This page describes how you can control Cloud SQL project access and permissions using Identity and Access Management (IAM).
Overview
Google Cloud Platform offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. This page describes the Cloud SQL IAM roles and permissions. For a detailed description of GCP IAM, see the IAM documentation.
Cloud SQL provides a set of predefined roles designed to help you easily control access to your Cloud SQL resources. You can also create your own custom roles, if the predefined roles do not provide the sets of permissions you need. In addition, the legacy primitive roles (Editor, Viewer, and Owner) are also still available to you, although they do not provide the same fine-grained control as the Cloud SQL roles. In particular, the primitive roles provide access to resources across Google Cloud Platform, rather than just for Cloud SQL. For more information about primitive roles, see Primitive roles.
Permissions and roles
This section summarizes the permissions and roles Cloud SQL supports.
Predefined roles
Cloud SQL provides some predefined roles you can use to provide finer-grained permissions to project members. The role you grant to a project member controls what actions the member can take. Project members can be individuals, groups, or service accounts.
You can grant multiple roles to the same project member, and you can change the roles granted to a project member at any time, provided you have the permissions to do so.
The broader roles include the more narrowly defined roles. For example, the Cloud SQL Editor role includes all of the permissions of the Cloud SQL Viewer role, along with the addition permissions of the Cloud SQL Editor role. Likewise, the Cloud SQL Admin role includes all of the permissions of the Cloud SQL Editor role, along with its additional permissions.
The primitive roles (Owner, Editor, Viewer) provide permissions across Google Cloud Platform. The roles specific to Cloud SQL provide only Cloud SQL permissions, except for the following GCP permissions, which are needed for general GCP usage:
resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.get
The following table lists the predefined roles available for Cloud SQL, along with their Cloud SQL permissions:
| Role | Name | Cloud SQL permissions | Description |
|---|---|---|---|
roles/owner |
Owner | cloudsql.* |
Full access and control for all Google Cloud Platform resources; manage user access |
roles/writer |
Editor | All cloudsql permissions except for cloudsql.*.getIamPolicy & cloudsql.*.setIamPolicy |
Read-write access to all Google Cloud Platform and Cloud SQL resources (full control except for the ability to modify permissions) |
roles/reader |
Viewer | cloudsql.*.exportcloudsql.*.getcloudsql.*.list |
Read-only access to all Google Cloud Platform resources, including Cloud SQL resources |
roles/cloudsql.admin |
Cloud SQL Admin | cloudsql.* |
Full control for all Cloud SQL resources. |
roles/cloudsql.editor |
Cloud SQL Editor |
cloudsql.instances.addServerCacloudsql.instances.connectcloudsql.instances.exportcloudsql.instances.failovercloudsql.instances.getcloudsql.instances.listcloudsql.instances.listServerCacloudsql.instances.restartcloudsql.instances.rotateServerCacloudsql.instances.truncateLogcloudsql.instances.updatecloudsql.databases.createcloudsql.databases.getcloudsql.databases.listcloudsql.databases.updatecloudsql.backupRuns.createcloudsql.backupRuns.getcloudsql.backupRuns.listcloudsql.sslCerts.getcloudsql.sslCerts.listcloudsql.users.list |
Manage specific instances. No ability to see or modify permissions, nor modify users or sslCerts. No ability to import data or restore from a backup, nor clone, delete, or promote instances. No ability to start or stop replicas. No ability to delete databases, replicas, or backups. |
roles/cloudsql.viewer |
Cloud SQL Viewer |
cloudsql.*.exportcloudsql.*.getcloudsql.*.listcloudsql.instances.listServerCa
|
Read-only access to all Cloud SQL resources. |
roles/cloudsql.client |
Cloud SQL Client |
cloudsql.instances.connectcloudsql.instances.get |
Connectivity access to Cloud SQL instances from App Engine and the Cloud SQL Proxy. Not required for accessing an instance using IP addresses. |
Permissions and their roles
The following table lists each permission that Cloud SQL supports, the Cloud SQL roles that include it, and its legacy (primitive) role.
| Permission | Cloud SQL roles | Legacy role |
|---|---|---|
cloudsql.backupRuns.create |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.backupRuns.delete |
Cloud SQL Admin | Editor |
cloudsql.backupRuns.get |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.backupRuns.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.databases.create |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.databases.delete |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.databases.get |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.databases.getIamPolicy
|
Cloud SQL Admin | Owner |
cloudsql.databases.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.databases.setIamPolicy
|
Cloud SQL Admin | Owner |
cloudsql.databases.update |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.instance.addServerCa
|
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.instances.clone |
Cloud SQL Admin | Editor |
cloudsql.instances.connect |
Cloud SQL Admin Cloud SQL Client Cloud SQL Editor |
Editor |
cloudsql.instances.create |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.instances.delete |
Cloud SQL Admin | Editor |
cloudsql.instances.demoteMaster |
Cloud SQL Admin | Editor |
cloudsql.instances.export |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.instances.failover |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.instances.get |
Cloud SQL Admin Cloud SQL Client Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.instances.getIamPolicy
|
Cloud SQL Admin | Owner |
cloudsql.instances.import |
Cloud SQL Admin | Editor |
cloudsql.instances.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.instance.listServerCa
|
Cloud SQL Viewer | Viewer |
cloudsql.instances.promoteReplica |
Cloud SQL Admin | Editor |
cloudsql.instances.resetSslConfig |
Cloud SQL Admin | Editor |
cloudsql.instances.restart |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.instances.restoreBackup |
Cloud SQL Admin | Editor |
cloudsql.instance.rotateServerCa
|
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.instances.setIamPolicy
|
Cloud SQL Admin | Owner |
cloudsql.instances.startReplica |
Cloud SQL Admin | Editor |
cloudsql.instances.stopReplica |
Cloud SQL Admin | Editor |
cloudsql.instances.truncateLog |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.instances.update |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.sslCerts.create |
Cloud SQL Admin | Editor |
cloudsql.sslCerts.delete |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.sslCerts.get |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.sslCerts.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.users.create |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.users.delete |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.users.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.users.update |
Cloud SQL Admin | Editor |
Custom roles
If the predefined roles do not address your unique business requirements, you can define your own custom roles with permissions that you specify. To support this, IAM offers custom roles.
When you create custom roles for Cloud SQL,
make sure that if you include either cloudsql.instances.list
or cloudsql.instances.get, that you include them both. Otherwise,
the GCP Console will not function correctly for Cloud SQL.
Required permissions for common tasks in the GCP Console
| Task | Required additional permissions |
|---|---|
| Displaying the instance listing page |
cloudsql.instances.listresourcemanager.projects.get
|
| Creating an instance |
cloudsql.instances.createcloudsql.instances.getcloudsql.instances.listresourcemanager.projects.get
|
| Connecting to an instance from the Cloud Shell |
cloudsql.instances.getcloudsql.instances.listcloudsql.instances.updateresourcemanager.projects.get
|
| Creating a user |
cloudsql.instances.getcloudsql.instances.listcloudsql.users.createcloudsql.users.listresourcemanager.projects.get
|
| Viewing instance information |
cloudsql.instances.getcloudsql.instances.listcloudsql.users.listmonitoring.timeSeries.listresourcemanager.projects.get
|
Required permissions for gcloud sql commands
| Command | Required permissions |
|---|---|
gcloud sql backups create |
cloudsql.backupRuns.create |
gcloud sql backups delete |
cloudsql.backupRuns.delete |
gcloud sql backups describe |
cloudsql.backupRuns.get |
gcloud sql backups list |
cloudsql.backupRuns.list |
gcloud sql backups restore |
cloudsql.backupRuns.getcloudsql.instances.restoreBackup |
gcloud sql connect |
cloudsql.instances.getcloudsql.instances.update |
gcloud sql databases create |
cloudsql.databases.create |
gcloud sql databases delete |
cloudsql.databases.delete |
gcloud sql databases describe |
cloudsql.databases.get |
gcloud sql databases list |
cloudsql.databases.list |
gcloud sql databases patch |
cloudsql.databases.getcloudsql.databases.update |
gcloud sql export |
cloudsql.instances.export |
gcloud sql flags list |
None |
gcloud sql import |
cloudsql.instances.import |
gcloud sql instances clone |
cloudsql.instances.clone |
gcloud sql instances create |
cloudsql.instances.create |
gcloud sql instances delete |
cloudsql.instances.delete |
gcloud sql instances describe |
cloudsql.instances.get |
gcloud sql instances export |
cloudsql.instances.export |
gcloud sql instances failover |
cloudsql.instances.failover |
gcloud sql instances import |
cloudsql.instances.import |
gcloud sql instances list |
cloudsql.instances.list |
gcloud sql instances patch |
cloudsql.instances.getcloudsql.instances.update |
gcloud sql instances promote-replica |
cloudsql.instances.promoteReplica |
gcloud sql instances reset-ssl-config |
cloudsql.instances.resetSslConfig |
gcloud sql instances restart |
cloudsql.instances.restart |
gcloud sql instances restore-backup |
cloudsql.backupRuns.getcloudsql.instances.restoreBackup |
gcloud sql operations describe |
cloudsql.instances.get |
gcloud sql operations list |
cloudsql.instances.get |
gcloud sql operations wait |
cloudsql.instances.get |
gcloud sql ssl client-certs create |
cloudsql.sslCerts.create |
gcloud sql ssl client-certs delete |
cloudsql.sslCerts.delete |
gcloud sql ssl client-certs describe |
cloudsql.sslCerts.list |
gcloud sql ssl client-certs list |
cloudsql.sslCerts.list |
gcloud sql tiers list |
None |
gcloud sql users create |
cloudsql.users.create |
gcloud sql users delete |
cloudsql.users.delete |
gcloud sql users list |
cloudsql.users.list |
gcloud sql users set-password |
cloudsql.users.update |
Required permissions for API methods
The following table lists the permissions that the caller must have to call
each method in the Cloud SQL API, or to perform
tasks using GCP tools that use the API (such as the
Google Cloud Platform Console or the gcloud command line tool).
All permissions are applied to the project. You cannot apply different permissions based on the instance or other lower-level object.
| Method | Required permissions |
|---|---|
backupRuns.delete |
cloudsql.backupRuns.delete |
backupRuns.get |
cloudsql.backupRuns.get |
backupRuns.insert |
cloudsql.backupRuns.create |
backupRuns.list |
cloudsql.backupRuns.list |
databases.delete |
cloudsql.databases.delete |
databases.get |
cloudsql.databases.get |
databases.insert |
cloudsql.databases.create |
databases.list |
cloudsql.databases.list |
databases.patch |
cloudsql.databases.update, cloudsql.databases.get |
databases.update |
cloudsql.databases.update |
flags.list |
None |
instances.clone |
cloudsql.instances.clone |
instances.delete |
cloudsql.instances.delete |
instances.export |
cloudsql.instances.get |
instances.failover |
cloudsql.instances.failover |
instances.get |
cloudsql.instances.export |
instances.import |
cloudsql.instances.import |
instances.insert |
cloudsql.instances.create |
instances.list |
cloudsql.instances.list |
instances.patch |
cloudsql.instances.get, cloudsql.instances.update |
instances.promoteReplica |
cloudsql.instances.promoteReplica |
instances.resetSslConfig |
cloudsql.instances.resetSslConfig |
instances.restart |
cloudsql.instances.restart |
instances.restoreBackup |
cloudsql.instances.restoreBackup, cloudsql.backupRuns.get |
instances.startReplica |
cloudsql.instances.startReplica |
instances.stopReplica |
cloudsql.instances.stopReplica |
instances.truncateLog |
cloudsql.instances.truncateLog |
instances.update |
cloudsql.instances.update |
operations.get |
cloudsql.instances.get |
operations.list |
cloudsql.instances.get |
sslCerts.delete |
cloudsql.sslCerts.delete |
sslCerts.get |
cloudsql.sslCerts.get |
sslCerts.insert |
cloudsql.sslCerts.create |
sslCerts.list |
cloudsql.sslCerts.list |
users.delete |
cloudsql.users.delete |
users.insert |
cloudsql.users.create |
users.list |
cloudsql.users.list |
users.update |
cloudsql.users.update |
Managing Cloud SQL for MySQL IAM
You can get and set IAM policies and roles using the Google Cloud Platform Console, the IAM methods of the API, or the Cloud SDK. For more information, see Granting, Changing, and Revoking Access to Project Members.
What's next
- Learn how to grant and revoke access to project members.
- Learn more about IAM.
- Learn more about primitive roles.
- Learn about instance access control.
- Learn about database access control.
- Learn more about custom roles.
