Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Cloud SQL IAM roles and permissions. For a detailed description of Google Cloud IAM, see the IAM documentation.
Cloud SQL provides a set of predefined roles designed to help you control access to your Cloud SQL resources. You can also create your own custom roles, if the predefined roles do not provide the sets of permissions you need. In addition, the legacy basic roles (Editor, Viewer, and Owner) are also still available to you, although they do not provide the same fine-grained control as the Cloud SQL roles. In particular, the basic roles provide access to resources across Google Cloud, rather than just for Cloud SQL. For more information about basic roles, see Basic roles.
You can set an IAM policy at any level in the resource hierarchy: the organization level, the folder level, the project level, or the resource level. Resources inherit the policies of all of their parent resources.
IAM references for Cloud SQL
- Required permissions for common tasks in the Cloud console.
- Required permissions for
- Required permissions for Cloud SQL Admin API methods.
- Predefined Cloud SQL IAM roles.
- Permissions and their roles.
- Custom roles.
About IAM Conditions
Cloud SQL also supports IAM Conditions, which can refine roles and permissions at the level on individual Cloud SQL resources, such as instances within a project. You can add a condition as a property of an IAM policy binding to specify a subset of instances that members can access.
IAM Conditions lets you grant roles based on a variety of attributes. For example, you can allow access only at certain dates and times or grant access only to Cloud SQL resources with certain names.
Learn more about Using IAM Conditions with Cloud SQL, including examples.
For more information about IAM Conditions, see the Overview of IAM Conditions page.