IAM overview

Identity and Access Management (IAM) lets you control user and group access to Spanner resources at the project, Spanner instance, and Spanner database levels. For example, you can specify that a user has full control of a specific database in a specific instance in your project, but cannot create, modify, or delete any instances in your project. Using access control with IAM lets you grant a permission to a user or group without having to modify each Spanner instance or database permission individually.

This document focuses on the IAM permissions relevant to Spanner and the IAM roles that grant those permissions. For a detailed description of IAM and its features, see the Identity and Access Management developer's guide. In particular, see the Managing IAM policies section.

Permissions

Permissions allow users to perform specific actions on Spanner resources. For example, the spanner.databases.read permission allows a user to read from a database using Spanner's read API, while spanner.databases.select allows a user to execute a SQL select statement on a database. You don't directly give users permissions; instead, you grant them predefined roles or custom roles, which have one or more permissions bundled within them.

The following tables list the IAM permissions that are associated with Spanner.

Instance configurations

The following permissions apply to Spanner instance configurations. For more information, see the instance configuration references for the REST and RPC APIs.

  • spanner.instanceConfigs.create: Create a custom instance configuration.
  • spanner.instanceConfigs.delete: Delete a custom instance configuration.
  • spanner.instanceConfigs.get: Get an instance configuration.
  • spanner.instanceConfigs.list: List the set of instance configurations.
  • spanner.instanceConfigs.update: Update a custom instance configuration.

Instance configuration operations

The following permissions apply to Spanner instance configuration operations. For more information, see the instance references for the REST and RPC APIs.

  • spanner.instanceConfigOperations.cancel: Cancel an instance configuration operation.
  • spanner.instanceConfigOperations.delete: Delete an instance configuration operation.
  • spanner.instanceConfigOperations.get: Get an instance configuration operation.
  • spanner.instanceConfigOperations.list: List instance configuration operations.

Instances

The following permissions apply to Spanner instances. For more information, see the instance references for the REST and RPC APIs.

  • spanner.instances.create: Create an instance.
  • spanner.instances.delete: Delete an instance.
  • spanner.instances.get: Get the configuration of a specific instance.
  • spanner.instances.getIamPolicy: Get an instance's IAM policy.
  • spanner.instances.list: List instances.
  • spanner.instances.setIamPolicy: Set an instance's IAM policy.
  • spanner.instances.update: Update an instance.

Instance operations

The following permissions apply to Spanner instance operations. For more information, see the instance references for the REST and RPC APIs.

  • spanner.instanceOperations.cancel: Cancel an instance operation.
  • spanner.instanceOperations.delete: Delete an instance operation.
  • spanner.instanceOperations.get: Get a specific instance operation.
  • spanner.instanceOperations.list: List instance operations.

Instance partitions

The following permissions apply to Spanner instance partitions. For more information, see the instance partition references for the REST and RPC APIs.

  • spanner.instancePartitions.create: Create an instance partition.
  • spanner.instancePartitions.delete: Delete an instance partition.
  • spanner.instancePartitions.get: Get the configuration of a specific instance partition.
  • spanner.instancePartitions.list: List instance partitions.
  • spanner.instancePartitions.update: Update an instance partition.

Instance partition operations

The following permissions apply to Spanner instance partition operations. For more information, see the instance partition references for the REST and RPC APIs.

  • spanner.instancePartitionOperations.cancel: Cancel an instance partition operation.
  • spanner.instancePartitionOperations.delete: Delete an instance partition operation.
  • spanner.instancePartitionOperations.get: Get a specific instance partition operation.
  • spanner.instancePartitionOperations.list: List instance partition operations.

Databases

The following permissions apply to Spanner databases. For more information, see the database references for the REST and RPC APIs.

  • spanner.databases.adapt: Lets the Spanner Adapter API interact directly with Spanner.
  • spanner.databases.beginOrRollbackReadWriteTransaction: Begin or roll back a read-write transaction on a Spanner database.
  • spanner.databases.beginPartitionedDmlTransaction: Execute an instance partitioned data manipulation language (DML) statement. For more information about instance partitioned queries, see Read data in parallel.
  • spanner.databases.beginReadOnlyTransaction: Begin a read-only transaction on a Spanner database.
  • spanner.databases.create: Create a database.
  • spanner.databases.createBackup: Create a backup from the database. Also requires spanner.backups.create to create the backup resource.
  • spanner.databases.drop: Drop a database.
  • spanner.databases.get: Get a database's metadata.
  • spanner.databases.getDdl: Get a database's schema.
  • spanner.databases.getIamPolicy: Get a database's IAM policy.
  • spanner.databases.list: List databases.
  • spanner.databases.read: Read from a database using the read API.
  • spanner.databases.select: Execute a SQL select statement on a database.
  • spanner.databases.setIamPolicy: Set a database's IAM policy.
  • spanner.databases.update: Update a database's metadata. Currently unavailable for IAM custom roles.
  • spanner.databases.updateDdl: Update a database's schema.
  • spanner.databases.useDataBoost: Use the compute resources of Spanner Data Boost to process instance partitioned queries.
  • spanner.databases.useRoleBasedAccess: Use fine-grained access control.
  • spanner.databases.write: Write into a database.

Database roles

The following permissions apply to Spanner database roles. For more information, see the database references for the REST and RPC APIs.

  • spanner.databaseRoles.list: List database roles.
  • spanner.databaseRoles.use: Use a specified database role.

Database operations

The following permissions apply to Spanner database operations. For more information, see the database references for the REST and RPC APIs.

  • spanner.databaseOperations.cancel: Cancel a database operation.
  • spanner.databaseOperations.get: Get a specific database operation.
  • spanner.databaseOperations.list: List database and restore database operations.

Backups

The following permissions apply to Spanner backups. For more information, see the backups references for the REST and RPC APIs.

  • spanner.backups.create: Create a backup. Also requires spanner.databases.createBackup on the source database.
  • spanner.backups.delete: Delete a backup.
  • spanner.backups.get: Get a backup.
  • spanner.backups.getIamPolicy: Get a backup's IAM policy.
  • spanner.backups.list: List backups.
  • spanner.backups.restoreDatabase: Restore a database from a backup. Also requires spanner.databases.create to create the restored database on the target instance.
  • spanner.backups.setIamPolicy: Set a backup's IAM policy.
  • spanner.backups.update: Update a backup.

Backup operations

The following permissions apply to Spanner backup operations. For more information, see the database references for the REST and RPC APIs.

  • spanner.backupOperations.cancel: Cancel a backup operation.
  • spanner.backupOperations.get: Get a specific backup operation.
  • spanner.backupOperations.list: List backup operations.

Backup schedules

The following permissions apply to Spanner backup schedules. For more information, see the database references for the REST and RPC APIs.

  • spanner.backupSchedules.create: Create a backup schedule. Also requires spanner.databases.createBackup on the source database.
  • spanner.backupSchedules.delete: Delete a backup schedule.
  • spanner.backupSchedules.get: Get a backup schedule.
  • spanner.backupSchedules.list: List backup schedules.
  • spanner.backupSchedules.update: Update a backup schedule.

Sessions

The following permissions apply to Spanner sessions. For more information, see the database references for the REST and RPC APIs.

Note: Sessions are an advanced concept that only applies to users of the REST API and those who are creating their own client libraries. Learn more in Sessions.

  • spanner.sessions.create: Create a session.
  • spanner.sessions.delete: Delete a session.
  • spanner.sessions.get: Get a session.
  • spanner.sessions.list: List sessions.

Predefined roles

A predefined role is a bundle of one or more permissions. For example, the predefined role roles/spanner.databaseUser contains the permissions spanner.databases.read and spanner.databases.write. There are two types of predefined roles for Spanner:

  • Person roles: Granted to users or groups, which allows them to perform actions on the resources in your project.
  • Machine roles: Granted to service accounts, which allows machines running as those service accounts to perform actions on the resources in your project.
Note: To avoid providing machines with unnecessarily broad permissions, don't grant person roles to service accounts.

The following list gives the IAM predefined roles for Spanner. Each entry shows the role ID, what a principal with the role can do, the lowest-level resources where you can grant it, and the permissions it includes:

Cloud Spanner Admin

(roles/spanner.admin)

Has complete access to all Spanner resources in a Google Cloud project. A principal with this role can:

  • Grant and revoke permissions to other principals for all Spanner resources in the project.
  • Allocate and delete chargeable Spanner resources.
  • Issue get/list/modify operations on Cloud Spanner resources.
  • Read from and write to all Cloud Spanner databases in the project.
  • Fetch project metadata.

Lowest-level resources where you can grant this role:

  • Instance
  • Database

cloudkms.keyHandles.*

  • cloudkms.keyHandles.create
  • cloudkms.keyHandles.get
  • cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

monitoring.timeSeries.*

  • monitoring.timeSeries.create
  • monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.*

  • spanner.backupOperations.cancel
  • spanner.backupOperations.get
  • spanner.backupOperations.list
  • spanner.backupSchedules.create
  • spanner.backupSchedules.delete
  • spanner.backupSchedules.get
  • spanner.backupSchedules.getIamPolicy
  • spanner.backupSchedules.list
  • spanner.backupSchedules.setIamPolicy
  • spanner.backupSchedules.update
  • spanner.backups.copy
  • spanner.backups.create
  • spanner.backups.delete
  • spanner.backups.get
  • spanner.backups.getIamPolicy
  • spanner.backups.list
  • spanner.backups.restoreDatabase
  • spanner.backups.setIamPolicy
  • spanner.backups.update
  • spanner.databaseOperations.cancel
  • spanner.databaseOperations.get
  • spanner.databaseOperations.list
  • spanner.databaseRoles.list
  • spanner.databases.adapt
  • spanner.databases.addSplitPoints
  • spanner.databases.beginOrRollbackReadWriteTransaction
  • spanner.databases.beginPartitionedDmlTransaction
  • spanner.databases.beginReadOnlyTransaction
  • spanner.databases.changequorum
  • spanner.databases.create
  • spanner.databases.createBackup
  • spanner.databases.drop
  • spanner.databases.get
  • spanner.databases.getDdl
  • spanner.databases.getIamPolicy
  • spanner.databases.list
  • spanner.databases.partitionQuery
  • spanner.databases.partitionRead
  • spanner.databases.read
  • spanner.databases.select
  • spanner.databases.setIamPolicy
  • spanner.databases.update
  • spanner.databases.updateDdl
  • spanner.databases.useDataBoost
  • spanner.databases.useRoleBasedAccess
  • spanner.databases.write
  • spanner.instanceConfigOperations.cancel
  • spanner.instanceConfigOperations.delete
  • spanner.instanceConfigOperations.get
  • spanner.instanceConfigOperations.list
  • spanner.instanceConfigs.create
  • spanner.instanceConfigs.delete
  • spanner.instanceConfigs.get
  • spanner.instanceConfigs.list
  • spanner.instanceConfigs.update
  • spanner.instanceOperations.cancel
  • spanner.instanceOperations.delete
  • spanner.instanceOperations.get
  • spanner.instanceOperations.list
  • spanner.instancePartitionOperations.cancel
  • spanner.instancePartitionOperations.delete
  • spanner.instancePartitionOperations.get
  • spanner.instancePartitionOperations.list
  • spanner.instancePartitions.create
  • spanner.instancePartitions.delete
  • spanner.instancePartitions.get
  • spanner.instancePartitions.list
  • spanner.instancePartitions.update
  • spanner.instances.create
  • spanner.instances.createTagBinding
  • spanner.instances.delete
  • spanner.instances.deleteTagBinding
  • spanner.instances.get
  • spanner.instances.getIamPolicy
  • spanner.instances.list
  • spanner.instances.listEffectiveTags
  • spanner.instances.listTagBindings
  • spanner.instances.setIamPolicy
  • spanner.instances.update
  • spanner.sessions.create
  • spanner.sessions.delete
  • spanner.sessions.get
  • spanner.sessions.list

Cloud Spanner Backup Admin

(roles/spanner.backupAdmin)

A principal with this role can:

  • Create, view, update, and delete backups.
  • View and manage a backup's allow policy.

This role cannot restore a database from a backup.

Lowest-level resources where you can grant this role:

  • Instance
  • Database

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.backupOperations.*

  • spanner.backupOperations.cancel
  • spanner.backupOperations.get
  • spanner.backupOperations.list

spanner.backupSchedules.create

spanner.backupSchedules.delete

spanner.backupSchedules.get

spanner.backupSchedules.list

spanner.backupSchedules.update

spanner.backups.copy

spanner.backups.create

spanner.backups.delete

spanner.backups.get

spanner.backups.getIamPolicy

spanner.backups.list

spanner.backups.setIamPolicy

spanner.backups.update

spanner.databases.createBackup

spanner.databases.get

spanner.databases.list

spanner.instancePartitions.get

spanner.instancePartitions.list

spanner.instances.createTagBinding

spanner.instances.deleteTagBinding

spanner.instances.get

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

Cloud Spanner Backup Writer

(roles/spanner.backupWriter)

This role is intended to be used by scripts that automate backup creation.A principal with this role can create backups, but cannot update or delete them.

Lowest-level resources where you can grant this role:

  • Instance
  • Database

spanner.backupOperations.get

spanner.backupOperations.list

spanner.backupSchedules.create

spanner.backupSchedules.get

spanner.backupSchedules.list

spanner.backups.copy

spanner.backups.create

spanner.backups.get

spanner.backups.list

spanner.databases.createBackup

spanner.databases.get

spanner.databases.list

spanner.instancePartitions.get

spanner.instances.get

Cloud Spanner Database Admin

(roles/spanner.databaseAdmin)

A principal with this role can:

  • Get/list all Spanner instances in the project.
  • Create/list/drop databases in an instance.
  • Grant/revoke access to databases in the project.
  • Read from and write to all Cloud Spanner databases in the project.

Lowest-level resources where you can grant this role:

  • Instance
  • Database

cloudkms.keyHandles.*

  • cloudkms.keyHandles.create
  • cloudkms.keyHandles.get
  • cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

monitoring.timeSeries.*

  • monitoring.timeSeries.create
  • monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.databaseOperations.*

  • spanner.databaseOperations.cancel
  • spanner.databaseOperations.get
  • spanner.databaseOperations.list

spanner.databaseRoles.list

spanner.databases.adapt

spanner.databases.addSplitPoints

spanner.databases.beginOrRollbackReadWriteTransaction

spanner.databases.beginPartitionedDmlTransaction

spanner.databases.beginReadOnlyTransaction

spanner.databases.changequorum

spanner.databases.create

spanner.databases.drop

spanner.databases.get

spanner.databases.getDdl

spanner.databases.getIamPolicy

spanner.databases.list

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.select

spanner.databases.setIamPolicy

spanner.databases.update

spanner.databases.updateDdl

spanner.databases.useDataBoost

spanner.databases.useRoleBasedAccess

spanner.databases.write

spanner.instancePartitions.get

spanner.instancePartitions.list

spanner.instances.createTagBinding

spanner.instances.deleteTagBinding

spanner.instances.get

spanner.instances.getIamPolicy

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

spanner.sessions.*

  • spanner.sessions.create
  • spanner.sessions.delete
  • spanner.sessions.get
  • spanner.sessions.list

Cloud Spanner Database Reader

(roles/spanner.databaseReader)

A principal with this role can:

  • Read from the Spanner database.
  • Execute SQL queries on the database.
  • View schema for the database.

Lowest-level resources where you can grant this role:

  • Instance
  • Database

monitoring.timeSeries.create

spanner.databases.beginReadOnlyTransaction

spanner.databases.get

spanner.databases.getDdl

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.select

spanner.instancePartitions.get

spanner.instances.get

spanner.sessions.*

  • spanner.sessions.create
  • spanner.sessions.delete
  • spanner.sessions.get
  • spanner.sessions.list

Cloud Spanner Database Reader with DataBoost

(roles/spanner.databaseReaderWithDataBoost)

Includes all permissions in the spanner.databaseReader role enabling access to read and/or query a Cloud Spanner database using instance resources, as well as the permission to access the database with Data Boost, a fully managed serverless service that provides independent compute resources.

Lowest-level resources where you can grant this role:

  • Instance
  • Database

monitoring.timeSeries.create

spanner.databases.beginReadOnlyTransaction

spanner.databases.get

spanner.databases.getDdl

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.select

spanner.databases.useDataBoost

spanner.instancePartitions.get

spanner.instances.get

spanner.sessions.*

  • spanner.sessions.create
  • spanner.sessions.delete
  • spanner.sessions.get
  • spanner.sessions.list

Cloud Spanner Database Role User

(roles/spanner.databaseRoleUser)

In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`.

Lowest-level resources where you can grant this role:

  • Instance
  • Database

Cloud Spanner Database User

(roles/spanner.databaseUser)

A principal with this role can:

  • Read from and write to the Spanner database.
  • Execute SQL queries on the database, including DML and Partitioned DML.
  • View and update schema for the database.

Lowest-level resources where you can grant this role:

  • Instance
  • Database

monitoring.timeSeries.create

spanner.databaseOperations.*

  • spanner.databaseOperations.cancel
  • spanner.databaseOperations.get
  • spanner.databaseOperations.list

spanner.databases.adapt

spanner.databases.beginOrRollbackReadWriteTransaction

spanner.databases.beginPartitionedDmlTransaction

spanner.databases.beginReadOnlyTransaction

spanner.databases.changequorum

spanner.databases.get

spanner.databases.getDdl

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.select

spanner.databases.updateDdl

spanner.databases.write

spanner.instancePartitions.get

spanner.instances.get

spanner.sessions.*

  • spanner.sessions.create
  • spanner.sessions.delete
  • spanner.sessions.get
  • spanner.sessions.list

Cloud Spanner Fine-grained Access User

(roles/spanner.fineGrainedAccessUser)

Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the `roles/spanner.databaseRoleUser` IAM role and its necessary conditions.

Lowest-level resources where you can grant this role:

  • Instance
  • Database

spanner.databaseRoles.list

spanner.databases.useRoleBasedAccess

Cloud Spanner Restore Admin

(roles/spanner.restoreAdmin)

A principal with this role can restore databases from backups.

If you need to restore a backup to a different instance, apply thisrole at the project level or to both instances. This role cannot create backups.

Lowest-level resources where you can grant this role:

  • Instance
  • Database

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.backups.get

spanner.backups.list

spanner.backups.restoreDatabase

spanner.databaseOperations.*

  • spanner.databaseOperations.cancel
  • spanner.databaseOperations.get
  • spanner.databaseOperations.list

spanner.databases.create

spanner.databases.get

spanner.databases.list

spanner.instancePartitions.get

spanner.instancePartitions.list

spanner.instances.createTagBinding

spanner.instances.deleteTagBinding

spanner.instances.get

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

Cloud Spanner API Service Agent

(roles/spanner.serviceAgent)


Warning: Do not grant service agent roles to any principals except service agents.

aiplatform.endpoints.get

aiplatform.endpoints.list

aiplatform.endpoints.predict

aiplatform.models.get

aiplatform.models.list

compute.disks.create

compute.disks.createTagBinding

compute.disks.use

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.get

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.networks.create

compute.networks.use

compute.networks.useExternalIp

compute.subnetworks.create

compute.subnetworks.use

compute.subnetworks.useExternalIp

logging.logEntries.create

run.jobs.run

run.routes.invoke

spanner.databases.beginReadOnlyTransaction

spanner.databases.partitionQuery

spanner.databases.select

spanner.databases.useDataBoost

spanner.sessions.create

storage.buckets.create

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

Cloud Spanner Viewer

(roles/spanner.viewer)

A principal with this role can:

  • View all Spanner instances (but cannot modify instances).
  • View all Spanner databases (but cannot modify or read from databases).

For example, you can combine this role with the roles/spanner.databaseUser role to grant a user access to a specific database, but only view access to other instances and databases.

This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud console.

Lowest-level resources where you can grant this role:

  • Instance
  • Database

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.databases.get

spanner.databases.list

spanner.instanceConfigs.get

spanner.instanceConfigs.list

spanner.instancePartitions.get

spanner.instancePartitions.list

spanner.instances.get

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

Note: When the assigned role is spanner.databaseReader, requests for a read-only transaction might occasionally fail with a permissions error. To resolve this problem, see Manage the write-sessions fraction.
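The entries for roles/spanner.fineGrainedAccessUser and roles/spanner.databaseRoleUser above describe a two-part grant (an unconditional role plus a role scoped by an IAM condition on the DatabaseRole resource), and the list as a whole carries rules a reviewer can check mechanically: service agent roles stay with service agents, and basic roles are discouraged. The following is an added example, not code from the Spanner documentation, that builds the conditional binding, applies it the way a getIamPolicy/setIamPolicy read-modify-write does (preserving the etag), and lints a policy against those rules. The principals, the database role name "reporting" and the etag value are constructed; the condition uses the IAM attributes resource.type and resource.name that the role table refers to.

```python
"""IAM policy helpers for a Spanner database: add bindings the way a
getIamPolicy / setIamPolicy read-modify-write cycle does, build the condition
the databaseRoleUser entry calls for, and lint a policy against the guidance
on this page. Added example, not code from the Spanner documentation; the
principals, database role name and etag are constructed."""
import copy

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
SERVICE_AGENT_ROLE = "roles/spanner.serviceAgent"
DATABASE_ROLE_USER = "roles/spanner.databaseRoleUser"
FINE_GRAINED_ACCESS_USER = "roles/spanner.fineGrainedAccessUser"


def database_role_condition(database_role):
    """Condition that limits roles/spanner.databaseRoleUser to one Spanner
    database role: resource type DatabaseRole and a resource name ending in
    the role name, the shape described in the role table."""
    return {
        "title": f"database-role-{database_role}",
        "expression": (
            'resource.type == "spanner.googleapis.com/DatabaseRole" && '
            f'resource.name.endsWith("/{database_role}")'
        ),
    }


def add_binding(policy, role, member, condition=None):
    """Return a copy of the policy with member added to the binding for
    (role, condition). The etag read with getIamPolicy is kept so that
    setIamPolicy can reject a write based on a stale read."""
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    if condition is not None:
        new["version"] = 3  # conditional bindings need policy version 3
    for binding in bindings:
        if binding["role"] == role and binding.get("condition") == condition:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    binding = {"role": role, "members": [member]}
    if condition is not None:
        binding["condition"] = condition
    bindings.append(binding)
    return new


def grant_fine_grained_access(policy, member, database_role):
    """The two grants the page pairs together: fineGrainedAccessUser
    (unconditional) plus databaseRoleUser scoped to one database role."""
    policy = add_binding(policy, FINE_GRAINED_ACCESS_USER, member)
    return add_binding(policy, DATABASE_ROLE_USER, member,
                       database_role_condition(database_role))


def lint_policy(policy, service_agents=()):
    """Findings for bindings that go against this page's guidance.
    service_agents lists the members allowed to hold the service agent role."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role in BASIC_ROLES:
            findings.append(f"{role}: basic role; prefer a Spanner predefined role")
        if role == SERVICE_AGENT_ROLE:
            for member in binding["members"]:
                if member not in service_agents:
                    findings.append(f"{role} granted to {member}: "
                                    "service agent roles are for service agents only")
        if role == DATABASE_ROLE_USER and "condition" not in binding:
            findings.append(f"{role} without a condition: scope it to a database role")
    return findings


# Constructed sample, shaped like a getIamPolicy response for a database.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwExampleEtag=",  # constructed value
    "bindings": [
        {"role": "roles/spanner.databaseReader",
         "members": ["group:analysts@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:etl@example.iam.gserviceaccount.com"]},
    ],
}

if __name__ == "__main__":
    updated = grant_fine_grained_access(SAMPLE_POLICY, "user:alice@example.com", "reporting")
    print(updated["bindings"][-1]["condition"]["expression"])
    for finding in lint_policy(updated):
        print("finding:", finding)
```

In a real workflow the dictionary passed to add_binding is the response of getIamPolicy and the returned dictionary is the body of setIamPolicy; the lint runs on the result before the write so that a basic role or an unscoped databaseRoleUser grant is caught in review rather than in production.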

Basic roles

Basic roles are project-level roles that predate IAM. See Basic roles for additional details.

Although Spanner supports the following basic roles, you should use one of the predefined roles shown earlier whenever possible. Basic roles include broad permissions that apply to all of your Google Cloud resources; in contrast, Spanner's predefined roles include fine-grained permissions that apply only to Spanner.

  • roles/editor: Can do all that a roles/viewer can do. Can also create instances and databases and write data into a database.
  • roles/owner: Can do all that a roles/editor can do. Can also modify access to databases and instances.
  • roles/viewer: Can list and get the metadata of schemas and instances. Can also read and query using SQL on a database.

Custom roles

If the predefined roles for Spanner don't address your business requirements, you can define your own custom roles with permissions that you specify.

Before you create a custom role, you must identify the tasks that you need to perform. You can then identify the permissions that are required for each task and add these permissions to the custom role.

Custom roles for service account tasks

For most tasks, it's obvious which permissions you need to add to your custom role. For example, if you want your service account to be able to create a database, add the permission spanner.databases.create to your custom role.

However, when you're reading or writing data in a Spanner table, you need to add several different permissions to your custom role. The following table shows which permissions are required for reading and writing data.

  • Create a backup: spanner.backups.create, spanner.databases.createBackup
  • Read data: spanner.databases.select, spanner.sessions.create, spanner.sessions.delete
  • Restore a database: spanner.backups.restoreDatabase, spanner.databases.create
  • Insert, update, or delete data: spanner.databases.beginOrRollbackReadWriteTransaction, spanner.sessions.create, spanner.sessions.delete, spanner.databases.write

Custom roles for Google Cloud console tasks

To identify the list of permissions you need for a given task in the Google Cloud console, you determine the workflow for that task and compile the permissions for that workflow. For example, to view the data in a table, you would follow these steps in the Google Cloud console:

  1. Access the project: resourcemanager.projects.get
  2. View the list of instances: spanner.instances.list
  3. Select an instance: spanner.instances.get
  4. View the list of databases: spanner.databases.list
  5. Select a database and a table: spanner.databases.getDdl
  6. View data in a table: spanner.databases.select, spanner.sessions.create, spanner.sessions.delete

In this example, you need these permissions:

  • resourcemanager.projects.get
  • spanner.databases.getDdl
  • spanner.databases.list
  • spanner.databases.select
  • spanner.instances.get
  • spanner.instances.list
  • spanner.sessions.create
  • spanner.sessions.delete
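The service-account task table and the console workflow above both say the same thing: a task needs its whole permission set, and a custom role that contains only the obvious permission (spanner.databases.select without the session permissions, for instance) fails at runtime. The following added example, not code from the Spanner documentation, encodes those permission sets and checks a candidate custom role against them, reporting what is missing for each intended task, what is unused (a least-privilege candidate for removal) and the one permission the database table marks as unavailable in custom roles. The sample role is constructed, and its intendedTasks field is an invented annotation, not part of the IAM custom role schema.

```python
"""Check a candidate Spanner custom role against the permission sets this
page lists for service-account tasks and for the console 'view the data in a
table' workflow. Added example, not code from the Spanner documentation; the
sample role is constructed and its intendedTasks field is an invented
annotation, not part of the IAM role schema."""

# Task -> required permissions, copied from the two tables on this page.
TASK_PERMISSIONS = {
    "Create a backup": {
        "spanner.backups.create",
        "spanner.databases.createBackup",
    },
    "Read data": {
        "spanner.databases.select",
        "spanner.sessions.create",
        "spanner.sessions.delete",
    },
    "Restore a database": {
        "spanner.backups.restoreDatabase",
        "spanner.databases.create",
    },
    "Insert, update, or delete data": {
        "spanner.databases.beginOrRollbackReadWriteTransaction",
        "spanner.sessions.create",
        "spanner.sessions.delete",
        "spanner.databases.write",
    },
    "View the data in a table (console)": {
        "resourcemanager.projects.get",
        "spanner.instances.list",
        "spanner.instances.get",
        "spanner.databases.list",
        "spanner.databases.getDdl",
        "spanner.databases.select",
        "spanner.sessions.create",
        "spanner.sessions.delete",
    },
}

# The database permission table marks this one as unavailable for custom roles.
UNAVAILABLE_IN_CUSTOM_ROLES = {"spanner.databases.update"}


def missing_permissions(role_permissions, task):
    """Permissions the task needs that the role does not include."""
    return sorted(TASK_PERMISSIONS[task] - set(role_permissions))


def tasks_enabled(role_permissions):
    """Tasks whose full permission set the role covers."""
    return sorted(task for task in TASK_PERMISSIONS
                  if not missing_permissions(role_permissions, task))


def unused_permissions(role_permissions, intended_tasks):
    """Permissions no intended task needs: candidates to drop for least privilege."""
    needed = set().union(*(TASK_PERMISSIONS[t] for t in intended_tasks))
    return sorted(set(role_permissions) - needed)


def validate_custom_role(role):
    """role has the shape of a custom role definition ("title",
    "includedPermissions") plus the constructed "intendedTasks" list."""
    perms = set(role["includedPermissions"])
    intended = role.get("intendedTasks", [])
    findings = []
    for perm in sorted(perms & UNAVAILABLE_IN_CUSTOM_ROLES):
        findings.append(f"{perm} is not available in custom roles")
    for task in intended:
        missing = missing_permissions(perms, task)
        if missing:
            findings.append(f"{task}: missing {', '.join(missing)}")
    extra = unused_permissions(perms, intended)
    if extra:
        findings.append(f"not needed for the intended tasks: {', '.join(extra)}")
    return findings


# Constructed sample: a role meant for a reporting service account.
REPORT_READER_ROLE = {
    "title": "Spanner report reader",
    "includedPermissions": ["spanner.databases.select", "spanner.databases.update"],
    "intendedTasks": ["Read data"],
}

if __name__ == "__main__":
    for finding in validate_custom_role(REPORT_READER_ROLE):
        print(finding)
```

Run against the sample, the check reports the two missing session permissions, the unavailable spanner.databases.update, and that spanner.databases.update is not needed for reading anyway; a role that passes with no findings grants exactly the union of its intended tasks' permission sets.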

The following table lists the permissions required for actions in the Google Cloud console.

  • Add principals on the Permissions tab of the Database details page: spanner.databases.setIamPolicy
  • Add principals on the Permissions tab of the Instance page: spanner.instances.setIamPolicy
  • Create a backup: spanner.backups.create, spanner.databases.createBackup, spanner.databases.list (1), spanner.backupOperations.list (1)
  • Create a backup schedule: spanner.backupSchedules.create, spanner.databases.createBackup
  • Create a database: spanner.databases.create
  • Create an instance partition: spanner.instancePartitions.list, spanner.instancePartitionOperations.get, spanner.instancePartitions.create
  • Create a table, or update a table schema: spanner.databaseOperations.get, spanner.databaseOperations.list, spanner.databases.updateDdl
  • Create an instance: spanner.instanceConfigs.list, spanner.instanceOperations.get, spanner.instances.create
  • Delete a backup: spanner.backups.delete
  • Delete a backup schedule: spanner.backupSchedules.delete
  • Delete a database: spanner.databases.drop
  • Delete an instance partition: spanner.instancePartitions.delete
  • Delete an instance: spanner.instances.delete
  • Modify an instance partition: spanner.instancePartitionOperations.get, spanner.instancePartitions.update
  • Modify an instance: spanner.instanceOperations.get, spanner.instances.update
  • Modify data in a table: spanner.databases.beginOrRollbackReadWriteTransaction, spanner.databases.select, spanner.databases.write, spanner.sessions.create, spanner.sessions.delete
  • Restore a database from a backup: spanner.instanceConfigs.list, spanner.instances.get, spanner.backups.get, spanner.backups.restoreDatabase, spanner.instances.list, spanner.databases.create
  • Select a database from the database list and view the schema on the Database details page: spanner.databases.get, spanner.databases.getDdl
  • Select an instance from the instance list to view the Instance Details page: spanner.instances.get
  • Update a backup: spanner.backups.update
  • Update a backup schedule: spanner.backupSchedules.update
  • View data in the Data tab of the Database details page, or create and run a query: spanner.databases.select, spanner.sessions.create, spanner.sessions.delete
  • View the Backup/Restore page: spanner.backups.list, spanner.backups.get
  • View the graphs in the Monitor tab on the Instance details page or the Database details page: monitoring.metricDescriptors.get, monitoring.metricDescriptors.list, monitoring.timeSeries.list, spanner.instances.get
  • View the list of backup operations: spanner.backupOperations.list
  • View the list of databases on the Instance details page: spanner.databases.list
  • View the list of instances on the Instances page: resourcemanager.projects.get, spanner.instances.list
  • View the list of restore operations: spanner.databaseOperations.list
  • View the list on the Permissions tab of the Database details page: spanner.databases.getIamPolicy
  • View the list on the Permissions tab of the Instance page: spanner.instances.getIamPolicy

(1) Required if you are creating a backup from the Backup/Restore page at the instance level instead of the database level.

Spanner IAM policy management

You can get, set, and test IAM policies using the REST or RPC APIs on Spanner instance, database, and backup resources.

Instances

  • projects.instances.getIamPolicy (REST API); GetIamPolicy (RPC API)
  • projects.instances.setIamPolicy (REST API); SetIamPolicy (RPC API)
  • projects.instances.testIamPermissions (REST API); TestIamPermissions (RPC API)

Databases

  • projects.instances.databases.getIamPolicy (REST API); GetIamPolicy (RPC API)
  • projects.instances.databases.setIamPolicy (REST API); SetIamPolicy (RPC API)
  • projects.instances.databases.testIamPermissions (REST API); TestIamPermissions (RPC API)

Backups

  • projects.instances.backups.getIamPolicy (REST API); GetIamPolicy (RPC API)
  • projects.instances.backups.setIamPolicy (REST API); SetIamPolicy (RPC API)
  • projects.instances.backups.testIamPermissions (REST API); TestIamPermissions (RPC API)

What's next


Last updated 2026-02-19 UTC.