Identity and Access Management (IAM) lets you control user and group access to Spanner resources at the project, Spanner instance, and Spanner database levels. For example, you can specify that a user has full control of a specific database in a specific instance in your project, but cannot create, modify, or delete any instances in your project. Using access control with IAM lets you grant a permission to a user or group without having to modify each Spanner instance or database permission individually.
This document focuses on the IAM permissions relevant to Spanner and the IAM roles that grant those permissions. For a detailed description of IAM and its features, see the Identity and Access Management developer's guide. In particular, see the Managing IAM policies section.
Permissions
Permissions allow users to perform specific actions on Spanner resources. For example, the spanner.databases.read permission allows a user to read from a database using Spanner's read API, while spanner.databases.select allows a user to execute a SQL select statement on a database. You don't directly give users permissions; instead, you grant them predefined roles or custom roles, which have one or more permissions bundled within them.
The following tables list the IAM permissions that are associated with Spanner.
Instance configurations
The following permissions apply to Spanner instance configurations. For more information, see the instance configuration references for REST and RPC APIs.
Instance configuration permission name | Description |
---|---|
spanner.instanceConfigs.create | Create a custom instance configuration. |
spanner.instanceConfigs.delete | Delete a custom instance configuration. |
spanner.instanceConfigs.get | Get an instance configuration. |
spanner.instanceConfigs.list | List the set of instance configurations. |
spanner.instanceConfigs.update | Update a custom instance configuration. |
Instance configuration operations
The following permissions apply to Spanner instance configuration operations. For more information, see the instance references for REST and RPC APIs.
Instance configuration operation permission name | Description |
---|---|
spanner.instanceConfigOperations.cancel | Cancel an instance configuration operation. |
spanner.instanceConfigOperations.delete | Delete an instance configuration operation. |
spanner.instanceConfigOperations.get | Get an instance configuration operation. |
spanner.instanceConfigOperations.list | List instance configuration operations. |
Instances
The following permissions apply to Spanner instances. For more information, see the instance references for REST and RPC APIs.
Instance permission name | Description |
---|---|
spanner.instances.create | Create an instance. |
spanner.instances.delete | Delete an instance. |
spanner.instances.get | Get the configuration of a specific instance. |
spanner.instances.getIamPolicy | Get an instance's IAM policy. |
spanner.instances.list | List instances. |
spanner.instances.setIamPolicy | Set an instance's IAM policy. |
spanner.instances.update | Update an instance. |
Instance operations
The following permissions apply to Spanner instance operations. For more information, see the instance references for REST and RPC APIs.
Instance operation permission name | Description |
---|---|
spanner.instanceOperations.cancel | Cancel an instance operation. |
spanner.instanceOperations.delete | Delete an instance operation. |
spanner.instanceOperations.get | Get a specific instance operation. |
spanner.instanceOperations.list | List instance operations. |
Instance partitions
The following permissions apply to Spanner instance partitions. For more information, see the instance partition references for REST and RPC APIs.
Instance partition permission name | Description |
---|---|
spanner.instancePartitions.create | Create an instance partition. |
spanner.instancePartitions.delete | Delete an instance partition. |
spanner.instancePartitions.get | Get the configuration of a specific instance partition. |
spanner.instancePartitions.list | List instance partitions. |
spanner.instancePartitions.update | Update an instance partition. |
Instance partition operations
The following permissions apply to Spanner instance partition operations. For more information, see the instance partition references for REST and RPC APIs.
Instance partition operation permission name | Description |
---|---|
spanner.instancePartitionOperations.cancel | Cancel an instance partition operation. |
spanner.instancePartitionOperations.delete | Delete an instance partition operation. |
spanner.instancePartitionOperations.get | Get a specific instance partition operation. |
spanner.instancePartitionOperations.list | List instance partition operations. |
Databases
The following permissions apply to Spanner databases. For more information, see the database references for REST and RPC APIs.
Database permission name | Description |
---|---|
spanner.databases.adapt | Lets the Spanner Adapter API interact directly with Spanner. |
spanner.databases.beginOrRollbackReadWriteTransaction | Begin or roll back a read-write transaction on a Spanner database. |
spanner.databases.beginPartitionedDmlTransaction | Execute an instance partitioned data manipulation language (DML) statement. For more information about instance partitioned queries, see Read data in parallel. |
spanner.databases.beginReadOnlyTransaction | Begin a read-only transaction on a Spanner database. |
spanner.databases.create | Create a database. |
spanner.databases.createBackup | Create a backup from the database. Also requires spanner.backups.create to create the backup resource. |
spanner.databases.drop | Drop a database. |
spanner.databases.get | Get a database's metadata. |
spanner.databases.getDdl | Get a database's schema. |
spanner.databases.getIamPolicy | Get a database's IAM policy. |
spanner.databases.list | List databases. |
spanner.databases.read | Read from a database using the read API. |
spanner.databases.select | Execute a SQL select statement on a database. |
spanner.databases.setIamPolicy | Set a database's IAM policy. |
spanner.databases.update | Update a database's metadata. |
spanner.databases.updateDdl | Update a database's schema. |
spanner.databases.useDataBoost | Use the compute resources of Spanner Data Boost to process instance partitioned queries. |
spanner.databases.useRoleBasedAccess | Use fine-grained access control. |
spanner.databases.write | Write into a database. |
Database roles
The following permissions apply to Spanner database roles. For more information, see the database references for REST and RPC APIs.
Database role permission name | Description |
---|---|
spanner.databaseRoles.list | List database roles. |
spanner.databaseRoles.use | Use a specified database role. |
Database operations
The following permissions apply to Spanner database operations. For more information, see the database references for REST and RPC APIs.
Database operation permission name | Description |
---|---|
spanner.databaseOperations.cancel | Cancel a database operation. |
spanner.databaseOperations.get | Get a specific database operation. |
spanner.databaseOperations.list | List database and restore database operations. |
Backups
The following permissions apply to Spanner backups. For more information, see the backups references for REST and RPC APIs.
Backup permission name | Description |
---|---|
spanner.backups.create | Create a backup. Also requires spanner.databases.createBackup on the source database. |
spanner.backups.delete | Delete a backup. |
spanner.backups.get | Get a backup. |
spanner.backups.getIamPolicy | Get a backup's IAM policy. |
spanner.backups.list | List backups. |
spanner.backups.restoreDatabase | Restore a database from a backup. Also requires spanner.databases.create to create the restored database on the target instance. |
spanner.backups.setIamPolicy | Set a backup's IAM policy. |
spanner.backups.update | Update a backup. |
Backup operations
The following permissions apply to Spanner backup operations. For more information, see the database references for REST and RPC APIs.
Backup operation permission name | Description |
---|---|
spanner.backupOperations.cancel | Cancel a backup operation. |
spanner.backupOperations.get | Get a specific backup operation. |
spanner.backupOperations.list | List backup operations. |
Backup schedules
The following permissions apply to Spanner backup schedules. For more information, see the database references for the REST and RPC APIs.
Backup schedule permission name | Description |
---|---|
spanner.backupSchedules.create | Create a backup schedule. Also requires spanner.databases.createBackup on the source database. |
spanner.backupSchedules.delete | Delete a backup schedule. |
spanner.backupSchedules.get | Get a backup schedule. |
spanner.backupSchedules.list | List backup schedules. |
spanner.backupSchedules.update | Update a backup schedule. |
Sessions
The following permissions apply to Spanner sessions. For more information, see the database references for REST and RPC APIs.
Session permission name | Description |
---|---|
spanner.sessions.create | Create a session. |
spanner.sessions.delete | Delete a session. |
spanner.sessions.get | Get a session. |
spanner.sessions.list | List sessions. |
Predefined roles
A predefined role is a bundle of one or more permissions. For example, the predefined role roles/spanner.databaseUser contains the permissions spanner.databases.read and spanner.databases.write. There are two types of predefined roles for Spanner:
- Person roles: Granted to users or groups, which allows them to perform actions on the resources in your project.
- Machine roles: Granted to service accounts, which allows machines running as those service accounts to perform actions on the resources in your project.
The following table lists the predefined roles for access control with IAM and what each role allows:
Role | Description |
---|---|
Cloud Spanner Admin | Has complete access to all Spanner resources in a Google Cloud project. A principal with this role can: Lowest-level resources where you can grant this role: |
Cloud Spanner Backup Admin | A principal with this role can: This role cannot restore a database from a backup. Lowest-level resources where you can grant this role: |
Cloud Spanner Backup Writer | This role is intended to be used by scripts that automate backup creation. A principal with this role can create backups, but cannot update or delete them. Lowest-level resources where you can grant this role: |
Cloud Spanner Database Admin | A principal with this role can: Lowest-level resources where you can grant this role: |
Cloud Spanner Database Reader | A principal with this role can: Lowest-level resources where you can grant this role: |
Cloud Spanner Database Reader with DataBoost | Includes all permissions in the spanner.databaseReader role, enabling access to read and/or query a Cloud Spanner database using instance resources, as well as the permission to access the database with Data Boost, a fully managed serverless service that provides independent compute resources. Lowest-level resources where you can grant this role: |
Cloud Spanner Database Role User | In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`. Lowest-level resources where you can grant this role: |
Cloud Spanner Database User | A principal with this role can: Lowest-level resources where you can grant this role: |
Cloud Spanner Fine-grained Access User | Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the `roles/spanner.databaseRoleUser` IAM role and its necessary conditions. Lowest-level resources where you can grant this role: |
Cloud Spanner Restore Admin | A principal with this role can restore databases from backups. If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups. Lowest-level resources where you can grant this role: |
Cloud Spanner API Service Agent | Cloud Spanner API Service Agent |
Cloud Spanner Viewer | A principal with this role can: For example, you can combine this role with the This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud console. Lowest-level resources where you can grant this role: |
Basic roles
Basic roles are project-level roles that predate IAM. See Basic roles for additional details.
Although Spanner supports the following basic roles, you should use one of the predefined roles shown earlier whenever possible. Basic roles include broad permissions that apply to all of your Google Cloud resources; in contrast, Spanner's predefined roles include fine-grained permissions that apply only to Spanner.
Basic role | Description |
---|---|
roles/editor | Can do all that a roles/viewer can do. Can also create instances and databases and write data into a database. |
roles/owner | Can do all that a roles/editor can do. Can also modify access to databases and instances. |
roles/viewer | Can list and get the metadata of schemas and instances. Can also read and query using SQL on a database. |
Custom roles
If the predefined roles for Spanner don't address your business requirements, you can define your own custom roles with permissions that you specify.
Before you create a custom role, you must identify the tasks that you need to perform. You can then identify the permissions that are required for each task and add these permissions to the custom role.
Custom roles for service account tasks
For most tasks, it's obvious which permissions you need to add to your custom role. For example, if you want your service account to be able to create a database, add the permission spanner.databases.create to your custom role.
However, when you're reading or writing data in a Spanner table, you need to add several different permissions to your custom role. The following table shows which permissions are required for reading and writing data.
Service account task | Required permissions |
---|---|
Create a backup | spanner.backups.create, spanner.databases.createBackup |
Read data | spanner.databases.select, spanner.sessions.create, spanner.sessions.delete |
Restore a database | spanner.backups.restoreDatabase, spanner.databases.create |
Insert, update, or delete data | spanner.databases.beginOrRollbackReadWriteTransaction, spanner.sessions.create, spanner.sessions.delete, spanner.databases.write |
Custom roles for Google Cloud console tasks
To identify the list of permissions you need for a given task in the Google Cloud console, you determine the workflow for that task and compile the permissions for that workflow. For example, to view the data in a table, you would follow these steps in the Google Cloud console:
Step | Permissions |
---|---|
1. Access the project | resourcemanager.projects.get |
2. View the list of instances | spanner.instances.list |
3. Select an instance | spanner.instances.get |
4. View the list of databases | spanner.databases.list |
5. Select a database and a table | spanner.databases.getDdl |
6. View data in a table | spanner.databases.select, spanner.sessions.create, spanner.sessions.delete |
In this example, you need these permissions:
- resourcemanager.projects.get
- spanner.databases.getDdl
- spanner.databases.list
- spanner.databases.select
- spanner.instances.get
- spanner.instances.list
- spanner.sessions.create
- spanner.sessions.delete
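One way to turn the two task tables above (the service account tasks and the console "view the data in a table" workflow) into a least-privilege custom role, as an added example that is not part of the Spanner documentation: the task-to-permission map is transcribed from those tables, the YAML layout is the one `gcloud iam roles create ROLE_ID --project=PROJECT --file=role.yaml` reads, and the review lists of access-changing and destructive permissions are our own choice.

```python
# Added example, not from the Spanner documentation: compose a least-privilege
# custom role from the task tables above and render it in the YAML layout that
# `gcloud iam roles create ROLE_ID --project=PROJECT --file=role.yaml` reads.
# TASK_PERMISSIONS is transcribed from those tables; the review lists are ours.

TASK_PERMISSIONS = {
    # Service account tasks.
    "create_backup": ["spanner.backups.create", "spanner.databases.createBackup"],
    "read_data": ["spanner.databases.select", "spanner.sessions.create",
                  "spanner.sessions.delete"],
    "restore_database": ["spanner.backups.restoreDatabase",
                         "spanner.databases.create"],
    "write_data": ["spanner.databases.beginOrRollbackReadWriteTransaction",
                   "spanner.sessions.create", "spanner.sessions.delete",
                   "spanner.databases.write"],
    # Google Cloud console workflow "view the data in a table", steps 1 to 6.
    "console_view_table": ["resourcemanager.projects.get", "spanner.instances.list",
                           "spanner.instances.get", "spanner.databases.list",
                           "spanner.databases.getDdl", "spanner.databases.select",
                           "spanner.sessions.create", "spanner.sessions.delete"],
}

# Permissions a task-scoped role for automation should not carry: those that
# change who has access, and those that destroy data.
ACCESS_CHANGING = ("setIamPolicy",)
DESTRUCTIVE = ("spanner.databases.drop", "spanner.instances.delete",
               "spanner.backups.delete")


def permissions_for(tasks):
    """Union of the permissions the given tasks need, deduplicated and sorted."""
    unknown = sorted(set(tasks) - set(TASK_PERMISSIONS))
    if unknown:
        raise ValueError(f"unknown task(s): {unknown}")
    perms = set()
    for task in tasks:
        perms.update(TASK_PERMISSIONS[task])
    return sorted(perms)


def review_role(perms):
    """Return the permissions that need a second look before the role ships."""
    return sorted(p for p in perms
                  if p.endswith(ACCESS_CHANGING) or p in DESTRUCTIVE)


def role_yaml(title, description, perms):
    """Render the role definition; refuses access-changing or destructive entries."""
    flagged = review_role(perms)
    if flagged:
        raise ValueError(f"refusing to render a task role containing {flagged}")
    lines = [f"title: {title}", f"description: {description}", "stage: GA",
             "includedPermissions:"]
    lines += [f"- {p}" for p in perms]
    return "\n".join(lines) + "\n"
```

Calling `role_yaml("Spanner app data writer", "Read and write table data only", permissions_for(["read_data", "write_data"]))` yields a five-permission role with no schema, backup or IAM rights.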
The following table lists the permissions required for actions in the Google Cloud console.
Permissions | Action |
---|---|
spanner.databases.setIamPolicy | Add principals on the Permissions tab of the Database details page |
spanner.instances.setIamPolicy | Add principals on the Permissions tab of the Instance page |
spanner.backups.create, spanner.databases.createBackup, spanner.databases.list, spanner.backupOperations.list | Create a backup |
spanner.backupSchedules.create, spanner.databases.createBackup | Create a backup schedule |
spanner.databases.create | Create a database |
spanner.instancePartitions.list, spanner.instancePartitionOperations.get, spanner.instancePartitions.create | Create an instance partition |
spanner.databaseOperations.get, spanner.databaseOperations.list, spanner.databases.updateDdl | Create a table; update a table schema |
spanner.instanceConfigs.list, spanner.instanceOperations.get, spanner.instances.create | Create an instance |
spanner.backups.delete | Delete a backup |
spanner.backupSchedules.delete | Delete a backup schedule |
spanner.databases.drop | Delete a database |
spanner.instancePartitions.delete | Delete an instance partition |
spanner.instances.delete | Delete an instance |
spanner.instancePartitionOperations.get, spanner.instancePartitions.update | Modify an instance partition |
spanner.instanceOperations.get, spanner.instances.update | Modify an instance |
spanner.databases.beginOrRollbackReadWriteTransaction, spanner.databases.select, spanner.databases.write, spanner.sessions.create, spanner.sessions.delete | Modify data in a table |
spanner.instanceConfigs.list, spanner.instances.get, spanner.backups.get, spanner.backups.restoreDatabase, spanner.instances.list, spanner.databases.create | Restore a database from a backup |
spanner.databases.get, spanner.databases.getDdl | Select a database from the database list and view the schema on the Database details page |
spanner.instances.get | Select an instance from the instance list to view the Instance details page |
spanner.backups.update | Update a backup |
spanner.backupSchedules.update | Update a backup schedule |
spanner.databases.select, spanner.sessions.create, spanner.sessions.delete | View data in the Data tab of the Database details page; create and run a query |
spanner.backups.list, spanner.backups.get | View the Backup/Restore page |
monitoring.metricDescriptors.get, monitoring.metricDescriptors.list, monitoring.timeSeries.list, spanner.instances.get | View the graphs in the Monitor tab on the Instance details page or the Database details page |
spanner.backupOperations.list | View the list of backup operations |
spanner.databases.list | View the list of databases on the Instance details page |
resourcemanager.projects.get, spanner.instances.list | View the list of instances on the Instances page |
spanner.databaseOperations.list | View the list of restore operations |
spanner.databases.getIamPolicy | View the list on the Permissions tab of the Database details page |
spanner.instances.getIamPolicy | View the list on the Permissions tab of the Instance page |
Spanner IAM policy management
You can get, set, and test IAM policies using the REST or RPC APIs on Spanner instance, database, and backup resources.
Instances
REST API | RPC API |
---|---|
projects.instances.getIamPolicy | GetIamPolicy |
projects.instances.setIamPolicy | SetIamPolicy |
projects.instances.testIamPermissions | TestIamPermissions |
Databases
REST API | RPC API |
---|---|
projects.instances.databases.getIamPolicy | GetIamPolicy |
projects.instances.databases.setIamPolicy | SetIamPolicy |
projects.instances.databases.testIamPermissions | TestIamPermissions |
Backups
REST API | RPC API |
---|---|
projects.instances.backups.getIamPolicy | GetIamPolicy |
projects.instances.backups.setIamPolicy | SetIamPolicy |
projects.instances.backups.testIamPermissions | TestIamPermissions |
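A check built on the testIamPermissions REST methods above, added here and not part of the Spanner documentation: a call answers only for the resource named in its URL, so the helper routes each required permission to the project, instance or database endpoint by permission prefix (our assumption about how to split the check), builds the request bodies, and reports what a constructed reply says the caller lacks. Resource names and the reply are constructed.

```python
# Added example, not from the Spanner documentation: plan and evaluate
# testIamPermissions checks for a task. A call answers only for the resource
# named in its URL, so permissions are routed by prefix (our assumption).
import json

SPANNER = "https://spanner.googleapis.com/v1"
CRM = "https://cloudresourcemanager.googleapis.com/v1"


def endpoint_for(permission, project, instance, database):
    """Return the :testIamPermissions URL the permission must be tested against."""
    if permission.startswith("resourcemanager.projects."):
        return f"{CRM}/projects/{project}:testIamPermissions"
    if permission.startswith("spanner.instances."):
        return f"{SPANNER}/projects/{project}/instances/{instance}:testIamPermissions"
    if permission.startswith(("spanner.databases.", "spanner.sessions.",
                              "spanner.databaseRoles.")):
        return (f"{SPANNER}/projects/{project}/instances/{instance}"
                f"/databases/{database}:testIamPermissions")
    raise ValueError(f"no resource mapping for {permission}")


def plan_checks(required, project, instance, database):
    """Group required permissions into one request body per endpoint."""
    plan = {}
    for perm in sorted(set(required)):
        url = endpoint_for(perm, project, instance, database)
        plan.setdefault(url, []).append(perm)
    # Request body shape of the REST method: {"permissions": [...]}
    return {url: json.dumps({"permissions": perms}) for url, perms in plan.items()}


def missing_permissions(requested, response_json):
    """Permissions absent from the reply are ones the caller does not hold."""
    held = set(json.loads(response_json).get("permissions", []))
    return sorted(set(requested) - held)


# Constructed input: the console "view the data in a table" workflow from the
# table above, on hypothetical resource names, with a constructed reply for the
# database endpoint that omits spanner.databases.getDdl.
VIEW_TABLE = ["resourcemanager.projects.get", "spanner.instances.list",
              "spanner.instances.get", "spanner.databases.list",
              "spanner.databases.getDdl", "spanner.databases.select",
              "spanner.sessions.create", "spanner.sessions.delete"]
DB_URL = endpoint_for("spanner.databases.select", "my-project", "my-instance", "my-db")
SAMPLE_DB_REPLY = json.dumps({"permissions": [
    "spanner.databases.list", "spanner.databases.select",
    "spanner.sessions.create", "spanner.sessions.delete"]})


def audit_sample():
    """Database-level permissions the sample reply shows the caller lacks."""
    plan = plan_checks(VIEW_TABLE, "my-project", "my-instance", "my-db")
    requested = json.loads(plan[DB_URL])["permissions"]
    return missing_permissions(requested, SAMPLE_DB_REPLY)
```

Against a live project, each entry of the plan is one POST with the principal's credentials; a permission that is absent from the reply is exactly the one the task will fail on.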
What's next
- Learn more about Identity and Access Management.
- Learn how to apply IAM roles for a Spanner database, instance, or Google Cloud project.
- Learn how to control access to Google Cloud resources, including Spanner, from the internet.