roles/spanner.admin
Full control of Cloud Spanner resources.
Cloud Spanner Admin
['monitoring.timeSeries.list', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'spanner.backupOperations.cancel', 'spanner.backupOperations.get', 'spanner.backupOperations.list', 'spanner.backupSchedules.create', 'spanner.backupSchedules.delete', 'spanner.backupSchedules.get', 'spanner.backupSchedules.getIamPolicy', 'spanner.backupSchedules.list', 'spanner.backupSchedules.setIamPolicy', 'spanner.backupSchedules.update', 'spanner.backups.copy', 'spanner.backups.create', 'spanner.backups.delete', 'spanner.backups.get', 'spanner.backups.getIamPolicy', 'spanner.backups.list', 'spanner.backups.restoreDatabase', 'spanner.backups.setIamPolicy', 'spanner.backups.update', 'spanner.databaseOperations.cancel', 'spanner.databaseOperations.get', 'spanner.databaseOperations.list', 'spanner.databaseRoles.list', 'spanner.databaseRoles.use', 'spanner.databases.beginOrRollbackReadWriteTransaction', 'spanner.databases.beginPartitionedDmlTransaction', 'spanner.databases.beginReadOnlyTransaction', 'spanner.databases.changequorum', 'spanner.databases.create', 'spanner.databases.createBackup', 'spanner.databases.drop', 'spanner.databases.get', 'spanner.databases.getDdl', 'spanner.databases.getIamPolicy', 'spanner.databases.list', 'spanner.databases.partitionQuery', 'spanner.databases.partitionRead', 'spanner.databases.read', 'spanner.databases.select', 'spanner.databases.setIamPolicy', 'spanner.databases.update', 'spanner.databases.updateDdl', 'spanner.databases.updateTag', 'spanner.databases.useDataBoost', 'spanner.databases.useRoleBasedAccess', 'spanner.databases.write', 'spanner.instanceConfigOperations.cancel', 'spanner.instanceConfigOperations.delete', 'spanner.instanceConfigOperations.get', 'spanner.instanceConfigOperations.list', 'spanner.instanceConfigs.create', 'spanner.instanceConfigs.delete', 'spanner.instanceConfigs.get', 'spanner.instanceConfigs.list', 'spanner.instanceConfigs.update', 'spanner.instanceOperations.cancel', 'spanner.instanceOperations.delete', 
'spanner.instanceOperations.get', 'spanner.instanceOperations.list', 'spanner.instancePartitionOperations.cancel', 'spanner.instancePartitionOperations.delete', 'spanner.instancePartitionOperations.get', 'spanner.instancePartitionOperations.list', 'spanner.instancePartitions.create', 'spanner.instancePartitions.delete', 'spanner.instancePartitions.get', 'spanner.instancePartitions.list', 'spanner.instancePartitions.update', 'spanner.instances.create', 'spanner.instances.createTagBinding', 'spanner.instances.delete', 'spanner.instances.deleteTagBinding', 'spanner.instances.get', 'spanner.instances.getIamPolicy', 'spanner.instances.list', 'spanner.instances.listEffectiveTags', 'spanner.instances.listTagBindings', 'spanner.instances.setIamPolicy', 'spanner.instances.update', 'spanner.instances.updateTag', 'spanner.sessions.create', 'spanner.sessions.delete', 'spanner.sessions.get', 'spanner.sessions.list']
GA
roles/spanner.databaseReader
Access to read and/or query a Cloud Spanner database.
Cloud Spanner Database Reader
['spanner.databases.beginReadOnlyTransaction', 'spanner.databases.getDdl', 'spanner.databases.partitionQuery', 'spanner.databases.partitionRead', 'spanner.databases.read', 'spanner.databases.select', 'spanner.instancePartitions.get', 'spanner.instances.get', 'spanner.sessions.create', 'spanner.sessions.delete', 'spanner.sessions.get', 'spanner.sessions.list']
GA
roles/spanner.serviceAgent
Cloud Spanner API Service Agent
Cloud Spanner API Service Agent
['aiplatform.endpoints.get', 'aiplatform.endpoints.list', 'aiplatform.endpoints.predict', 'aiplatform.models.get', 'aiplatform.models.list']
GA
roles/spanner.databaseRoleUser
In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/<your Spanner database role>`.
Cloud Spanner Database Role User
['spanner.databaseRoles.use']
GA
roles/spanner.backupWriter
Role with limited permissions to create and manage Cloud Spanner backups. Does not have permission to modify backups.
Cloud Spanner Backup Writer
['spanner.backupOperations.get', 'spanner.backupOperations.list', 'spanner.backupSchedules.create', 'spanner.backupSchedules.get', 'spanner.backupSchedules.list', 'spanner.backups.copy', 'spanner.backups.create', 'spanner.backups.get', 'spanner.backups.list', 'spanner.databases.createBackup', 'spanner.databases.get', 'spanner.databases.list', 'spanner.instancePartitions.get', 'spanner.instances.get']
GA
roles/spanner.backupAdmin
Administrator role to manage Cloud Spanner backups. Does not include permissions to restore from Cloud Spanner backups.
Cloud Spanner Backup Admin
['monitoring.timeSeries.list', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'spanner.backupOperations.cancel', 'spanner.backupOperations.get', 'spanner.backupOperations.list', 'spanner.backupSchedules.create', 'spanner.backupSchedules.delete', 'spanner.backupSchedules.get', 'spanner.backupSchedules.list', 'spanner.backupSchedules.update', 'spanner.backups.copy', 'spanner.backups.create', 'spanner.backups.delete', 'spanner.backups.get', 'spanner.backups.getIamPolicy', 'spanner.backups.list', 'spanner.backups.setIamPolicy', 'spanner.backups.update', 'spanner.databases.createBackup', 'spanner.databases.get', 'spanner.databases.list', 'spanner.instancePartitions.get', 'spanner.instancePartitions.list', 'spanner.instances.createTagBinding', 'spanner.instances.deleteTagBinding', 'spanner.instances.get', 'spanner.instances.list', 'spanner.instances.listEffectiveTags', 'spanner.instances.listTagBindings']
GA
roles/spanner.fineGrainedAccessUser
Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the Cloud Spanner Database Role User IAM role and its necessary conditions.
Cloud Spanner Fine-grained Access User
['spanner.databaseRoles.list', 'spanner.databases.useRoleBasedAccess']
GA
roles/spanner.databaseAdmin
Full control of Cloud Spanner databases.
Cloud Spanner Database Admin
['monitoring.timeSeries.list', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'spanner.databaseOperations.cancel', 'spanner.databaseOperations.get', 'spanner.databaseOperations.list', 'spanner.databaseRoles.list', 'spanner.databaseRoles.use', 'spanner.databases.beginOrRollbackReadWriteTransaction', 'spanner.databases.beginPartitionedDmlTransaction', 'spanner.databases.beginReadOnlyTransaction', 'spanner.databases.changequorum', 'spanner.databases.create', 'spanner.databases.drop', 'spanner.databases.get', 'spanner.databases.getDdl', 'spanner.databases.getIamPolicy', 'spanner.databases.list', 'spanner.databases.partitionQuery', 'spanner.databases.partitionRead', 'spanner.databases.read', 'spanner.databases.select', 'spanner.databases.setIamPolicy', 'spanner.databases.update', 'spanner.databases.updateDdl', 'spanner.databases.updateTag', 'spanner.databases.useDataBoost', 'spanner.databases.useRoleBasedAccess', 'spanner.databases.write', 'spanner.instancePartitions.get', 'spanner.instancePartitions.list', 'spanner.instances.createTagBinding', 'spanner.instances.deleteTagBinding', 'spanner.instances.get', 'spanner.instances.getIamPolicy', 'spanner.instances.list', 'spanner.instances.listEffectiveTags', 'spanner.instances.listTagBindings', 'spanner.sessions.create', 'spanner.sessions.delete', 'spanner.sessions.get', 'spanner.sessions.list']
GA
roles/spanner.databaseUser
Access to read, query, write, and view and change the schema of Cloud Spanner databases.
Cloud Spanner Database User
['spanner.databaseOperations.cancel', 'spanner.databaseOperations.get', 'spanner.databaseOperations.list', 'spanner.databases.beginOrRollbackReadWriteTransaction', 'spanner.databases.beginPartitionedDmlTransaction', 'spanner.databases.beginReadOnlyTransaction', 'spanner.databases.changequorum', 'spanner.databases.getDdl', 'spanner.databases.partitionQuery', 'spanner.databases.partitionRead', 'spanner.databases.read', 'spanner.databases.select', 'spanner.databases.updateDdl', 'spanner.databases.updateTag', 'spanner.databases.write', 'spanner.instancePartitions.get', 'spanner.instances.get', 'spanner.sessions.create', 'spanner.sessions.delete', 'spanner.sessions.get', 'spanner.sessions.list']
GA
roles/spanner.viewer
Viewer access to Cloud Spanner resources.
Cloud Spanner Viewer
['monitoring.timeSeries.list', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'spanner.databases.list', 'spanner.instanceConfigs.get', 'spanner.instanceConfigs.list', 'spanner.instancePartitions.get', 'spanner.instancePartitions.list', 'spanner.instances.get', 'spanner.instances.list', 'spanner.instances.listEffectiveTags', 'spanner.instances.listTagBindings']
GA
roles/spanner.restoreAdmin
Administrator role to restore Cloud Spanner databases from Cloud Spanner backups.
Cloud Spanner Restore Admin
['monitoring.timeSeries.list', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'spanner.backups.get', 'spanner.backups.list', 'spanner.backups.restoreDatabase', 'spanner.databaseOperations.cancel', 'spanner.databaseOperations.get', 'spanner.databaseOperations.list', 'spanner.databases.create', 'spanner.databases.get', 'spanner.databases.list', 'spanner.instancePartitions.get', 'spanner.instancePartitions.list', 'spanner.instances.createTagBinding', 'spanner.instances.deleteTagBinding', 'spanner.instances.get', 'spanner.instances.list', 'spanner.instances.listEffectiveTags', 'spanner.instances.listTagBindings']
GA