IAM overview
Identity and Access Management (IAM) lets you control user and group access to Spanner resources at the project, Spanner instance, and Spanner database levels. For example, you can specify that a user has full control of a specific database in a specific instance in your project, but cannot create, modify, or delete any instances in your project. Using access control with IAM lets you grant a permission to a user or group without having to modify each Spanner instance or database permission individually.
This document focuses on the IAM permissions relevant to Spanner and the IAM roles that grant those permissions. For a detailed description of IAM and its features, see the Identity and Access Management developer's guide. In particular, see the Managing IAM policies section.
Permissions
Permissions allow users to perform specific actions on Spanner resources. For example, the spanner.databases.read permission allows a user to read from a database using Spanner's read API, while spanner.databases.select allows a user to execute a SQL select statement on a database. You don't directly give users permissions; instead, you grant them predefined roles or custom roles, which have one or more permissions bundled within them.
The following tables list the IAM permissions that are associated with Spanner.
Instance configurations
The following permissions apply to Spanner instance configurations. For more information, see the instance configuration references for the REST and RPC APIs.
| Instance configuration permission name | Description |
|---|---|
| spanner.instanceConfigs.create | Create a custom instance configuration. |
| spanner.instanceConfigs.delete | Delete a custom instance configuration. |
| spanner.instanceConfigs.get | Get an instance configuration. |
| spanner.instanceConfigs.list | List the set of instance configurations. |
| spanner.instanceConfigs.update | Update a custom instance configuration. |
Instance configuration operations
The following permissions apply to Spanner instance configuration operations. For more information, see the instance references for the REST and RPC APIs.
| Instance configuration operation permission name | Description |
|---|---|
| spanner.instanceConfigOperations.cancel | Cancel an instance configuration operation. |
| spanner.instanceConfigOperations.delete | Delete an instance configuration operation. |
| spanner.instanceConfigOperations.get | Get an instance configuration operation. |
| spanner.instanceConfigOperations.list | List instance configuration operations. |
Instances
The following permissions apply to Spanner instances. For more information, see the instance references for the REST and RPC APIs.
| Instance permission name | Description |
|---|---|
| spanner.instances.create | Create an instance. |
| spanner.instances.delete | Delete an instance. |
| spanner.instances.get | Get the configuration of a specific instance. |
| spanner.instances.getIamPolicy | Get an instance's IAM policy. |
| spanner.instances.list | List instances. |
| spanner.instances.setIamPolicy | Set an instance's IAM policy. |
| spanner.instances.update | Update an instance. |
Instance operations
The following permissions apply to Spanner instance operations. For more information, see the instance references for the REST and RPC APIs.
| Instance operation permission name | Description |
|---|---|
| spanner.instanceOperations.cancel | Cancel an instance operation. |
| spanner.instanceOperations.delete | Delete an instance operation. |
| spanner.instanceOperations.get | Get a specific instance operation. |
| spanner.instanceOperations.list | List instance operations. |
Instance partitions
The following permissions apply to Spanner instance partitions. For more information, see the instance partition references for the REST and RPC APIs.
| Instance partition permission name | Description |
|---|---|
| spanner.instancePartitions.create | Create an instance partition. |
| spanner.instancePartitions.delete | Delete an instance partition. |
| spanner.instancePartitions.get | Get the configuration of a specific instance partition. |
| spanner.instancePartitions.list | List instance partitions. |
| spanner.instancePartitions.update | Update an instance partition. |
Instance partition operations
The following permissions apply to Spanner instance partition operations. For more information, see the instance partition references for the REST and RPC APIs.
| Instance partition operation permission name | Description |
|---|---|
| spanner.instancePartitionOperations.cancel | Cancel an instance partition operation. |
| spanner.instancePartitionOperations.delete | Delete an instance partition operation. |
| spanner.instancePartitionOperations.get | Get a specific instance partition operation. |
| spanner.instancePartitionOperations.list | List instance partition operations. |
Databases
The following permissions apply to Spanner databases. For more information, see the database references for the REST and RPC APIs.
| Database permission name | Description |
|---|---|
| spanner.databases.adapt | Lets the Spanner Adapter API interact directly with Spanner. |
| spanner.databases.beginOrRollbackReadWriteTransaction | Begin or roll back a read-write transaction on a Spanner database. |
| spanner.databases.beginPartitionedDmlTransaction | Execute an instance partitioned data manipulation language (DML) statement. For more information about instance partitioned queries, see Read data in parallel. |
| spanner.databases.beginReadOnlyTransaction | Begin a read-only transaction on a Spanner database. |
| spanner.databases.create | Create a database. |
| spanner.databases.createBackup | Create a backup from the database. Also requires spanner.backups.create to create the backup resource. |
| spanner.databases.drop | Drop a database. |
| spanner.databases.get | Get a database's metadata. |
| spanner.databases.getDdl | Get a database's schema. |
| spanner.databases.getIamPolicy | Get a database's IAM policy. |
| spanner.databases.list | List databases. |
| spanner.databases.read | Read from a database using the read API. |
| spanner.databases.select | Execute a SQL select statement on a database. |
| spanner.databases.setIamPolicy | Set a database's IAM policy. |
| spanner.databases.update | Update a database's metadata. Currently unavailable for IAM custom roles. |
| spanner.databases.updateDdl | Update a database's schema. |
| spanner.databases.useDataBoost | Use the compute resources of Spanner Data Boost to process instance partitioned queries. |
| spanner.databases.useRoleBasedAccess | Use fine-grained access control. |
| spanner.databases.write | Write into a database. |
Database roles
The following permissions apply to Spanner database roles. For more information, see the database references for the REST and RPC APIs.
| Database role permission name | Description |
|---|---|
| spanner.databaseRoles.list | List database roles. |
| spanner.databaseRoles.use | Use a specified database role. |
Database operations
The following permissions apply to Spanner database operations. For more information, see the database references for the REST and RPC APIs.
| Database operation permission name | Description |
|---|---|
| spanner.databaseOperations.cancel | Cancel a database operation. |
| spanner.databaseOperations.get | Get a specific database operation. |
| spanner.databaseOperations.list | List database and restore database operations. |
Backups
The following permissions apply to Spanner backups. For more information, see the backups references for the REST and RPC APIs.
| Backup permission name | Description |
|---|---|
| spanner.backups.create | Create a backup. Also requires spanner.databases.createBackup on the source database. |
| spanner.backups.delete | Delete a backup. |
| spanner.backups.get | Get a backup. |
| spanner.backups.getIamPolicy | Get a backup's IAM policy. |
| spanner.backups.list | List backups. |
| spanner.backups.restoreDatabase | Restore a database from a backup. Also requires spanner.databases.create to create the restored database on the target instance. |
| spanner.backups.setIamPolicy | Set a backup's IAM policy. |
| spanner.backups.update | Update a backup. |
Backup operations
The following permissions apply to Spanner backup operations. For more information, see the database references for the REST and RPC APIs.
| Backup operation permission name | Description |
|---|---|
| spanner.backupOperations.cancel | Cancel a backup operation. |
| spanner.backupOperations.get | Get a specific backup operation. |
| spanner.backupOperations.list | List backup operations. |
Backup schedules
The following permissions apply to Spanner backup schedules. For more information, see the database references for the REST and RPC APIs.
| Backup schedule permission name | Description |
|---|---|
| spanner.backupSchedules.create | Create a backup schedule. Also requires spanner.databases.createBackup on the source database. |
| spanner.backupSchedules.delete | Delete a backup schedule. |
| spanner.backupSchedules.get | Get a backup schedule. |
| spanner.backupSchedules.list | List backup schedules. |
| spanner.backupSchedules.update | Update a backup schedule. |
Sessions
The following permissions apply to Spanner sessions. For more information, see the database references for the REST and RPC APIs.
Note: Sessions are an advanced concept that only applies to users of the REST API and those who are creating their own client libraries. Learn more in Sessions.
| Session permission name | Description |
|---|---|
| spanner.sessions.create | Create a session. |
| spanner.sessions.delete | Delete a session. |
| spanner.sessions.get | Get a session. |
| spanner.sessions.list | List sessions. |
Predefined roles
A predefined role is a bundle of one or more permissions. For example, the predefined role roles/spanner.databaseUser contains the permissions spanner.databases.read and spanner.databases.write. There are two types of predefined roles for Spanner:
- Person roles: Granted to users or groups, which allows them to perform actions on the resources in your project.
- Machine roles: Granted to service accounts, which allows machines running as those service accounts to perform actions on the resources in your project.
The following table describes the IAM predefined roles for Spanner:
| Role | Description |
|---|---|
| Cloud Spanner Admin | Has complete access to all Spanner resources in a Google Cloud project. |
| Cloud Spanner Backup Admin | This role cannot restore a database from a backup. |
| Cloud Spanner Backup Writer | This role is intended to be used by scripts that automate backup creation. A principal with this role can create backups, but cannot update or delete them. |
| Cloud Spanner Database Admin | |
| Cloud Spanner Database Reader | |
| Cloud Spanner Database Reader with DataBoost | Includes all permissions in the spanner.databaseReader role, enabling access to read and/or query a Cloud Spanner database using instance resources, as well as the permission to access the database with Data Boost, a fully managed serverless service that provides independent compute resources. |
| Cloud Spanner Database Role User | In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type `spanner.googleapis.com/DatabaseRole` and a resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`. |
| Cloud Spanner Database User | |
| Cloud Spanner Fine-grained Access User | Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the `roles/spanner.databaseRoleUser` IAM role and its necessary conditions. |
| Cloud Spanner Restore Admin | A principal with this role can restore databases from backups. If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups. |
| Cloud Spanner API Service Agent | Warning: Do not grant service agent roles to any principals except service agents. |
| Cloud Spanner Viewer | This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud console. |
Note: With spanner.databaseReader, requests for a read-only transaction might occasionally fail with a permissions error. To resolve this problem, see Manage the write-sessions fraction.
Basic roles
Basic roles are project-level roles that predate IAM. See Basic roles for additional details.
Although Spanner supports the following basic roles, you should use one of the predefined roles shown earlier whenever possible. Basic roles include broad permissions that apply to all of your Google Cloud resources; in contrast, Spanner's predefined roles include fine-grained permissions that apply only to Spanner.
| Basic role | Description |
|---|---|
| roles/editor | Can do all that a roles/viewer can do. Can also create instances and databases and write data into a database. |
| roles/owner | Can do all that a roles/editor can do. Can also modify access to databases and instances. |
| roles/viewer | Can list and get the metadata of schemas and instances. Can also read and query using SQL on a database. |
Custom roles
If the predefined roles for Spanner don't address your business requirements, you can define your own custom roles with permissions that you specify.
Before you create a custom role, you must identify the tasks that you need to perform. You can then identify the permissions that are required for each task and add these permissions to the custom role.
Custom roles for service account tasks
For most tasks, it's obvious which permissions you need to add to your custom role. For example, if you want your service account to be able to create a database, add the permission spanner.databases.create to your custom role.
However, when you're reading or writing data in a Spanner table, you need to add several different permissions to your custom role. The following table shows which permissions are required for reading and writing data.
| Service account task | Required permissions |
|---|---|
| Create a backup | spanner.backups.create, spanner.databases.createBackup |
| Read data | spanner.databases.select, spanner.sessions.create, spanner.sessions.delete |
| Restore a database | spanner.backups.restoreDatabase, spanner.databases.create |
| Insert, update, or delete data | spanner.databases.beginOrRollbackReadWriteTransaction, spanner.sessions.create, spanner.sessions.delete, spanner.databases.write |
Custom roles for Google Cloud console tasks
To identify the list of permissions you need for a given task in the Google Cloud console, you determine the workflow for that task and compile the permissions for that workflow. For example, to view the data in a table, you would follow these steps in the Google Cloud console:
| Step | Permissions |
|---|---|
| 1. Access the project | resourcemanager.projects.get |
| 2. View the list of instances | spanner.instances.list |
| 3. Select an instance | spanner.instances.get |
| 4. View the list of databases | spanner.databases.list |
| 5. Select a database and a table | spanner.databases.getDdl |
| 6. View data in a table | spanner.databases.select, spanner.sessions.create, spanner.sessions.delete |
In this example, you need these permissions:
- resourcemanager.projects.get
- spanner.databases.getDdl
- spanner.databases.list
- spanner.databases.select
- spanner.instances.get
- spanner.instances.list
- spanner.sessions.create
- spanner.sessions.delete
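The two custom-role procedures above (map each service account task, or each console workflow step, to its permissions, then bundle exactly those) as an added example; this is not code from the Spanner documentation. Task names and permissions are copied from the tables on this page; the role title, description and `gcloud` invocation in the comments are assumptions.

```python
# Added example (not from the Spanner docs): compile a least-privilege permission set
# from this page's task tables, render a custom role definition, and report what a
# grant lacks for a task (what TestIamPermissions would omit from its response).
from __future__ import annotations

# Task -> permissions, from the "Custom roles for service account tasks" table.
SERVICE_ACCOUNT_TASKS: dict[str, set[str]] = {
    "Create a backup": {"spanner.backups.create", "spanner.databases.createBackup"},
    "Read data": {"spanner.databases.select", "spanner.sessions.create",
                  "spanner.sessions.delete"},
    "Restore a database": {"spanner.backups.restoreDatabase", "spanner.databases.create"},
    "Insert, update, or delete data": {
        "spanner.databases.beginOrRollbackReadWriteTransaction",
        "spanner.sessions.create", "spanner.sessions.delete", "spanner.databases.write"},
}

# The console workflow "view the data in a table", step by step, from the table above.
CONSOLE_VIEW_TABLE_WORKFLOW: list[tuple[str, set[str]]] = [
    ("Access the project", {"resourcemanager.projects.get"}),
    ("View the list of instances", {"spanner.instances.list"}),
    ("Select an instance", {"spanner.instances.get"}),
    ("View the list of databases", {"spanner.databases.list"}),
    ("Select a database and a table", {"spanner.databases.getDdl"}),
    ("View data in a table", {"spanner.databases.select", "spanner.sessions.create",
                              "spanner.sessions.delete"}),
]

# The Databases permission table marks this one as unavailable for custom roles.
NOT_IN_CUSTOM_ROLES = {"spanner.databases.update"}

def permissions_for_tasks(tasks: list[str],
                          catalog: dict[str, set[str]] = SERVICE_ACCOUNT_TASKS) -> set[str]:
    """Union of the permissions the named tasks need. An unknown task is an error,
    not silently an empty set, so a typo cannot yield an under-privileged role."""
    unknown = [t for t in tasks if t not in catalog]
    if unknown:
        raise KeyError(f"no permission mapping for task(s): {unknown}")
    return set().union(*(catalog[t] for t in tasks))

def permissions_for_workflow(steps: list[tuple[str, set[str]]]) -> set[str]:
    """Compile an ordered console workflow into the permission set it needs."""
    return set().union(*(perms for _, perms in steps))

def missing_permissions(granted: set[str], required: set[str]) -> set[str]:
    """Required permissions the grant does not cover (empty means the task is allowed)."""
    return required - granted

def custom_role_yaml(title: str, description: str, permissions: set[str]) -> str:
    """Render the YAML that `gcloud iam roles create ROLE_ID --project=PROJECT --file=role.yaml`
    reads (assumed invocation); refuses permissions this page says custom roles cannot hold."""
    blocked = permissions & NOT_IN_CUSTOM_ROLES
    if blocked:
        raise ValueError(f"not allowed in custom roles: {sorted(blocked)}")
    lines = [f"title: {title}", f"description: {description}", "stage: GA",
             "includedPermissions:"] + [f"- {p}" for p in sorted(permissions)]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    reader = permissions_for_tasks(["Read data"])
    writer = permissions_for_tasks(["Insert, update, or delete data"])
    print("read-only grant lacks for writes:", sorted(missing_permissions(reader, writer)))
    print(custom_role_yaml("Spanner console table viewer", "view-data workflow only",
                           permissions_for_workflow(CONSOLE_VIEW_TABLE_WORKFLOW)))
```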
The following table lists the permissions required for actions in the Google Cloud console.
| Permissions | Action |
|---|---|
| spanner.databases.setIamPolicy | Add principals on the Permissions tab of the Database details page |
| spanner.instances.setIamPolicy | Add principals on the Permissions tab of the Instance page |
| spanner.backups.create, spanner.databases.createBackup, spanner.databases.list, spanner.backupOperations.list | Create a backup |
| spanner.backupSchedules.create, spanner.databases.createBackup | Create a backup schedule |
| spanner.databases.create | Create a database |
| spanner.instancePartitions.list, spanner.instancePartitionOperations.get, spanner.instancePartitions.create | Create an instance partition |
| spanner.databaseOperations.get, spanner.databaseOperations.list, spanner.databases.updateDdl | Create a table; update a table schema |
| spanner.instanceConfigs.list, spanner.instanceOperations.get, spanner.instances.create | Create an instance |
| spanner.backups.delete | Delete a backup |
| spanner.backupSchedules.delete | Delete a backup schedule |
| spanner.databases.drop | Delete a database |
| spanner.instancePartitions.delete | Delete an instance partition |
| spanner.instances.delete | Delete an instance |
| spanner.instancePartitionOperations.get, spanner.instancePartitions.update | Modify an instance partition |
| spanner.instanceOperations.get, spanner.instances.update | Modify an instance |
| spanner.databases.beginOrRollbackReadWriteTransaction, spanner.databases.select, spanner.databases.write, spanner.sessions.create, spanner.sessions.delete | Modify data in a table |
| spanner.instanceConfigs.list, spanner.instances.get, spanner.backups.get, spanner.backups.restoreDatabase, spanner.instances.list, spanner.databases.create | Restore a database from a backup |
| spanner.databases.get, spanner.databases.getDdl | Select a database from the database list and view the schema on the Database details page |
| spanner.instances.get | Select an instance from the instance list to view the Instance details page |
| spanner.backups.update | Update a backup |
| spanner.backupSchedules.update | Update a backup schedule |
| spanner.databases.select, spanner.sessions.create, spanner.sessions.delete | View data in the Data tab of the Database details page; create and run a query |
| spanner.backups.list, spanner.backups.get | View the Backup/Restore page |
| monitoring.metricDescriptors.get, monitoring.metricDescriptors.list, monitoring.timeSeries.list, spanner.instances.get | View the graphs in the Monitor tab on the Instance details page or the Database details page |
| spanner.backupOperations.list | View the list of backup operations |
| spanner.databases.list | View the list of databases on the Instance details page |
| resourcemanager.projects.get, spanner.instances.list | View the list of instances on the Instances page |
| spanner.databaseOperations.list | View the list of restore operations |
| spanner.databases.getIamPolicy | View the list on the Permissions tab of the Database details page |
| spanner.instances.getIamPolicy | View the list on the Permissions tab of the Instance page |
Spanner IAM policy management
You can get, set, and test IAM policies using the REST or RPC APIs on Spanner instance, database, and backup resources.
Instances
| REST API | RPC API |
|---|---|
| projects.instances.getIamPolicy | GetIamPolicy |
| projects.instances.setIamPolicy | SetIamPolicy |
| projects.instances.testIamPermissions | TestIamPermissions |
Databases
| REST API | RPC API |
|---|---|
| projects.instances.databases.getIamPolicy | GetIamPolicy |
| projects.instances.databases.setIamPolicy | SetIamPolicy |
| projects.instances.databases.testIamPermissions | TestIamPermissions |
Backups
| REST API | RPC API |
|---|---|
| projects.instances.backups.getIamPolicy | GetIamPolicy |
| projects.instances.backups.setIamPolicy | SetIamPolicy |
| projects.instances.backups.testIamPermissions | TestIamPermissions |
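The policy document you edit between getIamPolicy and setIamPolicy on a database, as an added example that is not code from the Spanner documentation: it grants one principal the Fine-grained Access User role plus a Database Role User binding conditioned on one database role, exactly as the role descriptions above prescribe. The policy contents, service account and database role name `hr_analyst` are constructed sample values, and `roles/spanner.fineGrainedAccessUser` is the role ID of the Fine-grained Access User role named on this page.

```python
# Added example (not from the Spanner docs): the read-modify-write step between
# getIamPolicy and setIamPolicy that grants one principal use of one Spanner database
# role, following the Database Role User description above. Sample values constructed.
from __future__ import annotations
import copy

FINE_GRAINED_USER = "roles/spanner.fineGrainedAccessUser"  # Cloud Spanner Fine-grained Access User
DATABASE_ROLE_USER = "roles/spanner.databaseRoleUser"      # Cloud Spanner Database Role User

# Shape of a getIamPolicy response (constructed sample). The etag is echoed back
# unchanged so setIamPolicy rejects the write if the policy changed in between.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXyZ-constructed",
    "bindings": [
        {"role": "roles/spanner.databaseReader",
         "members": ["group:analysts@example.com"]},
    ],
}

def database_role_condition(db_role: str) -> dict:
    """CEL condition limiting databaseRoleUser to one database role: the resource
    type and name suffix given in the role description above."""
    if "/" in db_role:
        raise ValueError("pass the bare database role name, not a resource path")
    return {
        "title": f"spanner-db-role-{db_role}",
        "expression": ('resource.type == "spanner.googleapis.com/DatabaseRole" && '
                       f'resource.name.endsWith("/{db_role}")'),
    }

def grant_database_role(policy: dict, member: str, db_role: str) -> dict:
    """Return a copy of `policy` that grants `member` use of database role `db_role`:
    an unconditional fineGrainedAccessUser binding plus a conditional databaseRoleUser
    binding. Version 3 is required for policies that carry conditions."""
    new = copy.deepcopy(policy)
    new["version"] = 3
    bindings = new.setdefault("bindings", [])

    def ensure(role: str, condition: dict | None) -> None:
        """Add member to the binding with exactly this role and condition; create it if absent."""
        for b in bindings:
            if b["role"] == role and b.get("condition") == condition:
                if member not in b["members"]:
                    b["members"].append(member)
                return
        b = {"role": role, "members": [member]}
        if condition is not None:
            b["condition"] = condition
        bindings.append(b)

    ensure(FINE_GRAINED_USER, None)
    ensure(DATABASE_ROLE_USER, database_role_condition(db_role))
    return new

def roles_for(policy: dict, member: str) -> set[str]:
    """Roles a member holds; conditional grants are tagged with the condition title."""
    return {b["role"] + (f" if {b['condition']['title']}" if b.get("condition") else "")
            for b in policy.get("bindings", []) if member in b["members"]}

if __name__ == "__main__":
    sa = "serviceAccount:reporting@example-project.iam.gserviceaccount.com"
    updated = grant_database_role(SAMPLE_POLICY, sa, "hr_analyst")
    print(sorted(roles_for(updated, sa)))
```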
What's next
- Learn more about Identity and Access Management.
- Learn how to apply IAM roles for a Spanner database, instance, or Google Cloud project.
- Learn how to control access to Google Cloud resources, including Spanner, from the internet.
Last updated 2026-02-19 UTC.