spanner databases. For more information, see the database references for REST and RPC APIs.
| Database permission name | Description |
|---|---|
spanner.databases.beginPartitionedDmlTransaction |
Execute a Partitioned Data Manipulation Language (DML) statement. |
spanner.databases.create |
Create a database. |
spanner.databases.createBackup |
Create a backup from the database. Also requires spanner.backups.create to create the backup resource. |
spanner.databases.list |
List databases. |
spanner.databases.update |
Update a database's metadata. |
spanner.databases.updateDdl |
Update a database's schema. |
spanner.databases.get |
Get a database's metadata. |
spanner.databases.getDdl |
Get a database's schema. |
spanner.databases.getIamPolicy |
Get a database's IAM Policy. |
spanner.databases.setIamPolicy |
Set a database's IAM Policy. |
spanner.databases.beginReadOnlyTransaction |
Begin a read-only transaction on a Spanner database. |
spanner.databases.beginOrRollbackReadWriteTransaction |
Begin or roll back a read-write transaction on a Spanner database. |
spanner.databases.read |
Read from a database using the read API. |
spanner.databases.select |
Execute a SQL select statement on a database. |
spanner.databases.write |
Write into a database. |
spanner.databases.drop |
Drop a database. |
spanner.databases.useRoleBasedAccess |
Use fine-grained access control. |
spanner.databases.useDataBoost |
Use the compute resources of Spanner Data Boost to process partitioned queries. |
Database roles
The following permissions apply to Spanner database roles. For more information, see the database references for REST and RPC APIs.
| Database role permission name | Description |
|---|---|
spanner.databaseRoles.list |
List database roles. |
spanner.databaseRoles.use |
Use a specified database role. |
Database operations
The following permissions apply to Spanner database operations. For more information, see the database references for REST and RPC APIs.
| Database operation permission name | Description |
|---|---|
spanner.databaseOperations.list |
List database and restore database operations. |
spanner.databaseOperations.get |
Get a specific database operation. |
spanner.databaseOperations.cancel |
Cancel a database operation. |
Backups
The following permissions apply to Spanner backups. For more information, see the backups references for REST and RPC APIs.
| Backup permission name | Description |
|---|---|
spanner.backups.create |
Create a backup. Also requires spanner.databases.createBackup on the source database. |
spanner.backups.get |
Get a backup. |
spanner.backups.update |
Update a backup. |
spanner.backups.delete |
Delete a backup. |
spanner.backups.list |
List backups. |
spanner.backups.restoreDatabase |
Restore database from a backup. Also requires spanner.databases.create to create the restored database on the target instance. |
spanner.backups.getIamPolicy |
Get a backup's IAM policy. |
spanner.backups.setIamPolicy |
Set a backup's IAM policy. |
Backup operations
The following permissions apply to Spanner backup operations. For more information, see the database references for REST and RPC APIs.
| Backup operation permission name | Description |
|---|---|
spanner.backupOperations.list |
List backup operations. |
spanner.backupOperations.get |
Get a specific backup operation. |
spanner.backupOperations.cancel |
Cancel a backup operation. |
Backup schedules
The following permissions apply to Spanner backup schedules. For more information, see the database references for the REST and RPC APIs.
| Backup schedule permission name | Description |
|---|---|
spanner.backupSchedules.create |
Create a backup schedule. Also requires spanner.databases.createBackup on the source database. |
spanner.backupSchedules.get |
Get a backup schedule. |
spanner.backupSchedules.update |
Update a backup schedule. |
spanner.backupSchedules.delete |
Delete a backup schedule. |
spanner.backupSchedules.list |
List backup schedules. |
Sessions
The following permissions apply to Spanner sessions. For more information, see the database references for REST and RPC APIs.
| Session permission name | Description |
|---|---|
spanner.sessions.create |
Create a session. |
spanner.sessions.get |
Get a session. |
spanner.sessions.delete |
Delete a session. |
spanner.sessions.list |
List sessions. |
Predefined roles
A predefined role is a bundle of one or more permissions. For
example, the predefined role roles/spanner.databaseUser contains the
permissions spanner.databases.read and spanner.databases.write. There are
two types of predefined roles for Spanner:
- Person roles: Granted to users or groups, which allows them to perform actions on the resources in your project.
- Machine roles: Granted to service accounts, which allows machines running as those service accounts to perform actions on the resources in your project.
The following table lists the access control with IAM predefined roles, including a list of the permissions associated with each role:
| Role | Permissions |
|---|---|
Cloud Spanner Admin( Has complete access to all Spanner resources in a Google Cloud project. A principal with this role can:
Lowest-level resources where you can grant this role:
|
|
Cloud Spanner Backup Admin( A principal with this role can:
This role cannot restore a database from a backup. Lowest-level resources where you can grant this role:
|
|
Cloud Spanner Backup Writer( This role is intended to be used by scripts that automate backup creation. A principal with this role can create backups, but cannot update or delete them. Lowest-level resources where you can grant this role:
|
|
Cloud Spanner Database Admin( A principal with this role can:
Lowest-level resources where you can grant this role:
|
|
Cloud Spanner Database Reader( A principal with this role can:
Lowest-level resources where you can grant this role:
|
|
Cloud Spanner Database Role User( In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`. |
|
Cloud Spanner Database User( A principal with this role can:
Lowest-level resources where you can grant this role:
|
|
Cloud Spanner Fine-grained Access User( Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the `roles/spanner.databaseRoleUser` IAM role and its necessary conditions. |
|
Cloud Spanner Restore Admin( A principal with this role can restore databases from backups. If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups. Lowest-level resources where you can grant this role:
|
|
Cloud Spanner Viewer( A principal with this role can:
For example, you can combine this role with the This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud console. Lowest-level resources where you can grant this role:
|
|
Basic roles
Basic roles are project-level roles that predate IAM. See Basic roles for additional details.
Although Spanner supports the following basic roles, you should use one of the predefined roles shown earlier whenever possible. Basic roles include broad permissions that apply to all of your Google Cloud resources; in contrast, Spanner's predefined roles include fine-grained permissions that apply only to Spanner.
| Basic role | Description |
|---|---|
roles/viewer |
Can list and get the metadata of schemas and instances. Can also read and query using SQL on a database. |
roles/editor |
Can do all that a roles/viewer can do. Can also create instances and databases and write data into a database. |
roles/owner |
Can do all that a roles/editor can do. Can also modify access to databases and instances. |
Custom roles
If the predefined roles for Spanner don't address your business requirements, you can define your own custom roles with permissions that you specify.
Before you create a custom role, you must identify the tasks that you need to perform. You can then identify the permissions that are required for each task and add these permissions to the custom role.
Custom roles for service account tasks
For most tasks, it's obvious which permissions you need to add to your custom
role. For example, if you want your service account to be able to create a
database, add the permission spanner.databases.create to your custom role.
However, when you're reading or writing data in a Spanner table, you need to add several different permissions to your custom role. The following table shows which permissions are required for reading and writing data.
| Service account task | Required permissions |
|---|---|
| Read data |
spanner.databases.select
|
| Insert, update, or delete data |
spanner.databases.beginOrRollbackReadWriteTransaction
|
| Create a backup |
spanner.backups.create
|
| Restore a database |
spanner.databases.create
|
Custom roles for Google Cloud console tasks
To identify the list of permissions you need for a given task in the Google Cloud console, you determine the workflow for that task and compile the permissions for that workflow. For example, to view the data in a table, you would follow these steps in the Google Cloud console:
| Step | Permissions |
|---|---|
| 1. Access the project | resourcemanager.projects.get |
| 2. View the list of instances | spanner.instances.list |
| 3. Select an instance | spanner.instances.get |
| 4. View the list of databases | spanner.databases.list |
| 5. Select a database and a table | spanner.databases.getDdl |
| 6. View data in a table | spanner.databases.select, spanner.sessions.create, spanner.sessions.delete |
In this example, you need these permissions:
resourcemanager.projects.getspanner.databases.getDdlspanner.databases.listspanner.databases.selectspanner.instances.getspanner.instances.listspanner.sessions.createspanner.sessions.delete
The following table lists the permissions required for actions in the Google Cloud console.
| Action | Permissions |
|---|---|
| View the list of instances on the Instances page |
|
| View the list on the Permissions tab of the Instance page |
|
| Add principals on the Permissions tab of the Instance page |
|
| Select an instance from the instance list to view the Instance Details page |
|
| Create an instance |
|
| Delete an instance |
|
| Modify an instance |
|
| Create a partition |
|
| Delete a partition |
|
| Modify a partition |
|
| View the graphs in the Monitor tab on the Instance details page or the Database details page |
|
| View the list of databases on the Instance details page |
|
| View the list on the Permissions tab of the Database details page |
|
| Add principals on the Permissions tab of the Database details page |
|
| Select a database from the database list and view the schema on the Database details page |
|
| Create a database |
|
| Delete a database |
|
Create a table Update a table schema |
|
View data in the Data tab of the Database details page Create and run a query |
|
| Modify data in a table |
|
| View the Backup/Restore page |
|
| View the list of backup operations |
|
| View the list of restore operations |
|
| Create a backup |
|
| Restore a database from a backup |
|
| Update a backup |
|
| Delete a backup |
|
| Create a backup schedule |
|
| Update a backup schedule |
|
| Delete a backup schedule |
|
Spanner IAM policy management
You can get, set, and test IAM policies using the REST or RPC APIs on Spanner instance, database, and backup resources.
Instances
| REST API | RPC API |
|---|---|
projects.instances.getIamPolicy |
GetIamPolicy |
projects.instances.setIamPolicy |
SetIamPolicy |
projects.instances.testIamPermissions |
TestIamPermissions |
Databases
| REST API | RPC API |
|---|---|
projects.instances.databases.getIamPolicy |
GetIamPolicy |
projects.instances.databases.setIamPolicy |
SetIamPolicy |
projects.instances.databases.testIamPermissions |
TestIamPermissions |
Backups
| REST API | RPC API |
|---|---|
projects.instances.backups.getIamPolicy |
GetIamPolicy |
projects.instances.backups.setIamPolicy |
SetIamPolicy |
projects.instances.backups.testIamPermissions |
TestIamPermissions |
What's next
- Learn more about Identity and Access Management.
- Learn how to apply IAM roles for a Spanner database, instance, or Google Cloud project.
- Learn how to control access to Google Cloud resources, including Spanner, from the internet.