View all Spanner instances (but cannot modify instances).
View all Spanner databases (but cannot modify or read from databases).
For example, you can combine this role with the roles/spanner.databaseUser role to
grant a user access to a specific database while giving that user only view access to the
other instances and databases in the project.
This role is recommended at the Google Cloud project level for users interacting with Cloud
Spanner resources in the Google Cloud console.
Lowest-level resources where you can grant this role:
Instance
Database
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databases.get
spanner.databases.list
spanner.instanceConfigs.get
spanner.instanceConfigs.list
spanner.instancePartitions.get
spanner.instancePartitions.list
spanner.instances.get
spanner.instances.list
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
Cloud Spanner Backup Admin
(roles/spanner.backupAdmin)
A principal with this role can:
Create, view, update, and delete backups.
View and manage a backup's allow policy.
This role cannot restore a database from a backup.
Lowest-level resources where you can grant this role:
Instance
Database
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.backupOperations.*
spanner.backupOperations.cancel
spanner.backupOperations.get
spanner.backupOperations.list
spanner.backupSchedules.create
spanner.backupSchedules.delete
spanner.backupSchedules.get
spanner.backupSchedules.list
spanner.backupSchedules.update
spanner.backups.copy
spanner.backups.create
spanner.backups.delete
spanner.backups.get
spanner.backups.getIamPolicy
spanner.backups.list
spanner.backups.setIamPolicy
spanner.backups.update
spanner.databases.createBackup
spanner.databases.get
spanner.databases.list
spanner.instancePartitions.get
spanner.instancePartitions.list
spanner.instances.createTagBinding
spanner.instances.deleteTagBinding
spanner.instances.get
spanner.instances.list
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
Cloud Spanner Backup Writer
(roles/spanner.backupWriter)
This role is intended to be used by scripts that automate backup creation.
A principal with this role can create backups, but cannot update or delete them.
Lowest-level resources where you can grant this role:
Instance
Database
spanner.backupOperations.get
spanner.backupOperations.list
spanner.backupSchedules.create
spanner.backupSchedules.get
spanner.backupSchedules.list
spanner.backups.copy
spanner.backups.create
spanner.backups.get
spanner.backups.list
spanner.databases.createBackup
spanner.databases.get
spanner.databases.list
spanner.instancePartitions.get
spanner.instances.get
Cloud Spanner Database Admin
(roles/spanner.databaseAdmin)
A principal with this role can:
Get/list all Spanner instances in the project.
Create/list/drop databases in an instance.
Grant/revoke access to databases in the project.
Read from and write to all Cloud Spanner databases in the project.
Lowest-level resources where you can grant this role:
Instance
Database
Cloud Spanner Database Reader
(roles/spanner.databaseReader)
dataplex.locations.*
dataplex.locations.get
dataplex.locations.list
dataplex.operations.get
dataplex.operations.list
monitoring.timeSeries.create
spanner.databases.beginReadOnlyTransaction
spanner.databases.get
spanner.databases.getDdl
spanner.databases.partitionQuery
spanner.databases.partitionRead
spanner.databases.read
spanner.databases.select
spanner.instancePartitions.get
spanner.instances.get
spanner.sessions.*
spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list
Cloud Spanner Database Reader with DataBoost
(roles/spanner.databaseReaderWithDataBoost)
Includes all permissions in the spanner.databaseReader role, which allow reading from and querying a Cloud Spanner database using the instance's own compute resources, plus the permission to access the database with Data Boost, a fully managed serverless service that provides independent compute resources.
Lowest-level resources where you can grant this role:
Instance
Database
dataplex.locations.*
dataplex.locations.get
dataplex.locations.list
dataplex.operations.get
dataplex.operations.list
monitoring.timeSeries.create
spanner.databases.beginReadOnlyTransaction
spanner.databases.get
spanner.databases.getDdl
spanner.databases.partitionQuery
spanner.databases.partitionRead
spanner.databases.read
spanner.databases.select
spanner.databases.useDataBoost
spanner.instancePartitions.get
spanner.instances.get
spanner.sessions.*
spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list
Cloud Spanner Database Role User
(roles/spanner.databaseRoleUser)
In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`.
Lowest-level resources where you can grant this role:
Instance
Database
Cloud Spanner Database User
(roles/spanner.databaseUser)
A principal with this role can:
Read from and write to the Spanner database.
Execute SQL queries on the database, including DML and Partitioned DML.
View and update schema for the database.
Lowest-level resources where you can grant this role:
Instance
Database
Cloud Spanner Fine-grained Access User
(roles/spanner.fineGrainedAccessUser)
Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the `roles/spanner.databaseRoleUser` IAM role and its necessary conditions.
Lowest-level resources where you can grant this role:
Instance
Database
spanner.databaseRoles.list
spanner.databases.useRoleBasedAccess
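The two roles above are meant to be granted together: an unconditional roles/spanner.fineGrainedAccessUser binding, plus one roles/spanner.databaseRoleUser binding per database role, each carrying the DatabaseRole condition described above. The following is an added example, not code from the Google Cloud documentation. It assembles those bindings for one principal and evaluates the condition against DatabaseRole resource names, which shows why the prescribed suffix keeps its leading slash. The evaluator only understands the resource.type equality and resource.name.endsWith() clauses used here (it is a model, not a CEL engine), and the member, project, instance, database and role names are made up for the example.

```python
"""Building and evaluating the DatabaseRole condition for fine-grained access.

Added example, not code from the Google Cloud documentation. The evaluator
models only the two clauses the documentation prescribes; it is not a CEL
engine. All names below are constructed for the example.
"""
import re

DATABASE_ROLE_TYPE = "spanner.googleapis.com/DatabaseRole"
FGAC_USER = "roles/spanner.fineGrainedAccessUser"
ROLE_USER = "roles/spanner.databaseRoleUser"

# Shape of the condition expression for one database role.
_EXPR_RE = re.compile(
    r'^resource\.type == "([^"]+)" && resource\.name\.endsWith\("([^"]+)"\)$'
)


def database_role_condition(role_name):
    """IAM condition that matches exactly one Spanner database role.

    The suffix keeps its leading slash on purpose: a DatabaseRole resource
    name ends in .../databaseRoles/ROLE, so "/hr_analyst" matches only that
    role, whereas a bare "hr_analyst" would also match "sr_hr_analyst".
    """
    if not role_name or "/" in role_name:
        raise ValueError("expected a bare database role name")
    return {
        "title": f"spanner-db-role-{role_name}",
        "expression": (
            f'resource.type == "{DATABASE_ROLE_TYPE}" && '
            f'resource.name.endsWith("/{role_name}")'
        ),
    }


def fine_grained_bindings(member, role_names):
    """Bindings to add to the database's IAM policy for one principal."""
    bindings = [{"role": FGAC_USER, "members": [member]}]
    for name in role_names:
        bindings.append({
            "role": ROLE_USER,
            "members": [member],
            "condition": database_role_condition(name),
        })
    return bindings


def condition_matches(condition, resource_type, resource_name):
    """Evaluate a condition of the prescribed shape against one resource."""
    match = _EXPR_RE.fullmatch(condition["expression"])
    if match is None:
        raise ValueError("unsupported condition expression")
    wanted_type, suffix = match.groups()
    return resource_type == wanted_type and resource_name.endswith(suffix)


def can_use_database_role(bindings, member, role_resource_name):
    """True if the member holds both roles and some condition admits this role."""
    has_fgac = any(b["role"] == FGAC_USER and member in b["members"] for b in bindings)
    if not has_fgac:
        return False
    return any(
        b["role"] == ROLE_USER
        and member in b["members"]
        and condition_matches(b["condition"], DATABASE_ROLE_TYPE, role_resource_name)
        for b in bindings
    )


if __name__ == "__main__":
    # Constructed sample: one principal, one database, two candidate roles.
    prefix = "projects/demo/instances/main/databases/hr/databaseRoles/"
    policy = fine_grained_bindings("user:alice@example.com", ["hr_analyst"])
    for role in ("hr_analyst", "sr_hr_analyst"):
        ok = can_use_database_role(policy, "user:alice@example.com", prefix + role)
        print(f"{role}: {'granted' if ok else 'denied'}")
```

On a real database the same bindings are applied with `gcloud spanner databases add-iam-policy-binding`, passing the role and a `--condition=expression=...,title=...` flag whose expression is the string that database_role_condition() returns. Dropping the slash from the suffix is the mistake worth testing for, since it silently widens the grant to every database role whose name ends in the same text.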
Cloud Spanner Database Graph Intelligence features user
(roles/spanner.graphIntelligenceUser)
Access to Graph Intelligence features.
dataplex.locations.*
dataplex.locations.get
dataplex.locations.list
dataplex.operations.get
dataplex.operations.list
monitoring.timeSeries.create
spanner.databases.beginReadOnlyTransaction
spanner.databases.get
spanner.databases.getDdl
spanner.databases.partitionQuery
spanner.databases.partitionRead
spanner.databases.read
spanner.databases.runGraphAlgorithms
spanner.databases.select
spanner.databases.useDataBoost
spanner.instancePartitions.get
spanner.instances.get
spanner.sessions.*
spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list
Cloud Spanner Restore Admin
(roles/spanner.restoreAdmin)
A principal with this role can restore databases from backups.
If you need to restore a backup to a different instance, grant this role at the project
level or on both instances: the one that holds the backup and the destination instance. This role cannot create backups.
Lowest-level resources where you can grant this role:
Instance
Database
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.backups.get
spanner.backups.list
spanner.backups.restoreDatabase
spanner.databaseOperations.*
spanner.databaseOperations.cancel
spanner.databaseOperations.get
spanner.databaseOperations.list
spanner.databases.create
spanner.databases.get
spanner.databases.list
spanner.instancePartitions.get
spanner.instancePartitions.list
spanner.instances.createTagBinding
spanner.instances.deleteTagBinding
spanner.instances.get
spanner.instances.list
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
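Two placements recommended on this page depend on the same mechanism: an IAM binding on a resource is inherited by everything below it in the project > instance > database hierarchy, and a role granted on a database does not reach back up to the instance or across to sibling databases. That is what makes the combination of roles/spanner.viewer at the project with roles/spanner.databaseUser on one database a least-privilege setup, and why a cross-instance restore needs roles/spanner.restoreAdmin on both instances (or at the project). The following is an added example, not code from the Google Cloud documentation or the Cloud IAM service: it models that inheritance with a small policy store and checks both placements. The resource names, principals and the restore-placement helper are assumptions made for the example.

```python
"""Model of how Spanner IAM bindings compose down the resource hierarchy.

Added example, not Google Cloud code. It walks the project > instance >
database ancestry (the order in which IAM inherits bindings) and uses it to
check role placements discussed on this page. Resource names and principals
are constructed for the example.
"""
import re

# Accepts project, instance or database resource names of the Spanner form.
_RESOURCE_RE = re.compile(
    r"^projects/[^/]+(?:/instances/[^/]+(?:/databases/[^/]+)?)?$"
)


def ancestors(resource):
    """Return the resource followed by each ancestor up to the project."""
    if not _RESOURCE_RE.match(resource):
        raise ValueError(f"unsupported resource name: {resource}")
    parts = resource.split("/")  # collection/id pairs: projects,p,instances,i,...
    return ["/".join(parts[:n]) for n in range(len(parts), 0, -2)]


class IamPolicies:
    """Per-resource bindings; effective roles are the union over ancestors."""

    def __init__(self):
        self._bindings = {}  # resource name -> list of (role, member)

    def grant(self, resource, role, member):
        ancestors(resource)  # validate the name before storing it
        self._bindings.setdefault(resource, []).append((role, member))

    def effective_roles(self, member, resource):
        roles = set()
        for ancestor in ancestors(resource):
            for role, bound_member in self._bindings.get(ancestor, []):
                if bound_member == member:
                    roles.add(role)
        return roles

    def has_role(self, member, resource, role):
        return role in self.effective_roles(member, resource)


def restore_placement_ok(policies, member, backup_instance, target_instance):
    """Cross-instance restore needs restoreAdmin effective on both instances.

    A project-level grant satisfies this because it is inherited by both.
    """
    role = "roles/spanner.restoreAdmin"
    return (policies.has_role(member, backup_instance, role)
            and policies.has_role(member, target_instance, role))


if __name__ == "__main__":
    policies = IamPolicies()
    alice = "user:alice@example.com"
    policies.grant("projects/demo", "roles/spanner.viewer", alice)
    policies.grant("projects/demo/instances/prod/databases/orders",
                   "roles/spanner.databaseUser", alice)
    for db in ("orders", "billing"):
        name = f"projects/demo/instances/prod/databases/{db}"
        print(db, sorted(policies.effective_roles(alice, name)))

    bob = "user:bob@example.com"
    policies.grant("projects/demo/instances/prod", "roles/spanner.restoreAdmin", bob)
    print("prod -> dr restore:", restore_placement_ok(
        policies, bob, "projects/demo/instances/prod", "projects/demo/instances/dr"))
```

The check to carry over to a real project is the second one: a principal who can restore from the backup's instance but holds no role on the destination instance will fail the restore, and widening the grant to the project level is the documented fix, at the cost of reaching every instance in the project.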
Service agent roles
Service agent roles should only be granted to service agents.