Spanner roles and permissions
This page lists the IAM roles and permissions for Spanner. Tosearch through all roles and permissions, see therole andpermission index.
Spanner roles
| Role | Permissions |
|---|---|
Cloud Spanner Admin( Has complete access to all Spannerresources in a Google Cloud project. A principal with this role can:
Lowest-level resources where you can grant this role:
|
|
Cloud Spanner Backup Admin( A principal with this role can:
This role cannot restore a database from a backup. Lowest-level resources where you can grant this role:
|
|
Cloud Spanner Backup Writer( This role is intended to be used by scripts that automate backup creation.A principal with this role can create backups, but cannot update or delete them. Lowest-level resources where you can grant this role:
|
|
Cloud Spanner Database Admin( A principal with this role can:
Lowest-level resources where you can grant this role:
|
|
Cloud Spanner Database Reader( A principal with this role can:
Lowest-level resources where you can grant this role:
|
|
Cloud Spanner Database Reader with DataBoost( Includes all permissions in the spanner.databaseReader role enabling access to read and/or query a Cloud Spanner database using instance resources, as well as the permission to access the database with Data Boost, a fully managed serverless service that provides independent compute resources. Lowest-level resources where you can grant this role:
|
|
Cloud Spanner Database Role User( In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`. Lowest-level resources where you can grant this role:
| |
Cloud Spanner Database User( A principal with this role can:
Lowest-level resources where you can grant this role:
|
|
Cloud Spanner Fine-grained Access User( Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the `roles/spanner.databaseRoleUser` IAM role and its necessary conditions. Lowest-level resources where you can grant this role:
|
|
Cloud Spanner Restore Admin( A principal with this role can restore databases from backups. If you need to restore a backup to a different instance, apply thisrole at the project level or to both instances. This role cannot create backups. Lowest-level resources where you can grant this role:
|
|
Cloud Spanner API Service Agent( Cloud Spanner API Service Agent Warning: Do not grant service agent roles to any principals exceptservice agents. |
|
Cloud Spanner Viewer( A principal with this role can:
For example, you can combine this role with the This role is recommended at the Google Cloud project level for users interacting with CloudSpanner resources in the Google Cloud console. Lowest-level resources where you can grant this role:
|
|
Spanner permissions
| Permission | Included in roles |
|---|---|
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( |
| Owner ( Editor ( Viewer ( Databases Admin ( Support User ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Backup Writer ( |
| Owner ( Editor ( Viewer ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Backup Writer ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Backup Writer ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( |
| Owner ( Editor ( Viewer ( Databases Admin ( Support User ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Backup Writer ( |
| Owner ( Editor ( Viewer ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Support User ( Cloud Spanner Admin ( |
| Owner ( Editor ( Viewer ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Backup Writer ( |
| Owner ( Databases Admin ( Security Admin ( Cloud Spanner Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Backup Writer ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Backup Writer ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( |
| Owner ( Editor ( Viewer ( Databases Admin ( Support User ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Backup Writer ( Cloud Spanner Restore Admin ( |
| Owner ( Editor ( Viewer ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( |
| Owner ( Editor ( Viewer ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Backup Writer ( Cloud Spanner Restore Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Restore Admin ( |
| Owner ( Databases Admin ( Security Admin ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database User ( Cloud Spanner Restore Admin ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Databases Admin ( Support User ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database User ( Cloud Spanner Restore Admin ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database User ( Cloud Spanner Restore Admin ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Fine-grained Access User ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Data Scientist ( Databases Admin ( Support User ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database Reader ( Cloud Spanner Database Reader with DataBoost ( Cloud Spanner Database User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Restore Admin ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Backup Writer ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Data Scientist ( Databases Admin ( Site Reliability Engineer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Backup Writer ( Cloud Spanner Database Admin ( Cloud Spanner Database Reader ( Cloud Spanner Database Reader with DataBoost ( Cloud Spanner Database User ( Cloud Spanner Restore Admin ( Cloud Spanner Viewer ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Data Scientist ( Databases Admin ( Support User ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database Reader ( Cloud Spanner Database Reader with DataBoost ( Cloud Spanner Database User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( |
| Owner ( Editor ( Viewer ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Site Reliability Engineer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Backup Writer ( Cloud Spanner Database Admin ( Cloud Spanner Restore Admin ( Cloud Spanner Viewer ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Data Scientist ( Databases Admin ( Support User ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database Reader ( Cloud Spanner Database Reader with DataBoost ( Cloud Spanner Database User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Data Scientist ( Databases Admin ( Support User ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database Reader ( Cloud Spanner Database Reader with DataBoost ( Cloud Spanner Database User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Data Scientist ( Databases Admin ( Support User ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database Reader ( Cloud Spanner Database Reader with DataBoost ( Cloud Spanner Database User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Data Scientist ( Databases Admin ( Support User ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database Reader ( Cloud Spanner Database Reader with DataBoost ( Cloud Spanner Database User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Databases Admin ( Security Admin ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Databases Admin ( Support User ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database Reader with DataBoost ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Fine-grained Access User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( |
| Owner ( Editor ( Viewer ( Databases Admin ( Support User ( Cloud Spanner Admin ( |
| Owner ( Editor ( Viewer ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Support User ( Cloud Spanner Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( |
| Owner ( Editor ( Viewer ( Databases Admin ( Site Reliability Engineer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Viewer ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Site Reliability Engineer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Viewer ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( |
| Owner ( Editor ( Viewer ( Databases Admin ( Support User ( Cloud Spanner Admin ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Support User ( Cloud Spanner Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( |
| Owner ( Editor ( Viewer ( Databases Admin ( Support User ( Cloud Spanner Admin ( |
| Owner ( Editor ( Viewer ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Support User ( Cloud Spanner Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( |
| Owner ( Editor ( Viewer ( Data Scientist ( Databases Admin ( Site Reliability Engineer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Backup Writer ( Cloud Spanner Database Admin ( Cloud Spanner Database Reader ( Cloud Spanner Database Reader with DataBoost ( Cloud Spanner Database User ( Cloud Spanner Restore Admin ( Cloud Spanner Viewer ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Site Reliability Engineer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Database Admin ( Cloud Spanner Restore Admin ( Cloud Spanner Viewer ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( DLP Organization Data Profiles Driver ( DLP Project Data Profiles Driver ( Databases Admin ( Tag User ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Database Admin ( Cloud Spanner Restore Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( DLP Organization Data Profiles Driver ( DLP Project Data Profiles Driver ( Databases Admin ( Tag User ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Database Admin ( Cloud Spanner Restore Admin ( |
| Owner ( Editor ( Viewer ( Data Scientist ( Databases Admin ( Site Reliability Engineer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Backup Writer ( Cloud Spanner Database Admin ( Cloud Spanner Database Reader ( Cloud Spanner Database Reader with DataBoost ( Cloud Spanner Database User ( Cloud Spanner Restore Admin ( Cloud Spanner Viewer ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( |
| Owner ( Editor ( Viewer ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Site Reliability Engineer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Database Admin ( Cloud Spanner Restore Admin ( Cloud Spanner Viewer ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( DLP Organization Data Profiles Driver ( DLP Project Data Profiles Driver ( Databases Admin ( Security Auditor ( Site Reliability Engineer ( Support User ( Tag User ( Tag Viewer ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Database Admin ( Cloud Spanner Restore Admin ( Cloud Spanner Viewer ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( DLP Organization Data Profiles Driver ( DLP Project Data Profiles Driver ( Databases Admin ( Security Auditor ( Site Reliability Engineer ( Support User ( Tag User ( Tag Viewer ( Cloud Spanner Admin ( Cloud Spanner Backup Admin ( Cloud Spanner Database Admin ( Cloud Spanner Restore Admin ( Cloud Spanner Viewer ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Databases Admin ( Security Admin ( Cloud Spanner Admin ( |
| Owner ( Editor ( Databases Admin ( Cloud Spanner Admin ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Data Scientist ( Databases Admin ( Support User ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database Reader ( Cloud Spanner Database Reader with DataBoost ( Cloud Spanner Database User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Data Scientist ( Databases Admin ( Support User ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database Reader ( Cloud Spanner Database Reader with DataBoost ( Cloud Spanner Database User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Data Scientist ( Databases Admin ( Support User ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database Reader ( Cloud Spanner Database Reader with DataBoost ( Cloud Spanner Database User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
| Owner ( Editor ( Viewer ( Data Scientist ( Databases Admin ( Security Admin ( Security Auditor ( Security Reviewer ( Support User ( Cloud Spanner Admin ( Cloud Spanner Database Admin ( Cloud Spanner Database Reader ( Cloud Spanner Database Reader with DataBoost ( Cloud Spanner Database User ( Service agent roles Warning: Don't grant service agent roles to any principals exceptservice agents.
|
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.