Predefined Cloud SQL IAM roles
Cloud SQL provides some predefined roles you can use to provide finer-grained permissions to project members.
The role you grant to a project member controls what actions the member can take. Project members can be individuals, groups, or service accounts. You can grant multiple roles to the same project member, and you can change the roles granted to a project member at any time, provided you have the permissions to do so.
The broader roles include the more narrowly defined roles. For example, the Cloud SQL Editor role includes all of the permissions of the Cloud SQL Viewer role plus its own additional permissions. Likewise, the Cloud SQL Admin role includes all of the permissions of the Cloud SQL Editor role plus its own additional permissions.
The basic roles (Owner, Editor, Viewer) provide permissions across Google Cloud. The roles specific to Cloud SQL provide only Cloud SQL permissions, except for the following Google Cloud permissions, which are needed for general Google Cloud usage:
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.use
The following table lists the predefined roles available for Cloud SQL, along with their Cloud SQL permissions:

Role | Description | Cloud SQL permissions
---|---|---
roles/owner (Owner) | Full access and control for all Google Cloud resources; manage user access. | cloudsql.*
roles/editor (Editor) | Read-write access to all Google Cloud and Cloud SQL resources (full control except for the ability to modify permissions). | All cloudsql permissions except cloudsql.*.getIamPolicy and cloudsql.*.setIamPolicy
roles/viewer (Viewer) | Read-only access to all Google Cloud resources, including Cloud SQL resources. | cloudsql.*.export, cloudsql.*.get, cloudsql.*.list
roles/cloudsql.admin (Cloud SQL Admin) | Full control for all Cloud SQL resources. | cloudsql.*, recommender.cloudsqlInstanceDiskUsageTrendInsights.*, recommender.cloudsqlInstanceOutOfDiskRecommendations.*, recommender.cloudsqlInstancePerformanceInsights.*, recommender.cloudsqlInstancePerformanceRecommendations.*, recommender.cloudsqlUnderProvisionedInstanceRecommendations.*, recommender.cloudsqlInstanceOomProbabilityInsights.*, recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.*, recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.*
roles/cloudsql.editor (Cloud SQL Editor) | Manage Cloud SQL resources. No ability to see or modify permissions, nor to modify users or SSL certificates. No ability to import data or restore from a backup, nor to clone, delete, or promote instances. No ability to start or stop replicas. No ability to delete databases, replicas, or backups. | cloudsql.instances.addServerCa, cloudsql.instances.addServerCertificate, cloudsql.instances.connect, cloudsql.instances.export, cloudsql.instances.failover, cloudsql.instances.get, cloudsql.instances.list, cloudsql.instances.listServerCas, cloudsql.instances.listServerCertificates, cloudsql.instances.migrate, cloudsql.instances.reencrypt, cloudsql.instances.restart, cloudsql.instances.rotateServerCa, cloudsql.instances.rotateServerCertificate, cloudsql.instances.truncateLog, cloudsql.instances.update, cloudsql.databases.create, cloudsql.databases.get, cloudsql.databases.list, cloudsql.databases.update, cloudsql.backupRuns.create, cloudsql.backupRuns.get, cloudsql.backupRuns.list, cloudsql.schemas.view, cloudsql.sslCerts.get, cloudsql.sslCerts.list, cloudsql.users.list, recommender.cloudsqlInstanceDiskUsageTrendInsights.get, recommender.cloudsqlInstanceDiskUsageTrendInsights.list, recommender.cloudsqlInstanceDiskUsageTrendInsights.update, recommender.cloudsqlInstanceOutOfDiskRecommendations.get, recommender.cloudsqlInstanceOutOfDiskRecommendations.list, recommender.cloudsqlInstanceOutOfDiskRecommendations.update, recommender.cloudsqlInstancePerformanceInsights.get, recommender.cloudsqlInstancePerformanceInsights.list, recommender.cloudsqlInstancePerformanceInsights.update, recommender.cloudsqlInstancePerformanceRecommendations.get, recommender.cloudsqlInstancePerformanceRecommendations.list, recommender.cloudsqlInstancePerformanceRecommendations.update, recommender.cloudsqlUnderProvisionedInstanceRecommendations.get, recommender.cloudsqlUnderProvisionedInstanceRecommendations.list, recommender.cloudsqlUnderProvisionedInstanceRecommendations.update, recommender.cloudsqlInstanceOomProbabilityInsights.get, recommender.cloudsqlInstanceOomProbabilityInsights.list, recommender.cloudsqlInstanceOomProbabilityInsights.update, recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get, recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list, recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.update, recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get, recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list, recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.update
roles/cloudsql.viewer (Cloud SQL Viewer) | Read-only access to all Cloud SQL resources. | cloudsql.*.export, cloudsql.*.get, cloudsql.*.list, cloudsql.instances.listServerCas, cloudsql.instances.listServerCertificates, recommender.cloudsqlInstanceOutOfDiskRecommendations.get, recommender.cloudsqlInstanceOutOfDiskRecommendations.list, recommender.cloudsqlInstanceDiskUsageTrendInsights.get, recommender.cloudsqlInstanceDiskUsageTrendInsights.list, recommender.cloudsqlInstancePerformanceInsights.get, recommender.cloudsqlInstancePerformanceInsights.list, recommender.cloudsqlInstancePerformanceRecommendations.get, recommender.cloudsqlInstancePerformanceRecommendations.list, recommender.cloudsqlUnderProvisionedInstanceRecommendations.get, recommender.cloudsqlUnderProvisionedInstanceRecommendations.list, recommender.cloudsqlInstanceOomProbabilityInsights.get, recommender.cloudsqlInstanceOomProbabilityInsights.list, recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get, recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list, recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get, recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list
roles/cloudsql.client (Cloud SQL Client) | Connectivity access to Cloud SQL instances from App Engine and the Cloud SQL Auth Proxy. Not required for accessing an instance using IP addresses. | cloudsql.instances.connect, cloudsql.instances.get
roles/cloudsql.instanceUser (Cloud SQL Instance User) | Role allowing access to a Cloud SQL instance. | cloudsql.instances.get, cloudsql.instances.login
roles/cloudsql.schemaViewer (Cloud SQL Schema Viewer) | Role allowing access to a Cloud SQL instance schema in Dataplex. | cloudsql.schemas.view
roles/cloudsql.studioUser (Cloud SQL Studio User) | Role allowing access to Cloud SQL Studio. | cloudsql.databases.list, cloudsql.instances.executeSql, cloudsql.instances.get, cloudsql.instances.login, cloudsql.users.list
Permissions and their roles
The following table lists each permission that Cloud SQL supports, the Cloud SQL roles that include it, and the lowest basic role that grants it.

Permission | Cloud SQL roles | Basic role
---|---|---
cloudsql.backupRuns.create | Cloud SQL Admin, Cloud SQL Editor | Editor
cloudsql.backupRuns.delete | Cloud SQL Admin | Editor
cloudsql.backupRuns.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer
cloudsql.backupRuns.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer
cloudsql.databases.create | Cloud SQL Admin, Cloud SQL Editor | Editor
cloudsql.databases.delete | Cloud SQL Admin | Editor
cloudsql.databases.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer
cloudsql.databases.getIamPolicy | Cloud SQL Admin | Owner
cloudsql.databases.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Studio User, Cloud SQL Viewer | Viewer
cloudsql.databases.setIamPolicy | Cloud SQL Admin | Owner
cloudsql.databases.update | Cloud SQL Admin, Cloud SQL Editor | Editor
cloudsql.instances.addServerCa | Cloud SQL Admin, Cloud SQL Editor | Editor
cloudsql.instances.addServerCertificate | Cloud SQL Admin, Cloud SQL Editor | Editor
cloudsql.instances.clone | Cloud SQL Admin | Editor
cloudsql.instances.connect | Cloud SQL Admin, Cloud SQL Client, Cloud SQL Editor | Editor
cloudsql.instances.create | Cloud SQL Admin | Editor
cloudsql.instances.delete | Cloud SQL Admin | Editor
cloudsql.instances.demoteMaster | Cloud SQL Admin | Editor
cloudsql.instances.executeSql | Cloud SQL Admin, Cloud SQL Studio User | Owner
cloudsql.instances.export | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer
cloudsql.instances.failover | Cloud SQL Admin, Cloud SQL Editor | Editor
cloudsql.instances.get | Cloud SQL Admin, Cloud SQL Client, Cloud SQL Editor, Cloud SQL Studio User, Cloud SQL Viewer | Viewer
cloudsql.instances.getIamPolicy | Cloud SQL Admin | Owner
cloudsql.instances.import | Cloud SQL Admin | Editor
cloudsql.instances.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer
cloudsql.instances.listServerCas | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer
cloudsql.instances.listServerCertificates | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer
cloudsql.instances.promoteReplica | Cloud SQL Admin | Editor
cloudsql.instances.resetSslConfig | Cloud SQL Admin | Editor
cloudsql.instances.reencrypt | Cloud SQL Admin, Cloud SQL Editor | Editor
cloudsql.instances.restart | Cloud SQL Admin, Cloud SQL Editor | Editor
cloudsql.instances.restoreBackup | Cloud SQL Admin | Editor
cloudsql.instances.rotateServerCa | Cloud SQL Admin, Cloud SQL Editor | Editor
cloudsql.instances.rotateServerCertificate | Cloud SQL Admin, Cloud SQL Editor | Editor
cloudsql.instances.setIamPolicy | Cloud SQL Admin | Owner
cloudsql.instances.startReplica | Cloud SQL Admin | Editor
cloudsql.instances.stopReplica | Cloud SQL Admin | Editor
cloudsql.instances.truncateLog | Cloud SQL Admin, Cloud SQL Editor | Editor
cloudsql.instances.update | Cloud SQL Admin, Cloud SQL Editor | Editor
cloudsql.schemas.view | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Schema Viewer | Viewer
cloudsql.sslCerts.create | Cloud SQL Admin | Editor
cloudsql.sslCerts.delete | Cloud SQL Admin | Editor
cloudsql.sslCerts.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer
cloudsql.sslCerts.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer
cloudsql.users.create | Cloud SQL Admin | Editor
cloudsql.users.delete | Cloud SQL Admin | Editor
cloudsql.users.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Studio User, Cloud SQL Viewer | Viewer
cloudsql.users.update | Cloud SQL Admin | Editor
recommender.cloudsqlInstanceDiskUsageTrendInsights.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A
recommender.cloudsqlInstanceDiskUsageTrendInsights.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A
recommender.cloudsqlInstanceDiskUsageTrendInsights.update | Cloud SQL Admin, Cloud SQL Editor | N/A
recommender.cloudsqlInstanceOutOfDiskRecommendations.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A
recommender.cloudsqlInstanceOutOfDiskRecommendations.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A
recommender.cloudsqlInstanceOutOfDiskRecommendations.update | Cloud SQL Admin, Cloud SQL Editor | N/A
recommender.cloudsqlInstancePerformanceInsights.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A
recommender.cloudsqlInstancePerformanceInsights.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A
recommender.cloudsqlInstancePerformanceInsights.update | Cloud SQL Admin, Cloud SQL Editor | N/A
recommender.cloudsqlInstancePerformanceRecommendations.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A
recommender.cloudsqlInstancePerformanceRecommendations.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A
recommender.cloudsqlInstancePerformanceRecommendations.update | Cloud SQL Admin, Cloud SQL Editor | N/A
recommender.cloudsqlInstanceOomProbabilityInsights.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A
recommender.cloudsqlInstanceOomProbabilityInsights.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A
recommender.cloudsqlInstanceOomProbabilityInsights.update | Cloud SQL Admin, Cloud SQL Editor | N/A
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.update | Cloud SQL Admin, Cloud SQL Editor | N/A
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.update | Cloud SQL Admin, Cloud SQL Editor | N/A
recommender.cloudsqlUnderProvisionedInstanceRecommendations.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A
recommender.cloudsqlUnderProvisionedInstanceRecommendations.update | Cloud SQL Admin, Cloud SQL Editor | N/A
Custom roles
If the predefined roles don't meet your requirements, IAM lets you define your own custom roles containing exactly the permissions you specify.
When you create custom roles for Cloud SQL, include both cloudsql.instances.list and cloudsql.instances.get if you include either one. Otherwise, the Google Cloud console won't function correctly for Cloud SQL.
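The following Python is an added example, not code from Google's documentation. It encodes the roles table and the permissions table above (the `cloudsql.*` permissions only; the `recommender.*` permissions are left out) and does the two checks a reviewer of a Cloud SQL IAM binding actually wants: given the permissions a workload needs, which predefined role is the smallest that covers them and how much a broader role such as the basic Editor role would grant beyond that, and whether a proposed custom role's permission list satisfies the get/list pairing rule in the custom-roles note. `cloudsql.instances.login` and `cloudsql.instances.migrate` are taken from the roles table because the per-permission table does not list them; the workload in the `__main__` block and the mistyped permission it checks are constructed for illustration.

```python
"""Least-privilege helper built from the Cloud SQL IAM tables on this page.

Added example, not Google code. Encodes the predefined roles and their cloudsql.*
permissions (recommender.* omitted) and answers two questions: which role is the
smallest that covers a workload's permission set, and whether a custom role
honours the cloudsql.instances.get / cloudsql.instances.list pairing rule.
"""
import fnmatch

# Every cloudsql.* permission named on this page, by resource family. 'login' and
# 'migrate' appear only in the roles table, not in the per-permission table.
_FAMILIES = {
    "backupRuns": "create delete get list",
    "databases": "create delete get getIamPolicy list setIamPolicy update",
    "instances": "addServerCa addServerCertificate clone connect create delete demoteMaster "
                 "executeSql export failover get getIamPolicy import list listServerCas "
                 "listServerCertificates login migrate promoteReplica reencrypt resetSslConfig "
                 "restart restoreBackup rotateServerCa rotateServerCertificate setIamPolicy "
                 "startReplica stopReplica truncateLog update",
    "schemas": "view",
    "sslCerts": "create delete get list",
    "users": "create delete list update",
}
# Cloud SQL Editor's explicit grant list from the roles table, in the same form.
_EDITOR = {
    "backupRuns": "create get list",
    "databases": "create get list update",
    "instances": "addServerCa addServerCertificate connect export failover get list listServerCas "
                 "listServerCertificates migrate reencrypt restart rotateServerCa "
                 "rotateServerCertificate truncateLog update",
    "schemas": "view",
    "sslCerts": "get list",
    "users": "list",
}

def _perms(families):
    return {f"cloudsql.{fam}.{v}" for fam, verbs in families.items() for v in verbs.split()}

PERMISSIONS = frozenset(_perms(_FAMILIES))

# (granted patterns, denied patterns, is_basic_role). Wildcards are written exactly as
# the page writes them; basic roles also grant non-Cloud SQL access across the project.
ROLES = {
    "roles/cloudsql.admin": (["cloudsql.*"], [], False),
    "roles/cloudsql.editor": (sorted(_perms(_EDITOR)), [], False),
    "roles/cloudsql.viewer": (["cloudsql.*.export", "cloudsql.*.get", "cloudsql.*.list",
                              "cloudsql.instances.listServerCas",
                              "cloudsql.instances.listServerCertificates"], [], False),
    "roles/cloudsql.client": (["cloudsql.instances.connect", "cloudsql.instances.get"], [], False),
    "roles/cloudsql.instanceUser": (["cloudsql.instances.get", "cloudsql.instances.login"], [], False),
    "roles/cloudsql.schemaViewer": (["cloudsql.schemas.view"], [], False),
    "roles/cloudsql.studioUser": (["cloudsql.databases.list", "cloudsql.instances.executeSql",
                                  "cloudsql.instances.get", "cloudsql.instances.login",
                                  "cloudsql.users.list"], [], False),
    "roles/owner": (["cloudsql.*"], [], True),
    "roles/editor": (["cloudsql.*"], ["cloudsql.*.getIamPolicy", "cloudsql.*.setIamPolicy"], True),
    "roles/viewer": (["cloudsql.*.export", "cloudsql.*.get", "cloudsql.*.list"], [], True),
}

def expand(patterns):
    """Resolve the page's wildcard patterns (e.g. cloudsql.*.get) against the known permissions."""
    out = set()
    for pat in patterns:
        if "*" in pat:
            out.update(p for p in PERMISSIONS if fnmatch.fnmatchcase(p, pat))
        else:
            out.add(pat)
    return out

def permissions_of(role):
    grant, deny, _ = ROLES[role]
    return expand(grant) - expand(deny)

def roles_covering(required):
    """Roles that grant every required permission: Cloud SQL-specific roles first, smallest first."""
    required = set(required)
    if required - PERMISSIONS:
        raise ValueError(f"not Cloud SQL permissions on this page: {sorted(required - PERMISSIONS)}")
    hits = [(ROLES[r][2], len(permissions_of(r)), r) for r in ROLES if required <= permissions_of(r)]
    return [(r, n) for _, n, r in sorted(hits)]

def excess(role, required):
    """What the role grants beyond the workload's needs, i.e. its over-privilege."""
    return permissions_of(role) - set(required)

def custom_role_issues(included):
    """Check a custom role's includedPermissions against the custom-roles note above."""
    perms = set(included)
    issues = [f"unknown permission: {p}" for p in sorted(perms - PERMISSIONS)]
    pair = {"cloudsql.instances.get", "cloudsql.instances.list"}
    if perms & pair and not pair <= perms:
        issues.append("grant cloudsql.instances.get and cloudsql.instances.list together, "
                      "or the Google Cloud console will not work for Cloud SQL")
    return issues

if __name__ == "__main__":
    need = {"cloudsql.instances.connect", "cloudsql.instances.get"}  # constructed: app behind the Auth Proxy
    for role, n in roles_covering(need):
        print(f"{role}: {n} Cloud SQL permissions, {len(excess(role, need))} beyond what the app needs")
    print(custom_role_issues(["cloudsql.instances.get", "cloudsql.instance.rotateServerCa"]))
```

For an application that only connects through the Cloud SQL Auth Proxy, `roles_covering` ranks Cloud SQL Client first with zero excess, while the basic Editor role would add more than forty unrelated Cloud SQL permissions, including instance deletion. The same expansion also confirms the nesting claim made earlier on this page: every permission Cloud SQL Viewer grants is also granted by Cloud SQL Editor.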