Cloud SQL roles

Predefined Cloud SQL IAM roles

Cloud SQL provides some predefined roles you can use to provide finer-grained permissions to project members.

The role you grant to a project member controls what actions the member can take. Project members can be individuals, groups, or service accounts. You can grant multiple roles to the same project member, and you can change the roles granted to a project member at any time, provided you have the permissions to do so.

The broader roles include the permissions of the more narrowly defined roles. For example, the Cloud SQL Editor role includes all of the permissions of the Cloud SQL Viewer role, plus additional permissions of its own.

Likewise, the Cloud SQL Admin role includes all of the permissions of the Cloud SQL Editor role, plus additional permissions of its own.

The basic roles (Owner, Editor, Viewer) provide permissions across Google Cloud. The roles specific to Cloud SQL provide only Cloud SQL permissions, except for the following Google Cloud permissions, which are needed for general Google Cloud usage:

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.use

The following table lists the predefined roles available for Cloud SQL, along with their Cloud SQL permissions:

roles/owner (Owner)
Description: Full access and control for all Google Cloud resources; manage user access.
Cloud SQL permissions:
  • cloudsql.*

roles/editor (Editor)
Description: Read-write access to all Google Cloud and Cloud SQL resources (full control except for the ability to modify permissions).
Cloud SQL permissions: all cloudsql permissions except for
  • cloudsql.*.getIamPolicy
  • cloudsql.*.setIamPolicy

roles/viewer (Viewer)
Description: Read-only access to all Google Cloud resources, including Cloud SQL resources.
Cloud SQL permissions:
  • cloudsql.*.export
  • cloudsql.*.get
  • cloudsql.*.list

roles/cloudsql.admin (Cloud SQL Admin)
Description: Full control for all Cloud SQL resources.
Cloud SQL permissions:
  • cloudsql.*
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.*
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.*
  • recommender.cloudsqlInstancePerformanceInsights.*
  • recommender.cloudsqlInstancePerformanceRecommendations.*
  • recommender.cloudsqlInstanceSecurityInsights.*
  • recommender.cloudsqlInstanceSecurityRecommendations.*
  • recommender.cloudsqlUnderProvisionedInstanceRecommendations.*
  • recommender.cloudsqlInstanceOomProbabilityInsights.*
  • recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.*
  • recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.*

roles/cloudsql.editor (Cloud SQL Editor)
Description: Manage Cloud SQL resources. No ability to see or modify permissions, nor to modify users or SSL certs. No ability to import data or restore from a backup, nor to clone, delete, or promote instances. No ability to start or stop replicas. No ability to delete databases, replicas, or backups.
Cloud SQL permissions:
  • cloudsql.instances.addServerCa
  • cloudsql.instances.addServerCertificate
  • cloudsql.instances.connect
  • cloudsql.instances.export
  • cloudsql.instances.failover
  • cloudsql.instances.get
  • cloudsql.instances.list
  • cloudsql.instances.listServerCas
  • cloudsql.instances.listServerCertificates
  • cloudsql.instances.migrate
  • cloudsql.instances.reencrypt
  • cloudsql.instances.restart
  • cloudsql.instances.rotateServerCa
  • cloudsql.instances.rotateServerCertificate
  • cloudsql.instances.truncateLog
  • cloudsql.instances.update
  • cloudsql.databases.create
  • cloudsql.databases.get
  • cloudsql.databases.list
  • cloudsql.databases.update
  • cloudsql.backupRuns.create
  • cloudsql.backupRuns.export
  • cloudsql.backupRuns.get
  • cloudsql.backupRuns.list
  • cloudsql.backupRuns.update
  • cloudsql.schemas.view
  • cloudsql.sslCerts.get
  • cloudsql.sslCerts.list
  • cloudsql.users.list
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.get
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.list
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.update
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.get
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.list
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.update
  • recommender.cloudsqlInstancePerformanceInsights.get
  • recommender.cloudsqlInstancePerformanceInsights.list
  • recommender.cloudsqlInstancePerformanceInsights.update
  • recommender.cloudsqlInstancePerformanceRecommendations.get
  • recommender.cloudsqlInstancePerformanceRecommendations.list
  • recommender.cloudsqlInstancePerformanceRecommendations.update
  • recommender.cloudsqlInstanceSecurityInsights.get
  • recommender.cloudsqlInstanceSecurityInsights.list
  • recommender.cloudsqlInstanceSecurityInsights.update
  • recommender.cloudsqlInstanceSecurityRecommendations.get
  • recommender.cloudsqlInstanceSecurityRecommendations.list
  • recommender.cloudsqlInstanceSecurityRecommendations.update
  • recommender.cloudsqlUnderProvisionedInstanceRecommendations.get
  • recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
  • recommender.cloudsqlUnderProvisionedInstanceRecommendations.update
  • recommender.cloudsqlInstanceOomProbabilityInsights.get
  • recommender.cloudsqlInstanceOomProbabilityInsights.list
  • recommender.cloudsqlInstanceOomProbabilityInsights.update
  • recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get
  • recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list
  • recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.update
  • recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get
  • recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list
  • recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.update

roles/cloudsql.viewer (Cloud SQL Viewer)
Description: Read-only access to all Cloud SQL resources.
Cloud SQL permissions:
  • cloudsql.*.export
  • cloudsql.*.get
  • cloudsql.*.list
  • cloudsql.instances.listServerCas
  • cloudsql.instances.listServerCertificates
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.get
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.list
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.get
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.list
  • recommender.cloudsqlInstancePerformanceInsights.get
  • recommender.cloudsqlInstancePerformanceInsights.list
  • recommender.cloudsqlInstancePerformanceRecommendations.get
  • recommender.cloudsqlInstancePerformanceRecommendations.list
  • recommender.cloudsqlInstanceSecurityInsights.get
  • recommender.cloudsqlInstanceSecurityInsights.list
  • recommender.cloudsqlInstanceSecurityRecommendations.get
  • recommender.cloudsqlInstanceSecurityRecommendations.list
  • recommender.cloudsqlUnderProvisionedInstanceRecommendations.get
  • recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
  • recommender.cloudsqlInstanceOomProbabilityInsights.get
  • recommender.cloudsqlInstanceOomProbabilityInsights.list
  • recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get
  • recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list
  • recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get
  • recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list

roles/cloudsql.client (Cloud SQL Client)
Description: Connectivity access to Cloud SQL instances from App Engine and the Cloud SQL Auth Proxy. Not required for accessing an instance using IP addresses.
Cloud SQL permissions:
  • cloudsql.instances.connect
  • cloudsql.instances.get

roles/cloudsql.instanceUser (Cloud SQL Instance User)
Description: Role allowing access to a Cloud SQL instance.
Cloud SQL permissions:
  • cloudsql.instances.get
  • cloudsql.instances.login

roles/cloudsql.schemaViewer (Cloud SQL Schema Viewer)
Description: Role allowing access to a Cloud SQL instance schema in Dataplex.
Cloud SQL permissions:
  • cloudsql.schemas.view

roles/cloudsql.studioUser (Cloud SQL Studio User)
Description: Role allowing access to Cloud SQL Studio.
Cloud SQL permissions:
  • cloudsql.databases.list
  • cloudsql.instances.executeSql
  • cloudsql.instances.get
  • cloudsql.instances.login
  • cloudsql.users.list

Permissions and their roles

The following table lists each permission that Cloud SQL supports, the Cloud SQL roles that include it, and its basic role.

| Permission | Cloud SQL roles | Basic role |
|---|---|---|
| cloudsql.backupRuns.update | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.backupRuns.create | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.backupRuns.delete | Cloud SQL Admin | Editor |
| cloudsql.backupRuns.export | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| cloudsql.backupRuns.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.backupRuns.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.databases.create | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.databases.delete | Cloud SQL Admin | Editor |
| cloudsql.databases.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.databases.getIamPolicy | Cloud SQL Admin | Owner |
| cloudsql.databases.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Studio User, Cloud SQL Viewer | Viewer |
| cloudsql.databases.setIamPolicy | Cloud SQL Admin | Owner |
| cloudsql.databases.update | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.instances.addServerCa | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.instances.addServerCertificate | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.instances.clone | Cloud SQL Admin | Editor |
| cloudsql.instances.connect | Cloud SQL Admin, Cloud SQL Client, Cloud SQL Editor | Editor |
| cloudsql.instances.create | Cloud SQL Admin | Editor |
| cloudsql.instances.delete | Cloud SQL Admin | Editor |
| cloudsql.instances.demoteMaster | Cloud SQL Admin | Editor |
| cloudsql.instances.executeSql | Cloud SQL Admin, Cloud SQL Studio User | Owner |
| cloudsql.instances.export | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.instances.failover | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.instances.get | Cloud SQL Admin, Cloud SQL Client, Cloud SQL Editor, Cloud SQL Studio User, Cloud SQL Viewer | Viewer |
| cloudsql.instances.getIamPolicy | Cloud SQL Admin | Owner |
| cloudsql.instances.import | Cloud SQL Admin | Editor |
| cloudsql.instances.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.instances.listServerCas | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.instances.listServerCertificates | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.instances.promoteReplica | Cloud SQL Admin | Editor |
| cloudsql.instances.resetSslConfig | Cloud SQL Admin | Editor |
| cloudsql.instances.reencrypt | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.instances.restart | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.instances.restoreBackup | Cloud SQL Admin | Editor |
| cloudsql.instances.rotateServerCa | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.instances.rotateServerCertificate | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.instances.setIamPolicy | Cloud SQL Admin | Owner |
| cloudsql.instances.startReplica | Cloud SQL Admin | Editor |
| cloudsql.instances.stopReplica | Cloud SQL Admin | Editor |
| cloudsql.instances.truncateLog | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.instances.update | Cloud SQL Admin, Cloud SQL Editor | Editor |
| cloudsql.schemas.view | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Schema Viewer | Viewer |
| cloudsql.sslCerts.create | Cloud SQL Admin | Editor |
| cloudsql.sslCerts.delete | Cloud SQL Admin | Editor |
| cloudsql.sslCerts.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.sslCerts.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | Viewer |
| cloudsql.users.create | Cloud SQL Admin | Editor |
| cloudsql.users.delete | Cloud SQL Admin | Editor |
| cloudsql.users.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Studio User, Cloud SQL Viewer | Viewer |
| cloudsql.users.update | Cloud SQL Admin | Editor |
| recommender.cloudsqlInstanceDiskUsageTrendInsights.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstanceDiskUsageTrendInsights.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstanceDiskUsageTrendInsights.update | Cloud SQL Admin, Cloud SQL Editor | N/A |
| recommender.cloudsqlInstanceOutOfDiskRecommendations.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstanceOutOfDiskRecommendations.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstanceOutOfDiskRecommendations.update | Cloud SQL Admin, Cloud SQL Editor | N/A |
| recommender.cloudsqlInstancePerformanceInsights.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstancePerformanceInsights.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstancePerformanceInsights.update | Cloud SQL Admin, Cloud SQL Editor | N/A |
| recommender.cloudsqlInstancePerformanceRecommendations.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstancePerformanceRecommendations.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstancePerformanceRecommendations.update | Cloud SQL Admin, Cloud SQL Editor | N/A |
| recommender.cloudsqlInstanceOomProbabilityInsights.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstanceOomProbabilityInsights.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstanceOomProbabilityInsights.update | Cloud SQL Admin, Cloud SQL Editor | N/A |
| recommender.cloudsqlInstanceSecurityInsights.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstanceSecurityInsights.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstanceSecurityInsights.update | Cloud SQL Admin, Cloud SQL Editor | N/A |
| recommender.cloudsqlInstanceSecurityRecommendations.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstanceSecurityRecommendations.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstanceSecurityRecommendations.update | Cloud SQL Admin, Cloud SQL Editor | N/A |
| recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.update | Cloud SQL Admin, Cloud SQL Editor | N/A |
| recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.update | Cloud SQL Admin, Cloud SQL Editor | N/A |
| recommender.cloudsqlUnderProvisionedInstanceRecommendations.get | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlUnderProvisionedInstanceRecommendations.list | Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer | N/A |
| recommender.cloudsqlUnderProvisionedInstanceRecommendations.update | Cloud SQL Admin, Cloud SQL Editor | N/A |

Custom roles

If the predefined roles don't address your business requirements, IAM lets you define your own custom roles with exactly the permissions that you specify.

When you create custom roles for Cloud SQL, make sure that if you include either cloudsql.instances.list or cloudsql.instances.get, you include both. Otherwise, the Google Cloud console won't function correctly for Cloud SQL.
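Two statements on this page can be checked mechanically: that each broader predefined role contains the permissions of the narrower one, and that a custom role carrying cloudsql.instances.get or cloudsql.instances.list should carry both. The Python below is an added example, not Google's code or an IAM API: its role and permission data are a constructed subset copied from the two tables above, reading wildcard shorthand such as cloudsql.*.get as a glob is an assumption, and smallest_role_for is a least-privilege helper of my own.

```python
"""Reason about the Cloud SQL roles on this page (added example, not Google's code).
Role and permission data are a constructed subset copied from the two tables above;
reading wildcard shorthand such as cloudsql.*.get with fnmatch is an assumption."""
from fnmatch import fnmatchcase

# Constructed subset of the "Permissions and their roles" table (not exhaustive).
CATALOGUE = [
    "cloudsql.backupRuns.create", "cloudsql.backupRuns.delete", "cloudsql.backupRuns.export",
    "cloudsql.backupRuns.get", "cloudsql.backupRuns.list", "cloudsql.backupRuns.update",
    "cloudsql.databases.create", "cloudsql.databases.get", "cloudsql.databases.getIamPolicy",
    "cloudsql.databases.list", "cloudsql.databases.update", "cloudsql.instances.connect",
    "cloudsql.instances.export", "cloudsql.instances.get", "cloudsql.instances.getIamPolicy",
    "cloudsql.instances.list", "cloudsql.instances.login", "cloudsql.instances.setIamPolicy",
    "cloudsql.instances.update", "cloudsql.users.create", "cloudsql.users.list",
]

# Predefined roles as the first table states them (Editor list trimmed to the catalogue).
ROLES = {
    "roles/cloudsql.admin": ["cloudsql.*"],
    "roles/cloudsql.editor": [
        "cloudsql.instances.connect", "cloudsql.instances.export", "cloudsql.instances.get",
        "cloudsql.instances.list", "cloudsql.instances.update", "cloudsql.databases.create",
        "cloudsql.databases.get", "cloudsql.databases.list", "cloudsql.databases.update",
        "cloudsql.backupRuns.create", "cloudsql.backupRuns.export", "cloudsql.backupRuns.get",
        "cloudsql.backupRuns.list", "cloudsql.backupRuns.update", "cloudsql.users.list",
    ],
    "roles/cloudsql.viewer": ["cloudsql.*.export", "cloudsql.*.get", "cloudsql.*.list"],
    "roles/cloudsql.client": ["cloudsql.instances.connect", "cloudsql.instances.get"],
    "roles/cloudsql.instanceUser": ["cloudsql.instances.get", "cloudsql.instances.login"],
}

def expand(patterns):
    """Resolve wildcard shorthand to the concrete catalogue entries it matches."""
    return {p for p in CATALOGUE if any(fnmatchcase(p, pat) for pat in patterns)}

def includes(broader, narrower):
    """True when every permission of `narrower` is also granted by `broader`."""
    return expand(ROLES[narrower]) <= expand(ROLES[broader])

def smallest_role_for(needed):
    """Least privilege: the predefined role with the fewest permissions covering `needed`."""
    fits = [r for r in ROLES if set(needed) <= expand(ROLES[r])]
    return min(fits, key=lambda r: len(expand(ROLES[r])), default=None)

def lint_custom_role(perms):
    """Flag the console caveat above: instances.get and instances.list must travel together."""
    pair = {"cloudsql.instances.get", "cloudsql.instances.list"}
    present, missing = pair & set(perms), pair - set(perms)
    if len(present) == 1:
        return [f"{present.pop()} is granted without {missing.pop()}"]
    return []
```

Running smallest_role_for with connect plus list shows that Cloud SQL Client is not enough and Cloud SQL Editor is the smallest predefined fit, which is exactly the kind of gap that tempts people into over-granting.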