Project Access Control

This page describes how you can control Cloud SQL project access and permissions using Identity and Access Management (IAM).

Overview

Google Cloud Platform offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. This page describes the Cloud SQL IAM roles and permissions. For a detailed description of GCP IAM, see the IAM documentation.

Cloud SQL provides a set of predefined roles designed to help you easily control access to your Cloud SQL resources. You can also create your own custom roles if the predefined roles do not provide the sets of permissions you need. The legacy primitive roles (Editor, Viewer, and Owner) are also still available to you, although they do not provide the same fine-grained control as the Cloud SQL roles. In particular, the primitive roles provide access to resources across Google Cloud Platform, rather than just for Cloud SQL. For more information about primitive roles, see Primitive roles.

Permissions and roles

This section summarizes the permissions and roles Cloud SQL supports.

Predefined roles

Cloud SQL provides some predefined roles you can use to provide finer-grained permissions to project members. The role you grant to a project member controls what actions the member can take. Project members can be individuals, groups, or service accounts.

You can grant multiple roles to the same project member, and you can change the roles granted to a project member at any time, provided you have the permissions to do so.

The broader roles include the more narrowly defined roles. For example, the Cloud SQL Editor role includes all of the permissions of the Cloud SQL Viewer role, along with the additional permissions of the Cloud SQL Editor role. Likewise, the Cloud SQL Admin role includes all of the permissions of the Cloud SQL Editor role, along with its own additional permissions.

The primitive roles (Owner, Editor, Viewer) provide permissions across Google Cloud Platform. The roles specific to Cloud SQL provide only Cloud SQL permissions, except for the following GCP permissions, which are needed for general GCP usage:

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get

The following table lists the predefined roles available for Cloud SQL, along with their Cloud SQL permissions:

| Role | Name | Cloud SQL permissions | Description |
|---|---|---|---|
| roles/owner | Owner | cloudsql.* | Full access and control for all Google Cloud Platform resources; manage user access |
| roles/writer | Editor | All cloudsql permissions except for cloudsql.*.getIamPolicy and cloudsql.*.setIamPolicy | Read-write access to all Google Cloud Platform and Cloud SQL resources (full control except for the ability to modify permissions) |
| roles/reader | Viewer | cloudsql.*.export, cloudsql.*.get, cloudsql.*.list | Read-only access to all Google Cloud Platform resources, including Cloud SQL resources |
| roles/cloudsql.admin | Cloud SQL Admin | cloudsql.* | Full control for all Cloud SQL resources. |
| roles/cloudsql.editor | Cloud SQL Editor | cloudsql.instances.addServerCa, cloudsql.instances.connect, cloudsql.instances.export, cloudsql.instances.failover, cloudsql.instances.get, cloudsql.instances.list, cloudsql.instances.listServerCa, cloudsql.instances.restart, cloudsql.instances.rotateServerCa, cloudsql.instances.truncateLog, cloudsql.instances.update, cloudsql.databases.create, cloudsql.databases.get, cloudsql.databases.list, cloudsql.databases.update, cloudsql.backupRuns.create, cloudsql.backupRuns.get, cloudsql.backupRuns.list, cloudsql.sslCerts.get, cloudsql.sslCerts.list, cloudsql.users.list | Manage specific instances. No ability to see or modify permissions, nor to modify users or sslCerts. No ability to import data or restore from a backup, nor to clone, delete, or promote instances. No ability to start or stop replicas. No ability to delete databases, replicas, or backups. |
| roles/cloudsql.viewer | Cloud SQL Viewer | cloudsql.*.export, cloudsql.*.get, cloudsql.*.list, cloudsql.instances.listServerCa | Read-only access to all Cloud SQL resources. |
| roles/cloudsql.client | Cloud SQL Client | cloudsql.instances.connect, cloudsql.instances.get | Connectivity access to Cloud SQL instances from App Engine and the Cloud SQL Proxy. Not required for accessing an instance using IP addresses. |

Permissions and their roles

The following table lists each permission that Cloud SQL supports, the Cloud SQL roles that include it, and its legacy (primitive) role.

| Permission | Cloud SQL roles | Legacy role |
|---|---|---|
| cloudsql.backupRuns.create | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.backupRuns.delete | Cloud SQL Admin | Editor |
| cloudsql.backupRuns.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.backupRuns.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.databases.create | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.databases.delete | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.databases.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.databases.getIamPolicy | Cloud SQL Admin | Owner |
| cloudsql.databases.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.databases.setIamPolicy | Cloud SQL Admin | Owner |
| cloudsql.databases.update | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.instances.addServerCa | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.instances.clone | Cloud SQL Admin | Editor |
| cloudsql.instances.connect | Cloud SQL Admin, Cloud SQL Client, Cloud SQL Editor | Editor |
| cloudsql.instances.create | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.instances.delete | Cloud SQL Admin | Editor |
| cloudsql.instances.demoteMaster | Cloud SQL Admin | Editor |
| cloudsql.instances.export | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.instances.failover | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.instances.get | Cloud SQL Admin, Cloud SQL Client, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.instances.getIamPolicy | Cloud SQL Admin | Owner |
| cloudsql.instances.import | Cloud SQL Admin | Editor |
| cloudsql.instances.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.instances.listServerCa | Cloud SQL Viewer | Viewer |
| cloudsql.instances.promoteReplica | Cloud SQL Admin | Editor |
| cloudsql.instances.resetSslConfig | Cloud SQL Admin | Editor |
| cloudsql.instances.restart | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.instances.restoreBackup | Cloud SQL Admin | Editor |
| cloudsql.instances.rotateServerCa | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.instances.setIamPolicy | Cloud SQL Admin | Owner |
| cloudsql.instances.startReplica | Cloud SQL Admin | Editor |
| cloudsql.instances.stopReplica | Cloud SQL Admin | Editor |
| cloudsql.instances.truncateLog | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.instances.update | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.sslCerts.create | Cloud SQL Admin | Editor |
| cloudsql.sslCerts.delete | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.sslCerts.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.sslCerts.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.users.create | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.users.delete | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.users.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.users.update | Cloud SQL Admin | Editor |

Custom roles

If the predefined roles do not address your unique business requirements, you can define your own custom roles with exactly the permissions that you specify, using IAM custom roles.

When you create custom roles for Cloud SQL, make sure that if you include either cloudsql.instances.list or cloudsql.instances.get, you include both. Otherwise, the GCP Console will not function correctly for Cloud SQL.

Required permissions for common tasks in the GCP Console

| Task | Required additional permissions |
|---|---|
| Displaying the instance listing page | cloudsql.instances.list, resourcemanager.projects.get |
| Creating an instance | cloudsql.instances.create, cloudsql.instances.get, cloudsql.instances.list, resourcemanager.projects.get |
| Connecting to an instance from the Cloud Shell | cloudsql.instances.get, cloudsql.instances.list, cloudsql.instances.update, resourcemanager.projects.get |
| Creating a user | cloudsql.instances.get, cloudsql.instances.list, cloudsql.users.create, cloudsql.users.list, resourcemanager.projects.get |
| Viewing instance information | cloudsql.instances.get, cloudsql.instances.list, cloudsql.users.list, monitoring.timeSeries.list, resourcemanager.projects.get |

Required permissions for gcloud sql commands

| Command | Required permissions |
|---|---|
| gcloud sql backups create | cloudsql.backupRuns.create |
| gcloud sql backups delete | cloudsql.backupRuns.delete |
| gcloud sql backups describe | cloudsql.backupRuns.get |
| gcloud sql backups list | cloudsql.backupRuns.list |
| gcloud sql backups restore | cloudsql.backupRuns.get, cloudsql.instances.restoreBackup |
| gcloud sql connect | cloudsql.instances.get, cloudsql.instances.update |
| gcloud sql databases create | cloudsql.databases.create |
| gcloud sql databases delete | cloudsql.databases.delete |
| gcloud sql databases describe | cloudsql.databases.get |
| gcloud sql databases list | cloudsql.databases.list |
| gcloud sql databases patch | cloudsql.databases.get, cloudsql.databases.update |
| gcloud sql export | cloudsql.instances.export |
| gcloud sql flags list | None |
| gcloud sql import | cloudsql.instances.import |
| gcloud sql instances clone | cloudsql.instances.clone |
| gcloud sql instances create | cloudsql.instances.create |
| gcloud sql instances delete | cloudsql.instances.delete |
| gcloud sql instances describe | cloudsql.instances.get |
| gcloud sql instances export | cloudsql.instances.export |
| gcloud sql instances failover | cloudsql.instances.failover |
| gcloud sql instances import | cloudsql.instances.import |
| gcloud sql instances list | cloudsql.instances.list |
| gcloud sql instances patch | cloudsql.instances.get, cloudsql.instances.update |
| gcloud sql instances promote-replica | cloudsql.instances.promoteReplica |
| gcloud sql instances reset-ssl-config | cloudsql.instances.resetSslConfig |
| gcloud sql instances restart | cloudsql.instances.restart |
| gcloud sql instances restore-backup | cloudsql.backupRuns.get, cloudsql.instances.restoreBackup |
| gcloud sql operations describe | cloudsql.instances.get |
| gcloud sql operations list | cloudsql.instances.get |
| gcloud sql operations wait | cloudsql.instances.get |
| gcloud sql ssl client-certs create | cloudsql.sslCerts.create |
| gcloud sql ssl client-certs delete | cloudsql.sslCerts.delete |
| gcloud sql ssl client-certs describe | cloudsql.sslCerts.list |
| gcloud sql ssl client-certs list | cloudsql.sslCerts.list |
| gcloud sql tiers list | None |
| gcloud sql users create | cloudsql.users.create |
| gcloud sql users delete | cloudsql.users.delete |
| gcloud sql users list | cloudsql.users.list |
| gcloud sql users set-password | cloudsql.users.update |

Required permissions for API methods

The following table lists the permissions that the caller must have to call each method in the Cloud SQL API, or to perform tasks using GCP tools that use the API (such as the Google Cloud Platform Console or the gcloud command line tool).

All permissions are applied to the project. You cannot apply different permissions based on the instance or other lower-level object.

| Method | Required permissions |
|---|---|
| backupRuns.delete | cloudsql.backupRuns.delete |
| backupRuns.get | cloudsql.backupRuns.get |
| backupRuns.insert | cloudsql.backupRuns.create |
| backupRuns.list | cloudsql.backupRuns.list |
| databases.delete | cloudsql.databases.delete |
| databases.get | cloudsql.databases.get |
| databases.insert | cloudsql.databases.create |
| databases.list | cloudsql.databases.list |
| databases.patch | cloudsql.databases.update, cloudsql.databases.get |
| databases.update | cloudsql.databases.update |
| flags.list | None |
| instances.clone | cloudsql.instances.clone |
| instances.delete | cloudsql.instances.delete |
| instances.export | cloudsql.instances.get |
| instances.failover | cloudsql.instances.failover |
| instances.get | cloudsql.instances.export |
| instances.import | cloudsql.instances.import |
| instances.insert | cloudsql.instances.create |
| instances.list | cloudsql.instances.list |
| instances.patch | cloudsql.instances.get, cloudsql.instances.update |
| instances.promoteReplica | cloudsql.instances.promoteReplica |
| instances.resetSslConfig | cloudsql.instances.resetSslConfig |
| instances.restart | cloudsql.instances.restart |
| instances.restoreBackup | cloudsql.instances.restoreBackup, cloudsql.backupRuns.get |
| instances.startReplica | cloudsql.instances.startReplica |
| instances.stopReplica | cloudsql.instances.stopReplica |
| instances.truncateLog | cloudsql.instances.truncateLog |
| instances.update | cloudsql.instances.update |
| operations.get | cloudsql.instances.get |
| operations.list | cloudsql.instances.get |
| sslCerts.delete | cloudsql.sslCerts.delete |
| sslCerts.get | cloudsql.sslCerts.get |
| sslCerts.insert | cloudsql.sslCerts.create |
| sslCerts.list | cloudsql.sslCerts.list |
| users.delete | cloudsql.users.delete |
| users.insert | cloudsql.users.create |
| users.list | cloudsql.users.list |
| users.update | cloudsql.users.update |

Managing Cloud SQL for PostgreSQL IAM

You can get and set IAM policies and roles using the Google Cloud Platform Console, the IAM methods of the API, or the Cloud SDK. For more information, see Granting, Changing, and Revoking Access to Project Members.
