Spanner roles and permissions

This page lists the IAM roles and permissions for Spanner. To search through all roles and permissions, see the role and permission index.

Spanner roles

Role Permissions

Role	Permissions
Cloud Spanner Admin (`roles/spanner.admin`) Has complete access to all Spanner resources in a Google Cloud project. A principal with this role can: Grant and revoke permissions to other principals for all Spanner resources in the project. Allocate and delete chargeable Spanner resources. Issue get/list/modify operations on Cloud Spanner resources. Read from and write to all Cloud Spanner databases in the project. Fetch project metadata. Lowest-level resources where you can grant this role: Instance Database	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `monitoring.timeSeries.` `monitoring.timeSeries.create` `monitoring.timeSeries.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `spanner.*` `spanner.backupOperations.cancel` `spanner.backupOperations.get` `spanner.backupOperations.list` `spanner.backupSchedules.create` `spanner.backupSchedules.delete` `spanner.backupSchedules.get` `spanner.backupSchedules.getIamPolicy` `spanner.backupSchedules.list` `spanner.backupSchedules.setIamPolicy` `spanner.backupSchedules.update` `spanner.backups.copy` `spanner.backups.create` `spanner.backups.delete` `spanner.backups.get` `spanner.backups.getIamPolicy` `spanner.backups.list` `spanner.backups.restoreDatabase` `spanner.backups.setIamPolicy` `spanner.backups.update` `spanner.databaseOperations.cancel` `spanner.databaseOperations.get` `spanner.databaseOperations.list` `spanner.databaseRoles.list` `spanner.databases.adapt` `spanner.databases.addSplitPoints` `spanner.databases.beginOrRollbackReadWriteTransaction` `spanner.databases.beginPartitionedDmlTransaction` `spanner.databases.beginReadOnlyTransaction` `spanner.databases.changequorum` `spanner.databases.create` `spanner.databases.createBackup` `spanner.databases.drop` `spanner.databases.get` `spanner.databases.getDdl` `spanner.databases.getIamPolicy` `spanner.databases.list` `spanner.databases.partitionQuery` `spanner.databases.partitionRead` `spanner.databases.read` `spanner.databases.runGraphAlgorithms` `spanner.databases.select` `spanner.databases.setIamPolicy` `spanner.databases.update` `spanner.databases.updateDdl` `spanner.databases.useDataBoost` `spanner.databases.useRoleBasedAccess` `spanner.databases.write` `spanner.instanceConfigOperations.cancel` `spanner.instanceConfigOperations.delete` `spanner.instanceConfigOperations.get` `spanner.instanceConfigOperations.list` `spanner.instanceConfigs.create` `spanner.instanceConfigs.delete` `spanner.instanceConfigs.get` `spanner.instanceConfigs.list` `spanner.instanceConfigs.update` `spanner.instanceOperations.cancel` `spanner.instanceOperations.delete` `spanner.instanceOperations.get` `spanner.instanceOperations.list` `spanner.instancePartitionOperations.cancel` `spanner.instancePartitionOperations.delete` `spanner.instancePartitionOperations.get` `spanner.instancePartitionOperations.list` `spanner.instancePartitions.create` `spanner.instancePartitions.delete` `spanner.instancePartitions.get` `spanner.instancePartitions.list` `spanner.instancePartitions.update` `spanner.instances.create` `spanner.instances.createTagBinding` `spanner.instances.delete` `spanner.instances.deleteTagBinding` `spanner.instances.get` `spanner.instances.getIamPolicy` `spanner.instances.list` `spanner.instances.listEffectiveTags` `spanner.instances.listTagBindings` `spanner.instances.setIamPolicy` `spanner.instances.update` `spanner.sessions.create` `spanner.sessions.delete` `spanner.sessions.get` `spanner.sessions.list`
Spanner Editor (`roles/spanner.editor`) Editor role for spanner	`monitoring.timeSeries.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `spanner.backupOperations.` `spanner.backupOperations.cancel` `spanner.backupOperations.get` `spanner.backupOperations.list` `spanner.backupSchedules.create` `spanner.backupSchedules.delete` `spanner.backupSchedules.get` `spanner.backupSchedules.getIamPolicy` `spanner.backupSchedules.list` `spanner.backupSchedules.update` `spanner.backups.copy` `spanner.backups.create` `spanner.backups.delete` `spanner.backups.get` `spanner.backups.getIamPolicy` `spanner.backups.list` `spanner.backups.restoreDatabase` `spanner.backups.update` `spanner.databaseOperations.` `spanner.databaseOperations.cancel` `spanner.databaseOperations.get` `spanner.databaseOperations.list` `spanner.databaseRoles.list` `spanner.databases.adapt` `spanner.databases.addSplitPoints` `spanner.databases.beginOrRollbackReadWriteTransaction` `spanner.databases.beginPartitionedDmlTransaction` `spanner.databases.beginReadOnlyTransaction` `spanner.databases.changequorum` `spanner.databases.create` `spanner.databases.createBackup` `spanner.databases.drop` `spanner.databases.get` `spanner.databases.getDdl` `spanner.databases.getIamPolicy` `spanner.databases.list` `spanner.databases.partitionQuery` `spanner.databases.partitionRead` `spanner.databases.read` `spanner.databases.runGraphAlgorithms` `spanner.databases.select` `spanner.databases.update` `spanner.databases.updateDdl` `spanner.databases.useDataBoost` `spanner.databases.useRoleBasedAccess` `spanner.databases.write` `spanner.instanceConfigOperations.` `spanner.instanceConfigOperations.cancel` `spanner.instanceConfigOperations.delete` `spanner.instanceConfigOperations.get` `spanner.instanceConfigOperations.list` `spanner.instanceConfigs.` `spanner.instanceConfigs.create` `spanner.instanceConfigs.delete` `spanner.instanceConfigs.get` `spanner.instanceConfigs.list` `spanner.instanceConfigs.update` `spanner.instanceOperations.` `spanner.instanceOperations.cancel` `spanner.instanceOperations.delete` `spanner.instanceOperations.get` `spanner.instanceOperations.list` `spanner.instancePartitionOperations.` `spanner.instancePartitionOperations.cancel` `spanner.instancePartitionOperations.delete` `spanner.instancePartitionOperations.get` `spanner.instancePartitionOperations.list` `spanner.instancePartitions.` `spanner.instancePartitions.create` `spanner.instancePartitions.delete` `spanner.instancePartitions.get` `spanner.instancePartitions.list` `spanner.instancePartitions.update` `spanner.instances.create` `spanner.instances.delete` `spanner.instances.get` `spanner.instances.getIamPolicy` `spanner.instances.list` `spanner.instances.listEffectiveTags` `spanner.instances.listTagBindings` `spanner.instances.update` `spanner.sessions.` `spanner.sessions.create` `spanner.sessions.delete` `spanner.sessions.get` `spanner.sessions.list`
Cloud Spanner Viewer (`roles/spanner.viewer`) A principal with this role can: View all Spanner instances (but cannot modify instances). View all Spanner databases (but cannot modify or read from databases). For example, you can combine this role with the `roles/spanner.databaseUser` role to grant a user with access to a specific database, but only view access to other instances and databases. This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud console. Lowest-level resources where you can grant this role: Instance Database	`monitoring.timeSeries.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `spanner.databases.get` `spanner.databases.list` `spanner.instanceConfigs.get` `spanner.instanceConfigs.list` `spanner.instancePartitions.get` `spanner.instancePartitions.list` `spanner.instances.get` `spanner.instances.list` `spanner.instances.listEffectiveTags` `spanner.instances.listTagBindings`
Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) A principal with this role can: Create, view, update, and delete backups. View and manage a backup's allow policy. This role cannot restore a database from a backup. Lowest-level resources where you can grant this role: Instance Database	`monitoring.timeSeries.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `spanner.backupOperations.*` `spanner.backupOperations.cancel` `spanner.backupOperations.get` `spanner.backupOperations.list` `spanner.backupSchedules.create` `spanner.backupSchedules.delete` `spanner.backupSchedules.get` `spanner.backupSchedules.list` `spanner.backupSchedules.update` `spanner.backups.copy` `spanner.backups.create` `spanner.backups.delete` `spanner.backups.get` `spanner.backups.getIamPolicy` `spanner.backups.list` `spanner.backups.setIamPolicy` `spanner.backups.update` `spanner.databases.createBackup` `spanner.databases.get` `spanner.databases.list` `spanner.instancePartitions.get` `spanner.instancePartitions.list` `spanner.instances.createTagBinding` `spanner.instances.deleteTagBinding` `spanner.instances.get` `spanner.instances.list` `spanner.instances.listEffectiveTags` `spanner.instances.listTagBindings`
Cloud Spanner Backup Writer (`roles/spanner.backupWriter`) This role is intended to be used by scripts that automate backup creation. A principal with this role can create backups, but cannot update or delete them. Lowest-level resources where you can grant this role: Instance Database	`spanner.backupOperations.get` `spanner.backupOperations.list` `spanner.backupSchedules.create` `spanner.backupSchedules.get` `spanner.backupSchedules.list` `spanner.backups.copy` `spanner.backups.create` `spanner.backups.get` `spanner.backups.list` `spanner.databases.createBackup` `spanner.databases.get` `spanner.databases.list` `spanner.instancePartitions.get` `spanner.instances.get`
Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) A principal with this role can: Get/list all Spanner instances in the project. Create/list/drop databases in an instance. Grant/revoke access to databases in the project. Read from and write to all Cloud Spanner databases in the project. Lowest-level resources where you can grant this role: Instance Database	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `monitoring.timeSeries.` `monitoring.timeSeries.create` `monitoring.timeSeries.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `spanner.databaseOperations.` `spanner.databaseOperations.cancel` `spanner.databaseOperations.get` `spanner.databaseOperations.list` `spanner.databaseRoles.list` `spanner.databases.adapt` `spanner.databases.addSplitPoints` `spanner.databases.beginOrRollbackReadWriteTransaction` `spanner.databases.beginPartitionedDmlTransaction` `spanner.databases.beginReadOnlyTransaction` `spanner.databases.changequorum` `spanner.databases.create` `spanner.databases.drop` `spanner.databases.get` `spanner.databases.getDdl` `spanner.databases.getIamPolicy` `spanner.databases.list` `spanner.databases.partitionQuery` `spanner.databases.partitionRead` `spanner.databases.read` `spanner.databases.runGraphAlgorithms` `spanner.databases.select` `spanner.databases.setIamPolicy` `spanner.databases.update` `spanner.databases.updateDdl` `spanner.databases.useDataBoost` `spanner.databases.useRoleBasedAccess` `spanner.databases.write` `spanner.instancePartitions.get` `spanner.instancePartitions.list` `spanner.instances.createTagBinding` `spanner.instances.deleteTagBinding` `spanner.instances.get` `spanner.instances.getIamPolicy` `spanner.instances.list` `spanner.instances.listEffectiveTags` `spanner.instances.listTagBindings` `spanner.sessions.` `spanner.sessions.create` `spanner.sessions.delete` `spanner.sessions.get` `spanner.sessions.list`
Cloud Spanner Database Reader (`roles/spanner.databaseReader`) A principal with this role can: Read from the Spanner database. Execute SQL queries on the database. View schema for the database. Lowest-level resources where you can grant this role: Instance Database	`monitoring.timeSeries.create` `spanner.databases.beginReadOnlyTransaction` `spanner.databases.get` `spanner.databases.getDdl` `spanner.databases.partitionQuery` `spanner.databases.partitionRead` `spanner.databases.read` `spanner.databases.select` `spanner.instancePartitions.get` `spanner.instances.get` `spanner.sessions.*` `spanner.sessions.create` `spanner.sessions.delete` `spanner.sessions.get` `spanner.sessions.list`
Cloud Spanner Database Reader with DataBoost (`roles/spanner.databaseReaderWithDataBoost`) Includes all permissions in the spanner.databaseReader role enabling access to read and/or query a Cloud Spanner database using instance resources, as well as the permission to access the database with Data Boost, a fully managed serverless service that provides independent compute resources. Lowest-level resources where you can grant this role: Instance Database	`monitoring.timeSeries.create` `spanner.databases.beginReadOnlyTransaction` `spanner.databases.get` `spanner.databases.getDdl` `spanner.databases.partitionQuery` `spanner.databases.partitionRead` `spanner.databases.read` `spanner.databases.select` `spanner.databases.useDataBoost` `spanner.instancePartitions.get` `spanner.instances.get` `spanner.sessions.*` `spanner.sessions.create` `spanner.sessions.delete` `spanner.sessions.get` `spanner.sessions.list`
Cloud Spanner Database Role User (`roles/spanner.databaseRoleUser`) In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`. Lowest-level resources where you can grant this role: Instance Database
Cloud Spanner Database User (`roles/spanner.databaseUser`) A principal with this role can: Read from and write to the Spanner database. Execute SQL queries on the database, including DML and Partitioned DML. View and update schema for the database. Lowest-level resources where you can grant this role: Instance Database	`monitoring.timeSeries.create` `spanner.databaseOperations.` `spanner.databaseOperations.cancel` `spanner.databaseOperations.get` `spanner.databaseOperations.list` `spanner.databases.adapt` `spanner.databases.beginOrRollbackReadWriteTransaction` `spanner.databases.beginPartitionedDmlTransaction` `spanner.databases.beginReadOnlyTransaction` `spanner.databases.changequorum` `spanner.databases.get` `spanner.databases.getDdl` `spanner.databases.partitionQuery` `spanner.databases.partitionRead` `spanner.databases.read` `spanner.databases.select` `spanner.databases.updateDdl` `spanner.databases.write` `spanner.instancePartitions.get` `spanner.instances.get` `spanner.sessions.` `spanner.sessions.create` `spanner.sessions.delete` `spanner.sessions.get` `spanner.sessions.list`
Cloud Spanner Fine-grained Access User (`roles/spanner.fineGrainedAccessUser`) Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the `roles/spanner.databaseRoleUser` IAM role and its necessary conditions. Lowest-level resources where you can grant this role: Instance Database	`spanner.databaseRoles.list` `spanner.databases.useRoleBasedAccess`
Cloud Spanner Database Graph Intelligence features user (`roles/spanner.graphIntelligenceUser`) Access to Graph Intelligence features.	`monitoring.timeSeries.create` `spanner.databases.beginReadOnlyTransaction` `spanner.databases.get` `spanner.databases.getDdl` `spanner.databases.partitionQuery` `spanner.databases.partitionRead` `spanner.databases.read` `spanner.databases.runGraphAlgorithms` `spanner.databases.select` `spanner.databases.useDataBoost` `spanner.instancePartitions.get` `spanner.instances.get` `spanner.sessions.*` `spanner.sessions.create` `spanner.sessions.delete` `spanner.sessions.get` `spanner.sessions.list`
Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`) A principal with this role can restore databases from backups. If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups. Lowest-level resources where you can grant this role: Instance Database	`monitoring.timeSeries.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `spanner.backups.get` `spanner.backups.list` `spanner.backups.restoreDatabase` `spanner.databaseOperations.*` `spanner.databaseOperations.cancel` `spanner.databaseOperations.get` `spanner.databaseOperations.list` `spanner.databases.create` `spanner.databases.get` `spanner.databases.list` `spanner.instancePartitions.get` `spanner.instancePartitions.list` `spanner.instances.createTagBinding` `spanner.instances.deleteTagBinding` `spanner.instances.get` `spanner.instances.list` `spanner.instances.listEffectiveTags` `spanner.instances.listTagBindings`

Cloud Spanner Admin

(roles/spanner.admin)

Has complete access to all Spanner resources in a Google Cloud project. A principal with this role can:

Grant and revoke permissions to other principals for all Spanner resources in the project.
Allocate and delete chargeable Spanner resources.
Issue get/list/modify operations on Cloud Spanner resources.
Read from and write to all Cloud Spanner databases in the project.
Fetch project metadata.

Lowest-level resources where you can grant this role:

Instance
Database

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.*

spanner.backupOperations.cancel
spanner.backupOperations.get
spanner.backupOperations.list
spanner.backupSchedules.create
spanner.backupSchedules.delete
spanner.backupSchedules.get
spanner.backupSchedules.getIamPolicy
spanner.backupSchedules.list
spanner.backupSchedules.setIamPolicy
spanner.backupSchedules.update
spanner.backups.copy
spanner.backups.create
spanner.backups.delete
spanner.backups.get
spanner.backups.getIamPolicy
spanner.backups.list
spanner.backups.restoreDatabase
spanner.backups.setIamPolicy
spanner.backups.update
spanner.databaseOperations.cancel
spanner.databaseOperations.get
spanner.databaseOperations.list
spanner.databaseRoles.list
spanner.databases.adapt
spanner.databases.addSplitPoints
spanner.databases.beginOrRollbackReadWriteTransaction
spanner.databases.beginPartitionedDmlTransaction
spanner.databases.beginReadOnlyTransaction
spanner.databases.changequorum
spanner.databases.create
spanner.databases.createBackup
spanner.databases.drop
spanner.databases.get
spanner.databases.getDdl
spanner.databases.getIamPolicy
spanner.databases.list
spanner.databases.partitionQuery
spanner.databases.partitionRead
spanner.databases.read
spanner.databases.runGraphAlgorithms
spanner.databases.select
spanner.databases.setIamPolicy
spanner.databases.update
spanner.databases.updateDdl
spanner.databases.useDataBoost
spanner.databases.useRoleBasedAccess
spanner.databases.write
spanner.instanceConfigOperations.cancel
spanner.instanceConfigOperations.delete
spanner.instanceConfigOperations.get
spanner.instanceConfigOperations.list
spanner.instanceConfigs.create
spanner.instanceConfigs.delete
spanner.instanceConfigs.get
spanner.instanceConfigs.list
spanner.instanceConfigs.update
spanner.instanceOperations.cancel
spanner.instanceOperations.delete
spanner.instanceOperations.get
spanner.instanceOperations.list
spanner.instancePartitionOperations.cancel
spanner.instancePartitionOperations.delete
spanner.instancePartitionOperations.get
spanner.instancePartitionOperations.list
spanner.instancePartitions.create
spanner.instancePartitions.delete
spanner.instancePartitions.get
spanner.instancePartitions.list
spanner.instancePartitions.update
spanner.instances.create
spanner.instances.createTagBinding
spanner.instances.delete
spanner.instances.deleteTagBinding
spanner.instances.get
spanner.instances.getIamPolicy
spanner.instances.list
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
spanner.instances.setIamPolicy
spanner.instances.update
spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

Spanner Editor

(roles/spanner.editor)

Editor role for spanner

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.backupOperations.*

spanner.backupOperations.cancel
spanner.backupOperations.get
spanner.backupOperations.list

spanner.backupSchedules.create

spanner.backupSchedules.delete

spanner.backupSchedules.get

spanner.backupSchedules.getIamPolicy

spanner.backupSchedules.list

spanner.backupSchedules.update

spanner.backups.copy

spanner.backups.create

spanner.backups.delete

spanner.backups.get

spanner.backups.getIamPolicy

spanner.backups.list

spanner.backups.restoreDatabase

spanner.backups.update

spanner.databaseOperations.*

spanner.databaseOperations.cancel
spanner.databaseOperations.get
spanner.databaseOperations.list

spanner.databaseRoles.list

spanner.databases.adapt

spanner.databases.addSplitPoints

spanner.databases.beginOrRollbackReadWriteTransaction

spanner.databases.beginPartitionedDmlTransaction

spanner.databases.beginReadOnlyTransaction

spanner.databases.changequorum

spanner.databases.create

spanner.databases.createBackup

spanner.databases.drop

spanner.databases.get

spanner.databases.getDdl

spanner.databases.getIamPolicy

spanner.databases.list

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.runGraphAlgorithms

spanner.databases.select

spanner.databases.update

spanner.databases.updateDdl

spanner.databases.useDataBoost

spanner.databases.useRoleBasedAccess

spanner.databases.write

spanner.instanceConfigOperations.*

spanner.instanceConfigOperations.cancel
spanner.instanceConfigOperations.delete
spanner.instanceConfigOperations.get
spanner.instanceConfigOperations.list

spanner.instanceConfigs.*

spanner.instanceConfigs.create
spanner.instanceConfigs.delete
spanner.instanceConfigs.get
spanner.instanceConfigs.list
spanner.instanceConfigs.update

spanner.instanceOperations.*

spanner.instanceOperations.cancel
spanner.instanceOperations.delete
spanner.instanceOperations.get
spanner.instanceOperations.list

spanner.instancePartitionOperations.*

spanner.instancePartitionOperations.cancel
spanner.instancePartitionOperations.delete
spanner.instancePartitionOperations.get
spanner.instancePartitionOperations.list

spanner.instancePartitions.*

spanner.instancePartitions.create
spanner.instancePartitions.delete
spanner.instancePartitions.get
spanner.instancePartitions.list
spanner.instancePartitions.update

spanner.instances.create

spanner.instances.delete

spanner.instances.get

spanner.instances.getIamPolicy

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

spanner.instances.update

spanner.sessions.*

spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

Cloud Spanner Viewer

(roles/spanner.viewer)

A principal with this role can:

View all Spanner instances (but cannot modify instances).
View all Spanner databases (but cannot modify or read from databases).

For example, you can combine this role with the roles/spanner.databaseUser role to grant a user with access to a specific database, but only view access to other instances and databases.

This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud console.

Lowest-level resources where you can grant this role:

Instance
Database

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.databases.get

spanner.databases.list

spanner.instanceConfigs.get

spanner.instanceConfigs.list

spanner.instancePartitions.get

spanner.instancePartitions.list

spanner.instances.get

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

Cloud Spanner Backup Admin

(roles/spanner.backupAdmin)

A principal with this role can:

Create, view, update, and delete backups.
View and manage a backup's allow policy.

This role cannot restore a database from a backup.

Lowest-level resources where you can grant this role:

Instance
Database

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.backupOperations.*

spanner.backupOperations.cancel
spanner.backupOperations.get
spanner.backupOperations.list

spanner.backupSchedules.create

spanner.backupSchedules.delete

spanner.backupSchedules.get

spanner.backupSchedules.list

spanner.backupSchedules.update

spanner.backups.copy

spanner.backups.create

spanner.backups.delete

spanner.backups.get

spanner.backups.getIamPolicy

spanner.backups.list

spanner.backups.setIamPolicy

spanner.backups.update

spanner.databases.createBackup

spanner.databases.get

spanner.databases.list

spanner.instancePartitions.get

spanner.instancePartitions.list

spanner.instances.createTagBinding

spanner.instances.deleteTagBinding

spanner.instances.get

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

Cloud Spanner Backup Writer

(roles/spanner.backupWriter)

This role is intended to be used by scripts that automate backup creation. A principal with this role can create backups, but cannot update or delete them.

Lowest-level resources where you can grant this role:

Instance
Database

spanner.backupOperations.get

spanner.backupOperations.list

spanner.backupSchedules.create

spanner.backupSchedules.get

spanner.backupSchedules.list

spanner.backups.copy

spanner.backups.create

spanner.backups.get

spanner.backups.list

spanner.databases.createBackup

spanner.databases.get

spanner.databases.list

spanner.instancePartitions.get

spanner.instances.get

Cloud Spanner Database Admin

(roles/spanner.databaseAdmin)

A principal with this role can:

Get/list all Spanner instances in the project.
Create/list/drop databases in an instance.
Grant/revoke access to databases in the project.
Read from and write to all Cloud Spanner databases in the project.

Lowest-level resources where you can grant this role:

Instance
Database

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.databaseOperations.*

spanner.databaseOperations.cancel
spanner.databaseOperations.get
spanner.databaseOperations.list

spanner.databaseRoles.list

spanner.databases.adapt

spanner.databases.addSplitPoints

spanner.databases.beginOrRollbackReadWriteTransaction

spanner.databases.beginPartitionedDmlTransaction

spanner.databases.beginReadOnlyTransaction

spanner.databases.changequorum

spanner.databases.create

spanner.databases.drop

spanner.databases.get

spanner.databases.getDdl

spanner.databases.getIamPolicy

spanner.databases.list

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.runGraphAlgorithms

spanner.databases.select

spanner.databases.setIamPolicy

spanner.databases.update

spanner.databases.updateDdl

spanner.databases.useDataBoost

spanner.databases.useRoleBasedAccess

spanner.databases.write

spanner.instancePartitions.get

spanner.instancePartitions.list

spanner.instances.createTagBinding

spanner.instances.deleteTagBinding

spanner.instances.get

spanner.instances.getIamPolicy

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

spanner.sessions.*

spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

Cloud Spanner Database Reader

(roles/spanner.databaseReader)

A principal with this role can:

Read from the Spanner database.
Execute SQL queries on the database.
View schema for the database.

Lowest-level resources where you can grant this role:

Instance
Database

monitoring.timeSeries.create

spanner.databases.beginReadOnlyTransaction

spanner.databases.get

spanner.databases.getDdl

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.select

spanner.instancePartitions.get

spanner.instances.get

spanner.sessions.*

spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

Cloud Spanner Database Reader with DataBoost

(roles/spanner.databaseReaderWithDataBoost)

Includes all permissions in the spanner.databaseReader role enabling access to read and/or query a Cloud Spanner database using instance resources, as well as the permission to access the database with Data Boost, a fully managed serverless service that provides independent compute resources.

Lowest-level resources where you can grant this role:

Instance
Database

monitoring.timeSeries.create

spanner.databases.beginReadOnlyTransaction

spanner.databases.get

spanner.databases.getDdl

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.select

spanner.databases.useDataBoost

spanner.instancePartitions.get

spanner.instances.get

spanner.sessions.*

spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

Cloud Spanner Database Role User

(roles/spanner.databaseRoleUser)

In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`.

Lowest-level resources where you can grant this role:

Instance
Database

Cloud Spanner Database User

(roles/spanner.databaseUser)

A principal with this role can:

Read from and write to the Spanner database.
Execute SQL queries on the database, including DML and Partitioned DML.
View and update schema for the database.

Lowest-level resources where you can grant this role:

Instance
Database

monitoring.timeSeries.create

spanner.databaseOperations.*

spanner.databaseOperations.cancel
spanner.databaseOperations.get
spanner.databaseOperations.list

spanner.databases.adapt

spanner.databases.beginOrRollbackReadWriteTransaction

spanner.databases.beginPartitionedDmlTransaction

spanner.databases.beginReadOnlyTransaction

spanner.databases.changequorum

spanner.databases.get

spanner.databases.getDdl

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.select

spanner.databases.updateDdl

spanner.databases.write

spanner.instancePartitions.get

spanner.instances.get

spanner.sessions.*

spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

Cloud Spanner Fine-grained Access User

(roles/spanner.fineGrainedAccessUser)

Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the `roles/spanner.databaseRoleUser` IAM role and its necessary conditions.

Lowest-level resources where you can grant this role:

Instance
Database

spanner.databaseRoles.list

spanner.databases.useRoleBasedAccess

Cloud Spanner Database Graph Intelligence features user

(roles/spanner.graphIntelligenceUser)

Access to Graph Intelligence features.

monitoring.timeSeries.create

spanner.databases.beginReadOnlyTransaction

spanner.databases.get

spanner.databases.getDdl

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.runGraphAlgorithms

spanner.databases.select

spanner.databases.useDataBoost

spanner.instancePartitions.get

spanner.instances.get

spanner.sessions.*

spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

Cloud Spanner Restore Admin

(roles/spanner.restoreAdmin)

A principal with this role can restore databases from backups.

If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups.

Lowest-level resources where you can grant this role:

Instance
Database

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.backups.get

spanner.backups.list

spanner.backups.restoreDatabase

spanner.databaseOperations.*

spanner.databaseOperations.cancel
spanner.databaseOperations.get
spanner.databaseOperations.list

spanner.databases.create

spanner.databases.get

spanner.databases.list

spanner.instancePartitions.get

spanner.instancePartitions.list

spanner.instances.createTagBinding

spanner.instances.deleteTagBinding

spanner.instances.get

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

Service agent roles

Service agent roles should only be granted to service agents.

Role Permissions

Role	Permissions
Cloud Spanner API Service Agent (`roles/spanner.serviceAgent`) Cloud Spanner API Service Agent Warning: Do not grant service agent roles to any principals except service agents.	`aiplatform.endpoints.get` `aiplatform.endpoints.list` `aiplatform.endpoints.predict` `aiplatform.models.get` `aiplatform.models.list` `compute.disks.create` `compute.disks.createTagBinding` `compute.disks.use` `compute.instances.create` `compute.instances.createTagBinding` `compute.instances.delete` `compute.instances.get` `compute.instances.setLabels` `compute.instances.setMetadata` `compute.instances.setServiceAccount` `compute.networks.create` `compute.networks.use` `compute.networks.useExternalIp` `compute.subnetworks.create` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `logging.logEntries.create` `run.jobs.run` `run.routes.invoke` `spanner.databases.beginOrRollbackReadWriteTransaction` `spanner.databases.beginReadOnlyTransaction` `spanner.databases.partitionQuery` `spanner.databases.select` `spanner.databases.useDataBoost` `spanner.databases.write` `spanner.sessions.create` `storage.buckets.create` `storage.buckets.get` `storage.buckets.list` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.list`

Cloud Spanner API Service Agent

(roles/spanner.serviceAgent)

Cloud Spanner API Service Agent

aiplatform.endpoints.get

aiplatform.endpoints.list

aiplatform.endpoints.predict

aiplatform.models.get

aiplatform.models.list

compute.disks.create

compute.disks.createTagBinding

compute.disks.use

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.get

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.networks.create

compute.networks.use

compute.networks.useExternalIp

compute.subnetworks.create

compute.subnetworks.use

compute.subnetworks.useExternalIp

logging.logEntries.create

run.jobs.run

run.routes.invoke

spanner.databases.beginOrRollbackReadWriteTransaction

spanner.databases.beginReadOnlyTransaction

spanner.databases.partitionQuery

spanner.databases.select

spanner.databases.useDataBoost

spanner.databases.write

spanner.sessions.create

storage.buckets.create

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

Spanner permissions

Permission	Included in roles
`spanner.backupOperations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`)
`spanner.backupOperations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Backup Writer (`roles/spanner.backupWriter`)
`spanner.backupOperations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Backup Writer (`roles/spanner.backupWriter`)
`spanner.backupSchedules.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Backup Writer (`roles/spanner.backupWriter`)
`spanner.backupSchedules.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`)
`spanner.backupSchedules.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Backup Writer (`roles/spanner.backupWriter`)
`spanner.backupSchedules.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`spanner.backupSchedules.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Backup Writer (`roles/spanner.backupWriter`)
`spanner.backupSchedules.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Cloud Spanner Admin (`roles/spanner.admin`) Databases Admin (`roles/iam.databasesAdmin`)
`spanner.backupSchedules.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`)
`spanner.backups.copy`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Backup Writer (`roles/spanner.backupWriter`)
`spanner.backups.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Backup Writer (`roles/spanner.backupWriter`)
`spanner.backups.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`)
`spanner.backups.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Backup Writer (`roles/spanner.backupWriter`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`)
`spanner.backups.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`)
`spanner.backups.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Backup Writer (`roles/spanner.backupWriter`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`)
`spanner.backups.restoreDatabase`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`)
`spanner.backups.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Cloud Spanner Admin (`roles/spanner.admin`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`)
`spanner.backups.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`)
`spanner.databaseOperations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.databaseOperations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.databaseOperations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.databaseRoles.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Fine-grained Access User (`roles/spanner.fineGrainedAccessUser`)
`spanner.databases.adapt`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.databases.addSplitPoints`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`)
`spanner.databases.beginOrRollbackReadWriteTransaction`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Spanner API Service Agent (`roles/spanner.serviceAgent`)
`spanner.databases.beginPartitionedDmlTransaction`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.databases.beginReadOnlyTransaction`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database Reader (`roles/spanner.databaseReader`) Cloud Spanner Database Reader with DataBoost (`roles/spanner.databaseReaderWithDataBoost`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Cloud Spanner Database Graph Intelligence features user (`roles/spanner.graphIntelligenceUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) Cloud Spanner API Service Agent (`roles/spanner.serviceAgent`)
`spanner.databases.changequorum`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.databases.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`spanner.databases.createBackup`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Backup Writer (`roles/spanner.backupWriter`)
`spanner.databases.drop`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`spanner.databases.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Cloud Spanner Viewer (`roles/spanner.viewer`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Backup Writer (`roles/spanner.backupWriter`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database Reader (`roles/spanner.databaseReader`) Cloud Spanner Database Reader with DataBoost (`roles/spanner.databaseReaderWithDataBoost`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Cloud Spanner Database Graph Intelligence features user (`roles/spanner.graphIntelligenceUser`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.databases.getDdl`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database Reader (`roles/spanner.databaseReader`) Cloud Spanner Database Reader with DataBoost (`roles/spanner.databaseReaderWithDataBoost`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Cloud Spanner Database Graph Intelligence features user (`roles/spanner.graphIntelligenceUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`)
`spanner.databases.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`)
`spanner.databases.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Cloud Spanner Viewer (`roles/spanner.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Backup Writer (`roles/spanner.backupWriter`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.databases.partitionQuery`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database Reader (`roles/spanner.databaseReader`) Cloud Spanner Database Reader with DataBoost (`roles/spanner.databaseReaderWithDataBoost`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Cloud Spanner Database Graph Intelligence features user (`roles/spanner.graphIntelligenceUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) Cloud Spanner API Service Agent (`roles/spanner.serviceAgent`)
`spanner.databases.partitionRead`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database Reader (`roles/spanner.databaseReader`) Cloud Spanner Database Reader with DataBoost (`roles/spanner.databaseReaderWithDataBoost`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Cloud Spanner Database Graph Intelligence features user (`roles/spanner.graphIntelligenceUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`)
`spanner.databases.read`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database Reader (`roles/spanner.databaseReader`) Cloud Spanner Database Reader with DataBoost (`roles/spanner.databaseReaderWithDataBoost`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Cloud Spanner Database Graph Intelligence features user (`roles/spanner.graphIntelligenceUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`)
`spanner.databases.runGraphAlgorithms`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database Graph Intelligence features user (`roles/spanner.graphIntelligenceUser`)
`spanner.databases.select`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database Reader (`roles/spanner.databaseReader`) Cloud Spanner Database Reader with DataBoost (`roles/spanner.databaseReaderWithDataBoost`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Cloud Spanner Database Graph Intelligence features user (`roles/spanner.graphIntelligenceUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) Cloud Spanner API Service Agent (`roles/spanner.serviceAgent`)
`spanner.databases.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Cloud Spanner Admin (`roles/spanner.admin`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`)
`spanner.databases.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`)
`spanner.databases.updateDdl`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.databases.useDataBoost`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database Reader with DataBoost (`roles/spanner.databaseReaderWithDataBoost`) Cloud Spanner Database Graph Intelligence features user (`roles/spanner.graphIntelligenceUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Datastream Service Agent (`roles/datastream.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) Cloud Spanner API Service Agent (`roles/spanner.serviceAgent`)
`spanner.databases.useRoleBasedAccess`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Fine-grained Access User (`roles/spanner.fineGrainedAccessUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Datastream Service Agent (`roles/datastream.serviceAgent`)
`spanner.databases.write`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Spanner API Service Agent (`roles/spanner.serviceAgent`)
`spanner.instanceConfigOperations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`)
`spanner.instanceConfigOperations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`)
`spanner.instanceConfigOperations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`)
`spanner.instanceConfigOperations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`spanner.instanceConfigs.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`)
`spanner.instanceConfigs.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`)
`spanner.instanceConfigs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Cloud Spanner Viewer (`roles/spanner.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.instanceConfigs.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Cloud Spanner Viewer (`roles/spanner.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.instanceConfigs.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`)
`spanner.instanceOperations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`)
`spanner.instanceOperations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`)
`spanner.instanceOperations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`spanner.instanceOperations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`spanner.instancePartitionOperations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`)
`spanner.instancePartitionOperations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`)
`spanner.instancePartitionOperations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`)
`spanner.instancePartitionOperations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`spanner.instancePartitions.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`)
`spanner.instancePartitions.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`)
`spanner.instancePartitions.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Cloud Spanner Viewer (`roles/spanner.viewer`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Backup Writer (`roles/spanner.backupWriter`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database Reader (`roles/spanner.databaseReader`) Cloud Spanner Database Reader with DataBoost (`roles/spanner.databaseReaderWithDataBoost`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Cloud Spanner Database Graph Intelligence features user (`roles/spanner.graphIntelligenceUser`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.instancePartitions.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Cloud Spanner Viewer (`roles/spanner.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.instancePartitions.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`)
`spanner.instances.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`spanner.instances.createTagBinding`	Owner (`roles/owner`) Tag User (`roles/resourcemanager.tagUser`) Cloud Spanner Admin (`roles/spanner.admin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`)
`spanner.instances.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`spanner.instances.deleteTagBinding`	Owner (`roles/owner`) Tag User (`roles/resourcemanager.tagUser`) Cloud Spanner Admin (`roles/spanner.admin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`)
`spanner.instances.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Cloud Spanner Viewer (`roles/spanner.viewer`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Backup Writer (`roles/spanner.backupWriter`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database Reader (`roles/spanner.databaseReader`) Cloud Spanner Database Reader with DataBoost (`roles/spanner.databaseReaderWithDataBoost`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Cloud Spanner Database Graph Intelligence features user (`roles/spanner.graphIntelligenceUser`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.instances.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`)
`spanner.instances.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Cloud Spanner Viewer (`roles/spanner.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.instances.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Cloud Spanner Viewer (`roles/spanner.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.instances.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Cloud Spanner Viewer (`roles/spanner.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)
`spanner.instances.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Cloud Spanner Admin (`roles/spanner.admin`) Databases Admin (`roles/iam.databasesAdmin`)
`spanner.instances.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`spanner.sessions.create`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database Reader (`roles/spanner.databaseReader`) Cloud Spanner Database Reader with DataBoost (`roles/spanner.databaseReaderWithDataBoost`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Cloud Spanner Database Graph Intelligence features user (`roles/spanner.graphIntelligenceUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) Cloud Spanner API Service Agent (`roles/spanner.serviceAgent`)
`spanner.sessions.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database Reader (`roles/spanner.databaseReader`) Cloud Spanner Database Reader with DataBoost (`roles/spanner.databaseReaderWithDataBoost`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Cloud Spanner Database Graph Intelligence features user (`roles/spanner.graphIntelligenceUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`)
`spanner.sessions.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database Reader (`roles/spanner.databaseReader`) Cloud Spanner Database Reader with DataBoost (`roles/spanner.databaseReaderWithDataBoost`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Cloud Spanner Database Graph Intelligence features user (`roles/spanner.graphIntelligenceUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`)
`spanner.sessions.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Spanner Admin (`roles/spanner.admin`) Spanner Editor (`roles/spanner.editor`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) Cloud Spanner Database Reader (`roles/spanner.databaseReader`) Cloud Spanner Database Reader with DataBoost (`roles/spanner.databaseReaderWithDataBoost`) Cloud Spanner Database User (`roles/spanner.databaseUser`) Cloud Spanner Database Graph Intelligence features user (`roles/spanner.graphIntelligenceUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`)

Spanner roles and permissions Stay organized with collections Save and categorize content based on your preferences.

Spanner roles

Cloud Spanner Admin

Spanner Editor

Cloud Spanner Viewer

Cloud Spanner Backup Admin

Cloud Spanner Backup Writer

Cloud Spanner Database Admin

Cloud Spanner Database Reader

Cloud Spanner Database Reader with DataBoost

Cloud Spanner Database Role User

Cloud Spanner Database User

Cloud Spanner Fine-grained Access User

Cloud Spanner Database Graph Intelligence features user

Cloud Spanner Restore Admin

Service agent roles

Cloud Spanner API Service Agent

Spanner permissions

spanner.backupOperations.cancel

spanner.backupOperations.get

spanner.backupOperations.list

spanner.backupSchedules.create

spanner.backupSchedules.delete

spanner.backupSchedules.get

spanner.backupSchedules.getIamPolicy

spanner.backupSchedules.list

spanner.backupSchedules.setIamPolicy

spanner.backupSchedules.update

spanner.backups.copy

spanner.backups.create

spanner.backups.delete

spanner.backups.get

spanner.backups.getIamPolicy

spanner.backups.list

spanner.backups.restoreDatabase

spanner.backups.setIamPolicy

spanner.backups.update

spanner.databaseOperations.cancel

spanner.databaseOperations.get

spanner.databaseOperations.list

spanner.databaseRoles.list

spanner.databases.adapt

spanner.databases.addSplitPoints

spanner.databases.beginOrRollbackReadWriteTransaction

spanner.databases.beginPartitionedDmlTransaction

spanner.databases.beginReadOnlyTransaction

spanner.databases.changequorum

spanner.databases.create

spanner.databases.createBackup

spanner.databases.drop

spanner.databases.get

spanner.databases.getDdl

spanner.databases.getIamPolicy

spanner.databases.list

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.runGraphAlgorithms

spanner.databases.select

spanner.databases.setIamPolicy

spanner.databases.update

spanner.databases.updateDdl

spanner.databases.useDataBoost

spanner.databases.useRoleBasedAccess

spanner.databases.write

spanner.instanceConfigOperations.cancel

spanner.instanceConfigOperations.delete

spanner.instanceConfigOperations.get

spanner.instanceConfigOperations.list

spanner.instanceConfigs.create

spanner.instanceConfigs.delete

spanner.instanceConfigs.get

spanner.instanceConfigs.list

spanner.instanceConfigs.update

spanner.instanceOperations.cancel

spanner.instanceOperations.delete

spanner.instanceOperations.get

spanner.instanceOperations.list

spanner.instancePartitionOperations.cancel

spanner.instancePartitionOperations.delete

Spanner roles and permissions

`spanner.backupOperations.cancel`

`spanner.backupOperations.get`

`spanner.backupOperations.list`

`spanner.backupSchedules.create`

`spanner.backupSchedules.delete`

`spanner.backupSchedules.get`

`spanner.backupSchedules.getIamPolicy`

`spanner.backupSchedules.list`

`spanner.backupSchedules.setIamPolicy`

`spanner.backupSchedules.update`

`spanner.backups.copy`

`spanner.backups.create`

`spanner.backups.delete`

`spanner.backups.get`

`spanner.backups.getIamPolicy`

`spanner.backups.list`

`spanner.backups.restoreDatabase`

`spanner.backups.setIamPolicy`

`spanner.backups.update`

`spanner.databaseOperations.cancel`

`spanner.databaseOperations.get`

`spanner.databaseOperations.list`

`spanner.databaseRoles.list`

`spanner.databases.adapt`

`spanner.databases.addSplitPoints`

`spanner.databases.beginOrRollbackReadWriteTransaction`

`spanner.databases.beginPartitionedDmlTransaction`

`spanner.databases.beginReadOnlyTransaction`

`spanner.databases.changequorum`

`spanner.databases.create`

`spanner.databases.createBackup`

`spanner.databases.drop`

`spanner.databases.get`

`spanner.databases.getDdl`

`spanner.databases.getIamPolicy`

`spanner.databases.list`

`spanner.databases.partitionQuery`

`spanner.databases.partitionRead`

`spanner.databases.read`

`spanner.databases.runGraphAlgorithms`

`spanner.databases.select`

`spanner.databases.setIamPolicy`

`spanner.databases.update`

`spanner.databases.updateDdl`

`spanner.databases.useDataBoost`

`spanner.databases.useRoleBasedAccess`

`spanner.databases.write`

`spanner.instanceConfigOperations.cancel`

`spanner.instanceConfigOperations.delete`

`spanner.instanceConfigOperations.get`

`spanner.instanceConfigOperations.list`

`spanner.instanceConfigs.create`

`spanner.instanceConfigs.delete`

`spanner.instanceConfigs.get`

`spanner.instanceConfigs.list`

`spanner.instanceConfigs.update`

`spanner.instanceOperations.cancel`

`spanner.instanceOperations.delete`

`spanner.instanceOperations.get`

`spanner.instanceOperations.list`

`spanner.instancePartitionOperations.cancel`

`spanner.instancePartitionOperations.delete`

`spanner.instancePartitionOperations.get`

`spanner.instancePartitionOperations.list`

`spanner.instancePartitions.create`

`spanner.instancePartitions.delete`

`spanner.instancePartitions.get`

`spanner.instancePartitions.list`

`spanner.instancePartitions.update`

`spanner.instances.create`

`spanner.instances.createTagBinding`

`spanner.instances.delete`

`spanner.instances.deleteTagBinding`

`spanner.instances.get`

`spanner.instances.getIamPolicy`

`spanner.instances.list`

`spanner.instances.listEffectiveTags`

`spanner.instances.listTagBindings`

`spanner.instances.setIamPolicy`