Project access control

This page describes how you can control Cloud SQL project access and permissions using Identity and Access Management (IAM).

Overview

Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Cloud SQL IAM roles and permissions. For a detailed description of Google Cloud IAM, see the IAM documentation.

Cloud SQL provides a set of predefined roles designed to help you control access to your Cloud SQL resources. You can also create your own custom roles, if the predefined roles do not provide the sets of permissions you need. In addition, the legacy basic roles (Editor, Viewer, and Owner) are also still available to you, although they do not provide the same fine-grained control as the Cloud SQL roles. In particular, the basic roles provide access to resources across Google Cloud, rather than just for Cloud SQL. For more information about basic roles, see Basic roles.

You can set an IAM policy at any level in the resource hierarchy: the organization level, the folder level, the project level, or the resource level. Resources inherit the policies of all of their parent resources.

Cloud SQL also supports IAM Conditions, which can refine roles and permissions at the level of individual Cloud SQL resources, such as instances within a project. You can add a condition as a property of an IAM policy binding to specify a subset of instances that principals can access.

IAM Conditions lets you grant roles based on a variety of attributes. For example, you can allow access only at certain dates and times or grant access only to Cloud SQL resources with certain names. This page includes some examples of using IAM Conditions with Cloud SQL. For more information about IAM Conditions, see the Overview of IAM Conditions page.

Permissions and roles

This section summarizes the permissions and roles Cloud SQL supports.

Predefined roles

Cloud SQL provides some predefined roles you can use to provide finer-grained permissions to principals. The role you grant to a principal controls what actions the principal can take. Principals can be individuals, groups, or service accounts.

You can grant multiple roles to the same principal, and you can change the roles granted to a principal at any time, provided you have the permissions to do so.

The broader roles include the more narrowly defined roles. For example, the Cloud SQL Editor role includes all of the permissions of the Cloud SQL Viewer role, along with the additional permissions of the Cloud SQL Editor role. Likewise, the Cloud SQL Admin role includes all of the permissions of the Cloud SQL Editor role, along with its own additional permissions.

The basic roles (Owner, Editor, Viewer) provide permissions across Google Cloud. The roles specific to Cloud SQL provide only Cloud SQL permissions, except for the following Google Cloud permissions, which are needed for general Google Cloud usage:

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.use

The following table lists the predefined roles available for Cloud SQL, along with their Cloud SQL permissions:

roles/owner (Owner, legacy role)
  Description: Full access and control for all Google Cloud resources; manage user access.
  Cloud SQL permissions: cloudsql.*

roles/editor (Editor, legacy role)
  Description: Read-write access to all Google Cloud and Cloud SQL resources (full control except for the ability to modify permissions).
  Cloud SQL permissions: all cloudsql permissions except cloudsql.*.getIamPolicy and cloudsql.*.setIamPolicy

roles/viewer (Viewer, legacy role)
  Description: Read-only access to all Google Cloud resources, including Cloud SQL resources.
  Cloud SQL permissions:
    cloudsql.*.export
    cloudsql.*.get
    cloudsql.*.list

roles/cloudsql.admin (Cloud SQL Admin)
  Description: Full control for all Cloud SQL resources.
  Cloud SQL permissions:
    cloudsql.*
    recommender.cloudsqlInstanceDiskUsageTrendInsights.*
    recommender.cloudsqlInstanceOutOfDiskRecommendations.*

roles/cloudsql.editor (Cloud SQL Editor)
  Description: Manage Cloud SQL resources. No ability to see or modify permissions, nor to modify users or SSL certs. No ability to import data or restore from a backup, nor to clone, delete, or promote instances. No ability to start or stop replicas. No ability to delete databases, replicas, or backups.
  Cloud SQL permissions:
    cloudsql.instances.addServerCa
    cloudsql.instances.connect
    cloudsql.instances.export
    cloudsql.instances.failover
    cloudsql.instances.get
    cloudsql.instances.list
    cloudsql.instances.listServerCas
    cloudsql.instances.restart
    cloudsql.instances.rotateServerCa
    cloudsql.instances.truncateLog
    cloudsql.instances.update
    cloudsql.databases.create
    cloudsql.databases.get
    cloudsql.databases.list
    cloudsql.databases.update
    cloudsql.backupRuns.create
    cloudsql.backupRuns.get
    cloudsql.backupRuns.list
    cloudsql.sslCerts.get
    cloudsql.sslCerts.list
    cloudsql.users.list
    recommender.cloudsqlInstanceDiskUsageTrendInsights.get
    recommender.cloudsqlInstanceDiskUsageTrendInsights.list
    recommender.cloudsqlInstanceDiskUsageTrendInsights.update
    recommender.cloudsqlInstanceOutOfDiskRecommendations.get
    recommender.cloudsqlInstanceOutOfDiskRecommendations.list
    recommender.cloudsqlInstanceOutOfDiskRecommendations.update

roles/cloudsql.viewer (Cloud SQL Viewer)
  Description: Read-only access to all Cloud SQL resources.
  Cloud SQL permissions:
    cloudsql.*.export
    cloudsql.*.get
    cloudsql.*.list
    cloudsql.instances.listServerCas
    recommender.cloudsqlInstanceOutOfDiskRecommendations.get
    recommender.cloudsqlInstanceOutOfDiskRecommendations.list
    recommender.cloudsqlInstanceDiskUsageTrendInsights.get
    recommender.cloudsqlInstanceDiskUsageTrendInsights.list

roles/cloudsql.client (Cloud SQL Client)
  Description: Connectivity access to Cloud SQL instances from App Engine and the Cloud SQL Auth proxy. Not required for accessing an instance using IP addresses.
  Cloud SQL permissions:
    cloudsql.instances.connect
    cloudsql.instances.get

roles/cloudsql.instanceUser (Cloud SQL Instance User)
  Description: Role allowing access to a Cloud SQL instance.
  Cloud SQL permissions:
    cloudsql.instances.get
    cloudsql.instances.login

Custom roles

If the predefined roles do not address your unique business requirements, you can define your own custom roles with permissions that you specify. To support this, IAM offers custom roles.

When you create custom roles for Cloud SQL, make sure that if you include either cloudsql.instances.list or cloudsql.instances.get, you include both of them. Otherwise, the Cloud Console will not function correctly for Cloud SQL.

Required permissions for common tasks in the Cloud Console

Each task below is followed by the additional permissions it requires.

Displaying the instance listing page:
  cloudsql.instances.list
  resourcemanager.projects.get

Creating an instance:
  cloudsql.instances.create
  cloudsql.instances.get
  cloudsql.instances.list
  resourcemanager.projects.get

Connecting to an instance from the Cloud Shell:
  cloudsql.instances.get
  cloudsql.instances.list
  cloudsql.instances.update
  resourcemanager.projects.get

Creating a user:
  cloudsql.instances.get
  cloudsql.instances.list
  cloudsql.users.create
  cloudsql.users.list
  resourcemanager.projects.get

Viewing instance information:
  cloudsql.instances.get
  cloudsql.instances.list
  cloudsql.users.list
  monitoring.timeSeries.list
  resourcemanager.projects.get
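Added example, not from the Cloud SQL documentation: a small Python check that applies the custom-role rule above (cloudsql.instances.get and cloudsql.instances.list must be granted together) and measures a proposed custom role against the console task table, so a role can be built to least privilege for a chosen set of tasks. The task table is transcribed from this page; the role title, the sample permission lists and the YAML layout for gcloud iam roles create --file are assumptions.

```python
"""Constructed example: least-privilege checks for a Cloud SQL custom role."""
from typing import Dict, Iterable, List, Set

# Transcribed from "Required permissions for common tasks in the Cloud Console" above.
CONSOLE_TASKS: Dict[str, Set[str]] = {
    "Displaying the instance listing page": {
        "cloudsql.instances.list", "resourcemanager.projects.get"},
    "Creating an instance": {
        "cloudsql.instances.create", "cloudsql.instances.get",
        "cloudsql.instances.list", "resourcemanager.projects.get"},
    "Connecting to an instance from the Cloud Shell": {
        "cloudsql.instances.get", "cloudsql.instances.list",
        "cloudsql.instances.update", "resourcemanager.projects.get"},
    "Creating a user": {
        "cloudsql.instances.get", "cloudsql.instances.list",
        "cloudsql.users.create", "cloudsql.users.list",
        "resourcemanager.projects.get"},
    "Viewing instance information": {
        "cloudsql.instances.get", "cloudsql.instances.list",
        "cloudsql.users.list", "monitoring.timeSeries.list",
        "resourcemanager.projects.get"},
}

# The custom-roles note above: include both of these or neither.
MUST_BE_PAIRED = frozenset({"cloudsql.instances.get", "cloudsql.instances.list"})


def custom_role_problems(permissions: Iterable[str]) -> List[str]:
    """Problems that would make the Cloud Console misbehave for this role."""
    perms = set(permissions)
    present = perms & MUST_BE_PAIRED
    if present and present != MUST_BE_PAIRED:
        return ["includes %s but not %s; the Cloud Console will not function correctly"
                % (", ".join(sorted(present)),
                   ", ".join(sorted(MUST_BE_PAIRED - present)))]
    return []


def minimal_permissions(tasks: Iterable[str]) -> List[str]:
    """Smallest permission set that covers the given console tasks."""
    needed: Set[str] = set()
    for task in tasks:
        needed |= CONSOLE_TASKS[task]
    return sorted(needed)


def missing_for_tasks(permissions: Iterable[str],
                      tasks: Iterable[str]) -> Dict[str, List[str]]:
    """Per task, the permissions a proposed role still lacks (empty dict = all covered)."""
    perms = set(permissions)
    gaps: Dict[str, List[str]] = {}
    for task in tasks:
        missing = sorted(CONSOLE_TASKS[task] - perms)
        if missing:
            gaps[task] = missing
    return gaps


def role_file(title: str, permissions: Iterable[str]) -> str:
    """Role definition in the YAML form taken by
    `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=FILE` (assumed layout)."""
    lines = [f"title: {title}", "stage: GA", "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(set(permissions))]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    wanted = ["Displaying the instance listing page", "Creating a user"]
    perms = minimal_permissions(wanted)
    assert not custom_role_problems(perms)
    print(role_file("Cloud SQL User Creator (example)", perms))
```

One thing the table makes visible once it is in code: the Cloud Shell connection task needs cloudsql.instances.update, so a role built for it can also change instance settings. If that is more than the principal should have, connect through the Cloud SQL Auth proxy with roles/cloudsql.client instead, which carries only cloudsql.instances.connect and cloudsql.instances.get.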

Required permissions for gcloud sql commands

Each command below is followed by the permissions it requires.

gcloud sql backups create: cloudsql.backupRuns.create
gcloud sql backups delete: cloudsql.backupRuns.delete
gcloud sql backups describe: cloudsql.backupRuns.get
gcloud sql backups list: cloudsql.backupRuns.list
gcloud sql backups restore: cloudsql.backupRuns.get, cloudsql.instances.restoreBackup
gcloud sql connect: cloudsql.instances.get, cloudsql.instances.update
gcloud sql databases create: cloudsql.databases.create
gcloud sql databases delete: cloudsql.databases.delete
gcloud sql databases describe: cloudsql.databases.get
gcloud sql databases list: cloudsql.databases.list
gcloud sql databases patch: cloudsql.databases.get, cloudsql.databases.update
gcloud sql export: cloudsql.instances.export, cloudsql.instances.get
gcloud sql flags list: None
gcloud sql import: cloudsql.instances.import
gcloud sql instances clone: cloudsql.instances.clone
gcloud sql instances create: cloudsql.instances.create
gcloud sql instances delete: cloudsql.instances.delete
gcloud sql instances describe: cloudsql.instances.get
gcloud sql instances failover: cloudsql.instances.failover
gcloud sql instances import: cloudsql.instances.import
gcloud sql instances list: cloudsql.instances.list
gcloud sql instances patch: cloudsql.instances.get, cloudsql.instances.update
gcloud sql instances promote-replica: cloudsql.instances.promoteReplica
gcloud sql instances reset-ssl-config: cloudsql.instances.resetSslConfig
gcloud sql instances restart: cloudsql.instances.restart
gcloud sql instances restore-backup: cloudsql.backupRuns.get, cloudsql.instances.restoreBackup
gcloud sql operations describe: cloudsql.instances.get
gcloud sql operations list: cloudsql.instances.get
gcloud sql operations wait: cloudsql.instances.get
gcloud sql ssl client-certs create: cloudsql.sslCerts.create
gcloud sql ssl client-certs delete: cloudsql.sslCerts.delete
gcloud sql ssl client-certs describe: cloudsql.sslCerts.list
gcloud sql ssl client-certs list: cloudsql.sslCerts.list
gcloud sql tiers list: None
gcloud sql users create: cloudsql.users.create
gcloud sql users delete: cloudsql.users.delete
gcloud sql users list: cloudsql.users.list
gcloud sql users set-password: cloudsql.users.update

Required permissions for API methods

The following table lists the permissions that the caller must have to call each method in the Cloud SQL Admin API, or to perform tasks using Google Cloud tools that use the API (such as the Google Cloud Console or the gcloud command line tool).

All permissions are applied to the project. You cannot apply different permissions based on the instance or other lower-level object.

Each API method below is followed by the permissions it requires.

backupRuns.delete: cloudsql.backupRuns.delete
backupRuns.get: cloudsql.backupRuns.get
backupRuns.insert: cloudsql.backupRuns.create
backupRuns.list: cloudsql.backupRuns.list
databases.delete: cloudsql.databases.delete
databases.get: cloudsql.databases.get
databases.insert: cloudsql.databases.create
databases.list: cloudsql.databases.list
databases.patch: cloudsql.databases.update, cloudsql.databases.get
databases.update: cloudsql.databases.update
flags.list: None
instances.clone: cloudsql.instances.clone
instances.delete: cloudsql.instances.delete
instances.export: cloudsql.instances.export
instances.failover: cloudsql.instances.failover
instances.get: cloudsql.instances.get
instances.import: cloudsql.instances.import
instances.insert: cloudsql.instances.create
instances.list: cloudsql.instances.list
instances.patch: cloudsql.instances.get, cloudsql.instances.update
instances.promoteReplica: cloudsql.instances.promoteReplica
instances.resetSslConfig: cloudsql.instances.resetSslConfig
instances.restart: cloudsql.instances.restart
instances.restoreBackup: cloudsql.instances.restoreBackup, cloudsql.backupRuns.get
instances.startReplica: cloudsql.instances.startReplica
instances.stopReplica: cloudsql.instances.stopReplica
instances.truncateLog: cloudsql.instances.truncateLog
instances.update: cloudsql.instances.update
operations.get: cloudsql.instances.get
operations.list: cloudsql.instances.get
sslCerts.delete: cloudsql.sslCerts.delete
sslCerts.get: cloudsql.sslCerts.get
sslCerts.insert: cloudsql.sslCerts.create
sslCerts.list: cloudsql.sslCerts.list
users.delete: cloudsql.users.delete
users.insert: cloudsql.users.create
users.list: cloudsql.users.list
users.update: cloudsql.users.update

Manage Cloud SQL for MySQL IAM

You can get and set IAM policies and roles using the Google Cloud Console, the IAM methods of the API, or the Cloud SDK. For more information, see Granting, Changing, and Revoking Access.

IAM Conditions

IAM Conditions allow you to define and enforce conditional, attribute-based access control for Google Cloud resources, including Cloud SQL instances. For more information about IAM Conditions, see the Overview of IAM Conditions page.

In Cloud SQL, you can enforce conditional IAM access based on the following attributes:

  • Date/time attributes: Used to set temporary (expiring), scheduled, or limited-duration access to Cloud SQL resources. For example, you can allow a user to access a database instance until a specified date. You can use date/time attributes at any level of the resource hierarchy. For more information, see Configuring temporary access.

  • Resource attributes: Used to configure conditional access based on a resource name, resource type, or resource service attribute. In Cloud SQL, you can use attributes of database instances to configure conditional access. For more information, see Configuring resource-based access.

Use cases include:

  • Allowing users to connect to specific instances.
  • Allowing users to delete development and test instances, but not production instances.
  • Allowing users to perform administrative operations on certain dates or at certain times.

Allow users to connect to specific instances

Suppose you want to let a service account connect only to one specific Cloud SQL instance. You can include an IAM condition in the IAM policy binding that grants that service account the permissions of a Cloud SQL role.

By default, the predefined Cloud SQL Client role (roles/cloudsql.client), which contains the cloudsql.instances.connect permission, authorizes a principal to connect to all Cloud SQL instances in a project. By introducing an IAM condition into the policy binding, you can grant permission to just the named instance.

Console

This example shows how to modify the existing IAM binding for the project to give a service account a Cloud SQL Client role for a specific instance.

This example uses the following variables:

  • PROJECT_ID: Your Google Cloud project.
  • INSTANCE_ID: The name of the instance you want to grant access to.

  1. In the Google Cloud Console, go to the IAM page.
  2. Click Add.
  3. In the New Principals input box, enter the service account email.
  4. Click the Role dropdown list and select the Cloud SQL Client role.
  5. Click Add condition.
  6. Enter a title and description.
  7. Select the Condition Editor tab.
  8. In the Condition Builder section:
    • For Condition type - Resource - Type, select sqladmin.googleapis.com/Instance.
    • For Condition type - Resource - Name, enter projects/PROJECT_ID/instances/INSTANCE_ID.
    • For Condition type - Resource - Service, select sqladmin.googleapis.com.
  9. Click Save to save the condition.
  10. Click Save to save the policy.

gcloud

This example shows how to modify the existing IAM policy binding for the project to give a specific service account the Cloud SQL Client role, but only for a specific instance.

This example uses the following variables:

  • PROJECT_ID: Your Google Cloud project.
  • INSTANCE_ID: The name of the instance you want to grant access to.
  • SERVICE_ACCOUNT_EMAIL: The complete email address of the service account whose access you want to modify.

  1. Get the existing IAM policy bindings and output them to the file bindings.json:

     gcloud projects get-iam-policy PROJECT_ID --format=json > bindings.json

  2. Add the following conditional role binding to the bindings.json file (the expression must be a single JSON string; a line break inside the quotes makes the file invalid JSON):

     {
       "role": "roles/cloudsql.client",
       "members": [
         "serviceAccount:SERVICE_ACCOUNT_EMAIL"
       ],
       "condition": {
         "expression": "resource.name == 'projects/PROJECT_ID/instances/INSTANCE_ID' && resource.type == 'sqladmin.googleapis.com/Instance'"
       }
     }

  3. Update the IAM policy with the new bindings.json file:

     gcloud projects set-iam-policy PROJECT_ID bindings.json

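The gcloud procedure above, together with the resource and date/time attributes described under IAM Conditions, as an added example that is not part of the Cloud SQL documentation: a Python script that adds the conditional roles/cloudsql.client binding to a policy fetched with gcloud projects get-iam-policy, and then audits which instances a principal can connect to under the resulting policy, before and after the condition. The project name, instance names, service-account emails and the sample policy are constructed; the condition evaluator handles only the resource.name, resource.type and request.time clause shapes shown on this page, not CEL in general. The script also sets the policy to version 3 and gives the condition a title, both of which IAM requires for a binding that carries a condition.

```python
"""Constructed example (not from the Cloud SQL docs): build an instance-scoped
roles/cloudsql.client binding for bindings.json and audit which instances a
principal can reach under a policy. Names, emails and the policy are made up."""
import copy
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

CLIENT_ROLE = "roles/cloudsql.client"
INSTANCE_TYPE = "sqladmin.googleapis.com/Instance"
# Predefined roles in the table above whose permissions include cloudsql.instances.connect.
ROLES_WITH_CONNECT = {"roles/owner", "roles/editor", "roles/cloudsql.admin",
                      "roles/cloudsql.editor", CLIENT_ROLE}


def instance_condition(project_id: str, instance_id: str,
                       expires: Optional[str] = None) -> Dict[str, str]:
    """The condition from the gcloud steps above, optionally with an expiry clause
    (a date/time attribute). IAM requires a title on every condition."""
    name = f"projects/{project_id}/instances/{instance_id}"
    expr = f"resource.name == '{name}' && resource.type == '{INSTANCE_TYPE}'"
    if expires:
        expr += f" && request.time < timestamp('{expires}')"
    return {"title": f"client-{instance_id}", "expression": expr}


def add_scoped_client_binding(policy: dict, project_id: str, instance_id: str,
                              service_account_email: str,
                              expires: Optional[str] = None) -> dict:
    """Return a copy of the policy with the conditional binding added (idempotent)."""
    member = f"serviceAccount:{service_account_email}"
    cond = instance_condition(project_id, instance_id, expires)
    updated = copy.deepcopy(policy)
    updated["version"] = 3  # bindings with conditions require policy version 3
    for b in updated.setdefault("bindings", []):
        if b.get("role") == CLIENT_ROLE and b.get("condition") == cond:
            if member not in b["members"]:
                b["members"].append(member)
            return updated
    updated["bindings"].append({"role": CLIENT_ROLE, "members": [member], "condition": cond})
    return updated


_CLAUSE = re.compile(r"^(resource\.name|resource\.type) == '([^']*)'$")
_EXPIRY = re.compile(r"^request\.time < timestamp\('([^']*)'\)$")


def condition_holds(expression: str, resource_name: str, resource_type: str,
                    now: datetime) -> bool:
    """Evaluate the small CEL subset used on this page: '&&'-joined equality clauses
    on resource attributes plus a request.time expiry. Anything else is rejected
    rather than guessed, so an unexpected expression cannot audit as 'allowed'."""
    attrs = {"resource.name": resource_name, "resource.type": resource_type}
    for clause in expression.split(" && "):
        m = _CLAUSE.match(clause.strip())
        if m:
            if attrs[m.group(1)] != m.group(2):
                return False
            continue
        m = _EXPIRY.match(clause.strip())
        if m:
            if now >= datetime.fromisoformat(m.group(1).replace("Z", "+00:00")):
                return False
            continue
        raise ValueError(f"unsupported condition clause: {clause!r}")
    return True


def connectable_instances(policy: dict, member: str, project_id: str,
                          instance_ids: List[str], now: datetime) -> List[str]:
    """Instances the member can connect to: any connect-capable role binding that
    either has no condition (applies project-wide) or whose condition holds."""
    out = []
    for iid in instance_ids:
        name = f"projects/{project_id}/instances/{iid}"
        for b in policy.get("bindings", []):
            if b.get("role") not in ROLES_WITH_CONNECT or member not in b.get("members", []):
                continue
            cond = b.get("condition")
            if cond is None or condition_holds(cond["expression"], name, INSTANCE_TYPE, now):
                out.append(iid)
                break
    return out


# Constructed sample policy, shaped like `gcloud projects get-iam-policy --format=json` output.
PROJECT_ID = "example-project"
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXexampleEtag=",
    "bindings": [
        {"role": CLIENT_ROLE,
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/cloudsql.viewer", "members": ["user:analyst@example.com"]},
    ],
}
INSTANCES = ["prod-db", "dev-db", "test-db"]
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    updated = add_scoped_client_binding(SAMPLE_POLICY, PROJECT_ID, "dev-db",
                                        "ci@example-project.iam.gserviceaccount.com",
                                        expires="2024-02-01T00:00:00Z")
    for member in ("serviceAccount:app@example-project.iam.gserviceaccount.com",
                   "serviceAccount:ci@example-project.iam.gserviceaccount.com",
                   "user:analyst@example.com"):
        print(member, "->", connectable_instances(updated, member, PROJECT_ID, INSTANCES, NOW))
```

Run against the sample policy, the unconditional app service account reaches every instance, the conditioned ci service account reaches only dev-db and loses even that once the expiry passes, and the viewer reaches none; in a real project the audit should be fed the output of gcloud projects get-iam-policy and the instance list from gcloud sql instances list.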

What's next