Cloud SQL roles

Predefined Cloud SQL IAM roles

Cloud SQL provides several predefined roles that you can use to grant finer-grained permissions to project members.

The role you grant to a project member controls what actions the member can take. Project members can be individuals, groups, or service accounts. You can grant multiple roles to the same project member, and you can change the roles granted to a project member at any time, provided you have the permissions to do so.

The broader roles include the more narrowly defined roles. For example, the Cloud SQL Editor role includes all of the permissions of the Cloud SQL Viewer role, along with the additional permissions of the Cloud SQL Editor role.

Likewise, the Cloud SQL Admin role includes all of the permissions of the Cloud SQL Editor role, along with its additional permissions.

The basic roles (Owner, Editor, Viewer) provide permissions across Google Cloud. The roles specific to Cloud SQL provide only Cloud SQL permissions, except for the following Google Cloud permissions, which are needed for general Google Cloud usage:

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.use

The following entries list the predefined roles available for Cloud SQL, along with their Cloud SQL permissions. Each entry gives the role ID, its display name, a description, and the Cloud SQL permissions it grants; a wildcard such as cloudsql.*.get stands for every permission that matches it.

Role: roles/owner
Name: Owner
Description: Full access and control for all Google Cloud resources; manage user access.
Cloud SQL permissions:
  • cloudsql.*

Role: roles/editor
Name: Editor
Description: Read-write access to all Google Cloud and Cloud SQL resources (full control except for the ability to modify permissions).
Cloud SQL permissions:
  • All cloudsql permissions except cloudsql.*.getIamPolicy and cloudsql.*.setIamPolicy

Role: roles/viewer
Name: Viewer
Description: Read-only access to all Google Cloud resources, including Cloud SQL resources.
Cloud SQL permissions:
  • cloudsql.*.export
  • cloudsql.*.get
  • cloudsql.*.list

Role: roles/cloudsql.admin
Name: Cloud SQL Admin
Description: Full control for all Cloud SQL resources.
Cloud SQL permissions:
  • cloudsql.*
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.*
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.*

Role: roles/cloudsql.editor
Name: Cloud SQL Editor
Description: Manage Cloud SQL resources. No ability to see or modify permissions, nor to modify users or SSL certificates. No ability to import data or restore from a backup, nor to clone, delete, or promote instances. No ability to start or stop replicas. No ability to delete databases, replicas, or backups.
Cloud SQL permissions:
  • cloudsql.instances.addServerCa
  • cloudsql.instances.connect
  • cloudsql.instances.export
  • cloudsql.instances.failover
  • cloudsql.instances.get
  • cloudsql.instances.list
  • cloudsql.instances.listServerCas
  • cloudsql.instances.restart
  • cloudsql.instances.rotateServerCa
  • cloudsql.instances.truncateLog
  • cloudsql.instances.update
  • cloudsql.databases.create
  • cloudsql.databases.get
  • cloudsql.databases.list
  • cloudsql.databases.update
  • cloudsql.backupRuns.create
  • cloudsql.backupRuns.get
  • cloudsql.backupRuns.list
  • cloudsql.sslCerts.get
  • cloudsql.sslCerts.list
  • cloudsql.users.list
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.get
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.list
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.update
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.get
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.list
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.update

Role: roles/cloudsql.viewer
Name: Cloud SQL Viewer
Description: Read-only access to all Cloud SQL resources.
Cloud SQL permissions:
  • cloudsql.*.export
  • cloudsql.*.get
  • cloudsql.*.list
  • cloudsql.instances.listServerCas
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.get
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.list
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.get
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.list

Role: roles/cloudsql.client
Name: Cloud SQL Client
Description: Connectivity access to Cloud SQL instances from App Engine and the Cloud SQL Auth proxy. Not required for accessing an instance using IP addresses.
Cloud SQL permissions:
  • cloudsql.instances.connect
  • cloudsql.instances.get

Role: roles/cloudsql.instanceUser
Name: Cloud SQL Instance User
Description: Allows login access to a Cloud SQL instance.
Cloud SQL permissions:
  • cloudsql.instances.get
  • cloudsql.instances.login

Permissions and their roles

The following table lists each permission that Cloud SQL supports, the Cloud SQL roles that include it, and the least-privileged basic role that includes it (N/A where none is listed). In the Cloud SQL roles column, Admin, Editor, Viewer, Client, and Instance User stand for the Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer, Cloud SQL Client, and Cloud SQL Instance User roles.

Permission                                                    Cloud SQL roles                 Basic role
cloudsql.backupRuns.create                                    Admin, Editor                   Editor
cloudsql.backupRuns.delete                                    Admin                           Editor
cloudsql.backupRuns.get                                       Admin, Editor, Viewer           Viewer
cloudsql.backupRuns.list                                      Admin, Editor, Viewer           Viewer
cloudsql.databases.create                                     Admin, Editor                   Editor
cloudsql.databases.delete                                     Admin                           Editor
cloudsql.databases.get                                        Admin, Editor, Viewer           Viewer
cloudsql.databases.getIamPolicy                               Admin                           Owner
cloudsql.databases.list                                       Admin, Editor, Viewer           Viewer
cloudsql.databases.setIamPolicy                               Admin                           Owner
cloudsql.databases.update                                     Admin, Editor                   Editor
cloudsql.instances.addServerCa                                Admin, Editor                   Editor
cloudsql.instances.clone                                      Admin                           Editor
cloudsql.instances.connect                                    Admin, Client, Editor           Editor
cloudsql.instances.create                                     Admin                           Editor
cloudsql.instances.delete                                     Admin                           Editor
cloudsql.instances.demoteMaster                               Admin                           Editor
cloudsql.instances.export                                     Admin, Editor, Viewer           Viewer
cloudsql.instances.failover                                   Admin, Editor                   Editor
cloudsql.instances.get                                        Admin, Client, Editor, Viewer   Viewer
cloudsql.instances.getIamPolicy                               Admin                           Owner
cloudsql.instances.import                                     Admin                           Editor
cloudsql.instances.list                                       Admin, Editor, Viewer           Viewer
cloudsql.instances.listServerCas                              Admin, Editor, Viewer           Viewer
cloudsql.instances.login                                      Admin, Instance User            N/A
cloudsql.instances.promoteReplica                             Admin                           Editor
cloudsql.instances.resetSslConfig                             Admin                           Editor
cloudsql.instances.restart                                    Admin, Editor                   Editor
cloudsql.instances.restoreBackup                              Admin                           Editor
cloudsql.instances.rotateServerCa                             Admin, Editor                   Editor
cloudsql.instances.setIamPolicy                               Admin                           Owner
cloudsql.instances.startReplica                               Admin                           Editor
cloudsql.instances.stopReplica                                Admin                           Editor
cloudsql.instances.truncateLog                                Admin, Editor                   Editor
cloudsql.instances.update                                     Admin, Editor                   Editor
cloudsql.sslCerts.create                                      Admin                           Editor
cloudsql.sslCerts.delete                                      Admin                           Editor
cloudsql.sslCerts.get                                         Admin, Editor, Viewer           Viewer
cloudsql.sslCerts.list                                        Admin, Editor, Viewer           Viewer
cloudsql.users.create                                         Admin                           Editor
cloudsql.users.delete                                         Admin                           Editor
cloudsql.users.list                                           Admin, Editor, Viewer           Viewer
cloudsql.users.update                                         Admin                           Editor
recommender.cloudsqlInstanceDiskUsageTrendInsights.get        Admin, Editor, Viewer           N/A
recommender.cloudsqlInstanceDiskUsageTrendInsights.list       Admin, Editor, Viewer           N/A
recommender.cloudsqlInstanceDiskUsageTrendInsights.update     Admin, Editor                   N/A
recommender.cloudsqlInstanceOutOfDiskRecommendations.get      Admin, Editor, Viewer           N/A
recommender.cloudsqlInstanceOutOfDiskRecommendations.list     Admin, Editor, Viewer           N/A
recommender.cloudsqlInstanceOutOfDiskRecommendations.update   Admin, Editor                   N/A

Custom roles

If the predefined roles do not address your requirements, IAM lets you define custom roles with exactly the permissions you specify.

When you create a custom role for Cloud SQL, make sure that if you include either cloudsql.instances.list or cloudsql.instances.get, you include both. Otherwise, the Google Cloud console will not function correctly for Cloud SQL.
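The following Python script is an added example, not code from the Cloud SQL documentation. It encodes the role and permission tables above as data, expands the page's wildcard notation (for example cloudsql.*.get) into concrete permissions, checks the inclusion claims made earlier (Cloud SQL Editor includes Cloud SQL Viewer, Cloud SQL Admin includes Cloud SQL Editor), picks the narrowest Cloud SQL-specific predefined role that covers a required permission set, and applies the get/list rule above to a proposed custom role. The IAM role IDs and permission names are the page's; the function names, the pattern representation, and the decision to leave out the recommender.* permissions are this example's own.

```python
"""Model of the Cloud SQL predefined roles described on this page.

Added example, not part of the Cloud SQL documentation. The permission and
role data below is transcribed from the two tables above; the recommender.*
permissions are left out to keep the model short.
"""
import fnmatch

# Concrete Cloud SQL permissions from the "Permissions and their roles" table.
CLOUDSQL_PERMISSIONS = frozenset(
    f"cloudsql.{resource}.{verb}"
    for resource, verbs in {
        "backupRuns": "create delete get list",
        "databases": "create delete get getIamPolicy list setIamPolicy update",
        "instances": "addServerCa clone connect create delete demoteMaster export "
                     "failover get getIamPolicy import list listServerCas login "
                     "promoteReplica resetSslConfig restart restoreBackup "
                     "rotateServerCa setIamPolicy startReplica stopReplica "
                     "truncateLog update",
        "sslCerts": "create delete get list",
        "users": "create delete list update",
    }.items()
    for verb in verbs.split()
)

# Predefined roles as (include patterns, exclude patterns), using the same
# wildcard notation the page uses ("cloudsql.*.get"). Cloud SQL Editor is
# spelled out because the page lists its permissions individually.
ROLES = {
    "roles/cloudsql.admin": (["cloudsql.*"], []),
    "roles/cloudsql.editor": ([
        "cloudsql.instances.addServerCa", "cloudsql.instances.connect",
        "cloudsql.instances.export", "cloudsql.instances.failover",
        "cloudsql.instances.get", "cloudsql.instances.list",
        "cloudsql.instances.listServerCas", "cloudsql.instances.restart",
        "cloudsql.instances.rotateServerCa", "cloudsql.instances.truncateLog",
        "cloudsql.instances.update", "cloudsql.databases.create",
        "cloudsql.databases.get", "cloudsql.databases.list",
        "cloudsql.databases.update", "cloudsql.backupRuns.create",
        "cloudsql.backupRuns.get", "cloudsql.backupRuns.list",
        "cloudsql.sslCerts.get", "cloudsql.sslCerts.list", "cloudsql.users.list",
    ], []),
    "roles/cloudsql.viewer": (["cloudsql.*.export", "cloudsql.*.get", "cloudsql.*.list",
                               "cloudsql.instances.listServerCas"], []),
    "roles/cloudsql.client": (["cloudsql.instances.connect", "cloudsql.instances.get"], []),
    "roles/cloudsql.instanceUser": (["cloudsql.instances.get", "cloudsql.instances.login"], []),
    # Basic roles, Cloud SQL part only: they also grant permissions on every
    # other Google Cloud service, so they are never a least-privilege choice.
    "roles/owner": (["cloudsql.*"], []),
    "roles/editor": (["cloudsql.*"], ["cloudsql.*.getIamPolicy", "cloudsql.*.setIamPolicy"]),
    "roles/viewer": (["cloudsql.*.export", "cloudsql.*.get", "cloudsql.*.list"], []),
}


def _matches(permission, patterns):
    return any(fnmatch.fnmatchcase(permission, p) for p in patterns)


def expand(role):
    """Concrete Cloud SQL permissions granted by a role."""
    include, exclude = ROLES[role]
    return frozenset(p for p in CLOUDSQL_PERMISSIONS
                     if _matches(p, include) and not _matches(p, exclude))


def includes(broader, narrower):
    """True if every permission of `narrower` is also granted by `broader`."""
    return expand(broader) >= expand(narrower)


def smallest_predefined_role(required):
    """Narrowest Cloud SQL-specific predefined role covering `required`.

    Basic roles are deliberately not candidates. Returns None when no
    predefined role fits and a custom role is needed.
    """
    required = frozenset(required)
    unknown = required - CLOUDSQL_PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    candidates = [r for r in ROLES if r.startswith("roles/cloudsql.")]
    for role in sorted(candidates, key=lambda r: (len(expand(r)), r)):
        if expand(role) >= required:
            return role
    return None


def validate_custom_role(permissions):
    """Problems with a custom-role permission list; an empty list means OK."""
    perms = set(permissions)
    problems = [f"unknown permission: {p}"
                for p in sorted(perms - CLOUDSQL_PERMISSIONS)]
    pair = {"cloudsql.instances.get", "cloudsql.instances.list"}
    if len(perms & pair) == 1:  # one without the other breaks the console
        problems.append("grant cloudsql.instances.get and cloudsql.instances.list together")
    return problems


if __name__ == "__main__":
    print("editor ⊇ viewer:", includes("roles/cloudsql.editor", "roles/cloudsql.viewer"))
    print("admin ⊇ editor:", includes("roles/cloudsql.admin", "roles/cloudsql.editor"))
    print("editor-only:", sorted(expand("roles/cloudsql.editor") - expand("roles/cloudsql.viewer")))
    print(smallest_predefined_role({"cloudsql.instances.connect", "cloudsql.instances.get"}))
    print(validate_custom_role(["cloudsql.instances.get", "cloudsql.backupRuns.list"]))
```

Feeding a workload's actual permission needs to smallest_predefined_role gives the least-privileged predefined role to bind (Cloud SQL Client for proxy connections, Cloud SQL Instance User for IAM database login); it never returns a basic role, because those carry permissions on every other service in the project as well. validate_custom_role is the check to run on a custom role definition before creating it.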