Cloud SQL permissions

Required permissions for common tasks in the Google Cloud console

For a list of roles and their associated permissions, see Cloud SQL roles.

| Task | Required additional permissions |
|---|---|
| Display the instance listing page | cloudsql.instances.list, resourcemanager.projects.get |
| Create an instance | cloudsql.instances.create, cloudsql.instances.get, cloudsql.instances.list, resourcemanager.projects.get, compute.machineTypes.list, compute.machineTypes.get, compute.projects.get, roles/compute.viewer |
| Connect to an instance from the Cloud Shell | cloudsql.instances.get, cloudsql.instances.list, cloudsql.instances.update, resourcemanager.projects.get |
| Create a user | cloudsql.instances.get, cloudsql.instances.list, cloudsql.users.create, cloudsql.users.list, resourcemanager.projects.get |
| View instance information | cloudsql.databases.list, cloudsql.instances.get, cloudsql.instances.list, cloudsql.users.list, monitoring.timeSeries.list, resourcemanager.projects.get |
| List the operations of an instance | cloudsql.instances.list |
| Get the operations of an instance | cloudsql.instances.get |
| Get the operations of a project | cloudsql.instances.get |
| View instance metadata in Dataplex Universal Catalog | cloudsql.schemas.view |
| List final backups | cloudsql.backupRuns.list |
| Describe a final backup | cloudsql.backupRuns.get |
| Update a final backup | cloudsql.backupRuns.update |
| Restore a final backup to a new instance | cloudsql.backupRuns.get, cloudsql.instances.restoreBackup, cloudsql.instances.create |
| Restore a final backup to an existing instance | cloudsql.backupRuns.get, cloudsql.instances.restoreBackup |
| Delete a final backup | cloudsql.backupRuns.delete |

Required permissions for gcloud sql commands

| Command | Required permissions |
|---|---|
| gcloud sql backups create | cloudsql.backupRuns.create |
| gcloud sql backups delete | cloudsql.backupRuns.delete |
| gcloud sql backups describe | cloudsql.backupRuns.get |
| gcloud sql backups list | cloudsql.backupRuns.list |
| gcloud sql backups restore | cloudsql.backupRuns.get, cloudsql.instances.restoreBackup |
| gcloud sql connect | cloudsql.instances.get, cloudsql.instances.update |
| gcloud sql databases create | cloudsql.databases.create |
| gcloud sql databases delete | cloudsql.databases.delete |
| gcloud sql databases describe | cloudsql.databases.get |
| gcloud sql databases list | cloudsql.databases.list |
| gcloud sql databases patch | cloudsql.databases.get, cloudsql.databases.update |
| gcloud sql export | cloudsql.instances.export, cloudsql.instances.get |
| gcloud sql flags list | None |
| gcloud sql import | cloudsql.instances.import |
| gcloud sql instances clone | cloudsql.instances.clone |
| gcloud sql instances create | cloudsql.instances.create |
| gcloud sql instances delete | cloudsql.instances.delete |
| gcloud sql instances describe | cloudsql.instances.get |
| gcloud sql instances failover | cloudsql.instances.failover |
| gcloud sql instances import | cloudsql.instances.import |
| gcloud sql instances list | cloudsql.instances.list |
| gcloud sql instances patch | cloudsql.instances.get, cloudsql.instances.update |
| gcloud sql instances promote-replica | cloudsql.instances.promoteReplica |
| gcloud sql instances reset-ssl-config | cloudsql.instances.resetSslConfig |
| gcloud sql instances restart | cloudsql.instances.restart |
| gcloud sql instances restore-backup | cloudsql.backupRuns.get, cloudsql.instances.restoreBackup |
| gcloud sql operations describe | cloudsql.instances.get |
| gcloud sql operations list | cloudsql.instances.get |
| gcloud sql operations wait | cloudsql.instances.get |
| gcloud sql ssl client-certs create | cloudsql.sslCerts.create |
| gcloud sql ssl client-certs delete | cloudsql.sslCerts.delete |
| gcloud sql ssl client-certs describe | cloudsql.sslCerts.list |
| gcloud sql ssl client-certs list | cloudsql.sslCerts.list |
| gcloud sql tiers list | None |
| gcloud sql users create | cloudsql.users.create |
| gcloud sql users delete | cloudsql.users.delete |
| gcloud sql users list | cloudsql.users.list |
| gcloud sql users set-password | cloudsql.users.update |
| gcloud sql operations list | cloudsql.instances.list |
| gcloud sql operations get | cloudsql.instances.get |
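
As an added example (not part of the original page and not Google's code), this Python turns a subset of the gcloud table above into a least-privilege check: it derives the permissions a job's commands need, audits a granted set for missing and excess permissions, and builds a custom role body in the JSON form accepted by `gcloud iam roles create --file`. The job's command list, the granted permissions and the role title are constructed for illustration.

```python
import json

# Subset of the gcloud command table on this page: command -> required permissions.
REQUIRED = {
    "gcloud sql backups create": {"cloudsql.backupRuns.create"},
    "gcloud sql backups list": {"cloudsql.backupRuns.list"},
    "gcloud sql backups describe": {"cloudsql.backupRuns.get"},
    "gcloud sql backups restore": {"cloudsql.backupRuns.get",
                                   "cloudsql.instances.restoreBackup"},
    "gcloud sql instances patch": {"cloudsql.instances.get",
                                   "cloudsql.instances.update"},
    "gcloud sql users set-password": {"cloudsql.users.update"},
    "gcloud sql flags list": set(),  # the table lists "None"
}

def needed_permissions(commands):
    """Union of the permissions required by every command the job runs."""
    unknown = [c for c in commands if c not in REQUIRED]
    if unknown:
        raise KeyError(f"commands not in the table subset: {unknown}")
    return set().union(*(REQUIRED[c] for c in commands))

def audit(granted, commands):
    """Compare what an identity holds with what its commands need."""
    granted, needed = set(granted), needed_permissions(commands)
    return {
        "missing": sorted(needed - granted),   # commands will be denied
        "excess": sorted(granted - needed),    # candidates for removal
        "blocked": [c for c in commands if REQUIRED[c] - granted],
    }

def role_definition(title, commands):
    """Custom role body containing only what the commands require."""
    return {
        "title": title,
        "description": "Generated from the commands the job runs",
        "stage": "GA",
        "includedPermissions": sorted(needed_permissions(commands)),
    }

# Constructed sample: a backup job and the permissions it currently holds.
JOB_COMMANDS = ["gcloud sql backups create", "gcloud sql backups list",
                "gcloud sql backups describe"]
GRANTED = ["cloudsql.backupRuns.create", "cloudsql.backupRuns.list",
           "cloudsql.instances.update", "cloudsql.users.update"]

if __name__ == "__main__":
    print(json.dumps(audit(GRANTED, JOB_COMMANDS), indent=2))
    print(json.dumps(role_definition("SQL backup job", JOB_COMMANDS), indent=2))
```
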

Required permissions for Cloud SQL Admin API methods

The following table lists the permissions that the caller must have to call each method in the Cloud SQL Admin API, or to perform tasks using Google Cloud tools that use the API (such as the Google Cloud console or the gcloud command line tool).

Note: To call a method, you must also have the required scopes as described in the method's reference page, in addition to the following permissions.

For more information, see Authorizing requests with OAuth 2.0.

All permissions are applied to the project. You cannot apply different permissions based on the instance or other lower-level object.

| Method | Required permissions |
|---|---|
| backups.deleteBackup | cloudsql.backupRuns.delete |
| backups.getBackup | cloudsql.backupRuns.get |
| backups.updateBackup | cloudsql.backupRuns.update |
| backups.listBackups | cloudsql.backupRuns.list |
| backups.createBackup | cloudsql.backupRuns.create |
| databases.delete | cloudsql.databases.delete |
| databases.get | cloudsql.databases.get |
| databases.insert | cloudsql.databases.create |
| databases.list | cloudsql.databases.list |
| databases.patch | cloudsql.databases.update, cloudsql.databases.get |
| databases.update | cloudsql.databases.update |
| flags.list | None |
| instances.clone | cloudsql.instances.clone |
| instances.delete | cloudsql.instances.delete |
| instances.export | cloudsql.instances.export |
| instances.failover | cloudsql.instances.failover |
| instances.get | cloudsql.instances.get |
| instances.import | cloudsql.instances.import |
| instances.insert | cloudsql.instances.create |
| instances.list | cloudsql.instances.list |
| instances.patch | cloudsql.instances.get, cloudsql.instances.update |
| instances.promoteReplica | cloudsql.instances.promoteReplica |
| instances.resetSslConfig | cloudsql.instances.resetSslConfig |
| instances.restart | cloudsql.instances.restart |
| instances.restoreBackup | cloudsql.instances.restoreBackup, cloudsql.backupRuns.get |
| instances.startReplica | cloudsql.instances.startReplica |
| instances.stopReplica | cloudsql.instances.stopReplica |
| instances.truncateLog | cloudsql.instances.truncateLog |
| instances.update | cloudsql.instances.update |
| operations.get | cloudsql.instances.get |
| operations.get | cloudsql.instances.get |
| operations.list | cloudsql.instances.get |
| operations.list | cloudsql.instances.list |
| sslCerts.delete | cloudsql.sslCerts.delete |
| sslCerts.get | cloudsql.sslCerts.get |
| sslCerts.insert | cloudsql.sslCerts.create |
| sslCerts.list | cloudsql.sslCerts.list |
| users.delete | cloudsql.users.delete |
| users.insert | cloudsql.users.create |
| users.list | cloudsql.users.list |
| users.update | cloudsql.users.update |

Last updated 2025-07-14 UTC.