Cloud SQL roles and permissions

This page lists the IAM roles and permissions for Cloud SQL. To search through all roles and permissions, see the role and permission index.

Cloud SQL roles

Role Permissions

Role	Permissions
Cloud SQL Admin (`roles/cloudsql.admin`) Provides full control of Cloud SQL resources. Lowest-level resources where you can grant this role: Project	`backupdr.backupPlanAssociations.createForCloudSqlInstance` `backupdr.backupPlanAssociations.deleteForCloudSqlInstance` `backupdr.backupPlanAssociations.fetchForCloudSqlInstance` `backupdr.backupPlanAssociations.getForCloudSqlInstance` `backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupPlans.useForCloudSqlInstance` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.fetchForCloudSqlInstance` `backupdr.bvbackups.useReadOnlyForCloudSqlInstance` `backupdr.bvdataSources.useReadOnlyForCloudSqlInstance` `backupdr.dataSourceReferences.fetchForCloudSqlInstance` `backupdr.dataSourceReferences.getForCloudSqlInstance` `backupdr.locations.list` `backupdr.operations.get` `backupdr.serviceConfig.initialize` `cloudaicompanion.companions.` `cloudaicompanion.companions.generateChat` `cloudaicompanion.companions.generateCode` `cloudaicompanion.entitlements.get` `cloudaicompanion.instances.completeCode` `cloudaicompanion.instances.generateCode` `cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `cloudsql.` `cloudsql.backupRuns.create` `cloudsql.backupRuns.delete` `cloudsql.backupRuns.export` `cloudsql.backupRuns.get` `cloudsql.backupRuns.list` `cloudsql.backupRuns.update` `cloudsql.databases.create` `cloudsql.databases.delete` `cloudsql.databases.get` `cloudsql.databases.list` `cloudsql.databases.update` `cloudsql.instances.addServerCa` `cloudsql.instances.addServerCertificate` `cloudsql.instances.clone` `cloudsql.instances.connect` `cloudsql.instances.create` `cloudsql.instances.createBackupDrBackup` `cloudsql.instances.createTagBinding` `cloudsql.instances.delete` `cloudsql.instances.deleteTagBinding` `cloudsql.instances.demoteMaster` `cloudsql.instances.executeSql` `cloudsql.instances.export` `cloudsql.instances.failover` `cloudsql.instances.get` `cloudsql.instances.getDiskShrinkConfig` `cloudsql.instances.import` `cloudsql.instances.list` `cloudsql.instances.listEffectiveTags` `cloudsql.instances.listServerCas` `cloudsql.instances.listServerCertificates` `cloudsql.instances.listTagBindings` `cloudsql.instances.login` `cloudsql.instances.manageEncryption` `cloudsql.instances.migrate` `cloudsql.instances.performDiskShrink` `cloudsql.instances.preCheckMajorVersionUpgrade` `cloudsql.instances.promoteReplica` `cloudsql.instances.reencrypt` `cloudsql.instances.resetReplicaSize` `cloudsql.instances.resetSslConfig` `cloudsql.instances.restart` `cloudsql.instances.restoreBackup` `cloudsql.instances.rotateServerCa` `cloudsql.instances.rotateServerCertificate` `cloudsql.instances.startReplica` `cloudsql.instances.stopReplica` `cloudsql.instances.truncateLog` `cloudsql.instances.update` `cloudsql.instances.updateBackupDrConfig` `cloudsql.schemas.view` `cloudsql.sslCerts.create` `cloudsql.sslCerts.delete` `cloudsql.sslCerts.get` `cloudsql.sslCerts.list` `cloudsql.users.create` `cloudsql.users.delete` `cloudsql.users.get` `cloudsql.users.list` `cloudsql.users.update` `databasesconsole.locations.` `databasesconsole.locations.get` `databasesconsole.locations.list` `databasesconsole.studioQueries.` `databasesconsole.studioQueries.create` `databasesconsole.studioQueries.delete` `databasesconsole.studioQueries.get` `databasesconsole.studioQueries.list` `databasesconsole.studioQueries.search` `databasesconsole.studioQueries.update` `monitoring.timeSeries.list` `recommender.cloudsqlIdleInstanceRecommendations.` `recommender.cloudsqlIdleInstanceRecommendations.get` `recommender.cloudsqlIdleInstanceRecommendations.list` `recommender.cloudsqlIdleInstanceRecommendations.update` `recommender.cloudsqlInstanceActivityInsights.` `recommender.cloudsqlInstanceActivityInsights.get` `recommender.cloudsqlInstanceActivityInsights.list` `recommender.cloudsqlInstanceActivityInsights.update` `recommender.cloudsqlInstanceCpuUsageInsights.` `recommender.cloudsqlInstanceCpuUsageInsights.get` `recommender.cloudsqlInstanceCpuUsageInsights.list` `recommender.cloudsqlInstanceCpuUsageInsights.update` `recommender.cloudsqlInstanceDiskUsageTrendInsights.` `recommender.cloudsqlInstanceDiskUsageTrendInsights.get` `recommender.cloudsqlInstanceDiskUsageTrendInsights.list` `recommender.cloudsqlInstanceDiskUsageTrendInsights.update` `recommender.cloudsqlInstanceMemoryUsageInsights.` `recommender.cloudsqlInstanceMemoryUsageInsights.get` `recommender.cloudsqlInstanceMemoryUsageInsights.list` `recommender.cloudsqlInstanceMemoryUsageInsights.update` `recommender.cloudsqlInstanceOomProbabilityInsights.` `recommender.cloudsqlInstanceOomProbabilityInsights.get` `recommender.cloudsqlInstanceOomProbabilityInsights.list` `recommender.cloudsqlInstanceOomProbabilityInsights.update` `recommender.cloudsqlInstanceOutOfDiskRecommendations.` `recommender.cloudsqlInstanceOutOfDiskRecommendations.get` `recommender.cloudsqlInstanceOutOfDiskRecommendations.list` `recommender.cloudsqlInstanceOutOfDiskRecommendations.update` `recommender.cloudsqlInstancePerformanceInsights.` `recommender.cloudsqlInstancePerformanceInsights.get` `recommender.cloudsqlInstancePerformanceInsights.list` `recommender.cloudsqlInstancePerformanceInsights.update` `recommender.cloudsqlInstancePerformanceRecommendations.` `recommender.cloudsqlInstancePerformanceRecommendations.get` `recommender.cloudsqlInstancePerformanceRecommendations.list` `recommender.cloudsqlInstancePerformanceRecommendations.update` `recommender.cloudsqlInstanceReliabilityInsights.` `recommender.cloudsqlInstanceReliabilityInsights.get` `recommender.cloudsqlInstanceReliabilityInsights.list` `recommender.cloudsqlInstanceReliabilityInsights.update` `recommender.cloudsqlInstanceReliabilityRecommendations.` `recommender.cloudsqlInstanceReliabilityRecommendations.get` `recommender.cloudsqlInstanceReliabilityRecommendations.list` `recommender.cloudsqlInstanceReliabilityRecommendations.update` `recommender.cloudsqlInstanceSecurityInsights.` `recommender.cloudsqlInstanceSecurityInsights.get` `recommender.cloudsqlInstanceSecurityInsights.list` `recommender.cloudsqlInstanceSecurityInsights.update` `recommender.cloudsqlInstanceSecurityRecommendations.` `recommender.cloudsqlInstanceSecurityRecommendations.get` `recommender.cloudsqlInstanceSecurityRecommendations.list` `recommender.cloudsqlInstanceSecurityRecommendations.update` `recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.` `recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get` `recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list` `recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.update` `recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.` `recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get` `recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list` `recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.update` `recommender.cloudsqlOverprovisionedInstanceRecommendations.` `recommender.cloudsqlOverprovisionedInstanceRecommendations.get` `recommender.cloudsqlOverprovisionedInstanceRecommendations.list` `recommender.cloudsqlOverprovisionedInstanceRecommendations.update` `recommender.cloudsqlUnderProvisionedInstanceRecommendations.` `recommender.cloudsqlUnderProvisionedInstanceRecommendations.get` `recommender.cloudsqlUnderProvisionedInstanceRecommendations.list` `recommender.cloudsqlUnderProvisionedInstanceRecommendations.update` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.effectivepolicy.get` `serviceusage.groups.*` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.values.test`
Cloud SQL Client (`roles/cloudsql.client`) Provides connectivity access to Cloud SQL instances. Lowest-level resources where you can grant this role: Project	`cloudsql.instances.connect` `cloudsql.instances.get`
Cloud SQL Editor (`roles/cloudsql.editor`) Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources. Lowest-level resources where you can grant this role: Project	`cloudaicompanion.entitlements.get` `cloudsql.backupRuns.create` `cloudsql.backupRuns.export` `cloudsql.backupRuns.get` `cloudsql.backupRuns.list` `cloudsql.backupRuns.update` `cloudsql.databases.create` `cloudsql.databases.get` `cloudsql.databases.list` `cloudsql.databases.update` `cloudsql.instances.addServerCa` `cloudsql.instances.addServerCertificate` `cloudsql.instances.connect` `cloudsql.instances.export` `cloudsql.instances.failover` `cloudsql.instances.get` `cloudsql.instances.getDiskShrinkConfig` `cloudsql.instances.list` `cloudsql.instances.listEffectiveTags` `cloudsql.instances.listServerCas` `cloudsql.instances.listServerCertificates` `cloudsql.instances.listTagBindings` `cloudsql.instances.migrate` `cloudsql.instances.performDiskShrink` `cloudsql.instances.preCheckMajorVersionUpgrade` `cloudsql.instances.reencrypt` `cloudsql.instances.resetReplicaSize` `cloudsql.instances.restart` `cloudsql.instances.rotateServerCa` `cloudsql.instances.rotateServerCertificate` `cloudsql.instances.truncateLog` `cloudsql.instances.update` `cloudsql.schemas.view` `cloudsql.sslCerts.get` `cloudsql.sslCerts.list` `cloudsql.users.get` `cloudsql.users.list` `monitoring.timeSeries.list` `recommender.cloudsqlIdleInstanceRecommendations.` `recommender.cloudsqlIdleInstanceRecommendations.get` `recommender.cloudsqlIdleInstanceRecommendations.list` `recommender.cloudsqlIdleInstanceRecommendations.update` `recommender.cloudsqlInstanceActivityInsights.` `recommender.cloudsqlInstanceActivityInsights.get` `recommender.cloudsqlInstanceActivityInsights.list` `recommender.cloudsqlInstanceActivityInsights.update` `recommender.cloudsqlInstanceCpuUsageInsights.` `recommender.cloudsqlInstanceCpuUsageInsights.get` `recommender.cloudsqlInstanceCpuUsageInsights.list` `recommender.cloudsqlInstanceCpuUsageInsights.update` `recommender.cloudsqlInstanceDiskUsageTrendInsights.` `recommender.cloudsqlInstanceDiskUsageTrendInsights.get` `recommender.cloudsqlInstanceDiskUsageTrendInsights.list` `recommender.cloudsqlInstanceDiskUsageTrendInsights.update` `recommender.cloudsqlInstanceMemoryUsageInsights.` `recommender.cloudsqlInstanceMemoryUsageInsights.get` `recommender.cloudsqlInstanceMemoryUsageInsights.list` `recommender.cloudsqlInstanceMemoryUsageInsights.update` `recommender.cloudsqlInstanceOomProbabilityInsights.` `recommender.cloudsqlInstanceOomProbabilityInsights.get` `recommender.cloudsqlInstanceOomProbabilityInsights.list` `recommender.cloudsqlInstanceOomProbabilityInsights.update` `recommender.cloudsqlInstanceOutOfDiskRecommendations.` `recommender.cloudsqlInstanceOutOfDiskRecommendations.get` `recommender.cloudsqlInstanceOutOfDiskRecommendations.list` `recommender.cloudsqlInstanceOutOfDiskRecommendations.update` `recommender.cloudsqlInstancePerformanceInsights.` `recommender.cloudsqlInstancePerformanceInsights.get` `recommender.cloudsqlInstancePerformanceInsights.list` `recommender.cloudsqlInstancePerformanceInsights.update` `recommender.cloudsqlInstancePerformanceRecommendations.` `recommender.cloudsqlInstancePerformanceRecommendations.get` `recommender.cloudsqlInstancePerformanceRecommendations.list` `recommender.cloudsqlInstancePerformanceRecommendations.update` `recommender.cloudsqlInstanceReliabilityInsights.` `recommender.cloudsqlInstanceReliabilityInsights.get` `recommender.cloudsqlInstanceReliabilityInsights.list` `recommender.cloudsqlInstanceReliabilityInsights.update` `recommender.cloudsqlInstanceReliabilityRecommendations.` `recommender.cloudsqlInstanceReliabilityRecommendations.get` `recommender.cloudsqlInstanceReliabilityRecommendations.list` `recommender.cloudsqlInstanceReliabilityRecommendations.update` `recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.` `recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get` `recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list` `recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.update` `recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.` `recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get` `recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list` `recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.update` `recommender.cloudsqlOverprovisionedInstanceRecommendations.` `recommender.cloudsqlOverprovisionedInstanceRecommendations.get` `recommender.cloudsqlOverprovisionedInstanceRecommendations.list` `recommender.cloudsqlOverprovisionedInstanceRecommendations.update` `recommender.cloudsqlUnderProvisionedInstanceRecommendations.` `recommender.cloudsqlUnderProvisionedInstanceRecommendations.get` `recommender.cloudsqlUnderProvisionedInstanceRecommendations.list` `recommender.cloudsqlUnderProvisionedInstanceRecommendations.update` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.effectivepolicy.get` `serviceusage.groups.` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.values.test`
Cloud SQL Instance User (`roles/cloudsql.instanceUser`) Role allowing access to a Cloud SQL instance	`cloudsql.instances.executeSql` `cloudsql.instances.get` `cloudsql.instances.login`
Cloud SQL Schema Viewer (`roles/cloudsql.schemaViewer`) Role allowing access to the Cloud SQL instance schema on Dataplex	`cloudsql.schemas.view`
Cloud SQL Service Agent (`roles/cloudsql.serviceAgent`) Grants Cloud SQL access to services and APIs in the user project Warning: Do not grant service agent roles to any principals except service agents.	`cloudsql.instances.get`
Cloud SQL Studio User (`roles/cloudsql.studioUser`) Role allowing access to Cloud SQL Studio	`cloudaicompanion.companions.` `cloudaicompanion.companions.generateChat` `cloudaicompanion.companions.generateCode` `cloudaicompanion.instances.completeCode` `cloudaicompanion.instances.generateCode` `cloudsql.databases.list` `cloudsql.instances.executeSql` `cloudsql.instances.get` `cloudsql.instances.login` `cloudsql.users.list` `databasesconsole.locations.` `databasesconsole.locations.get` `databasesconsole.locations.list` `databasesconsole.studioQueries.search`
Cloud SQL Viewer (`roles/cloudsql.viewer`) Provides read-only access to Cloud SQL resources. Lowest-level resources where you can grant this role: Project	`cloudaicompanion.entitlements.get` `cloudsql.backupRuns.export` `cloudsql.backupRuns.get` `cloudsql.backupRuns.list` `cloudsql.databases.get` `cloudsql.databases.list` `cloudsql.instances.export` `cloudsql.instances.get` `cloudsql.instances.getDiskShrinkConfig` `cloudsql.instances.list` `cloudsql.instances.listEffectiveTags` `cloudsql.instances.listServerCas` `cloudsql.instances.listServerCertificates` `cloudsql.instances.listTagBindings` `cloudsql.instances.preCheckMajorVersionUpgrade` `cloudsql.sslCerts.get` `cloudsql.sslCerts.list` `cloudsql.users.get` `cloudsql.users.list` `monitoring.timeSeries.list` `recommender.cloudsqlIdleInstanceRecommendations.get` `recommender.cloudsqlIdleInstanceRecommendations.list` `recommender.cloudsqlInstanceActivityInsights.get` `recommender.cloudsqlInstanceActivityInsights.list` `recommender.cloudsqlInstanceCpuUsageInsights.get` `recommender.cloudsqlInstanceCpuUsageInsights.list` `recommender.cloudsqlInstanceDiskUsageTrendInsights.get` `recommender.cloudsqlInstanceDiskUsageTrendInsights.list` `recommender.cloudsqlInstanceMemoryUsageInsights.get` `recommender.cloudsqlInstanceMemoryUsageInsights.list` `recommender.cloudsqlInstanceOomProbabilityInsights.get` `recommender.cloudsqlInstanceOomProbabilityInsights.list` `recommender.cloudsqlInstanceOutOfDiskRecommendations.get` `recommender.cloudsqlInstanceOutOfDiskRecommendations.list` `recommender.cloudsqlInstancePerformanceInsights.get` `recommender.cloudsqlInstancePerformanceInsights.list` `recommender.cloudsqlInstancePerformanceRecommendations.get` `recommender.cloudsqlInstancePerformanceRecommendations.list` `recommender.cloudsqlInstanceReliabilityInsights.get` `recommender.cloudsqlInstanceReliabilityInsights.list` `recommender.cloudsqlInstanceReliabilityRecommendations.get` `recommender.cloudsqlInstanceReliabilityRecommendations.list` `recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get` `recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list` `recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get` `recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list` `recommender.cloudsqlOverprovisionedInstanceRecommendations.get` `recommender.cloudsqlOverprovisionedInstanceRecommendations.list` `recommender.cloudsqlUnderProvisionedInstanceRecommendations.get` `recommender.cloudsqlUnderProvisionedInstanceRecommendations.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.effectivepolicy.get` `serviceusage.groups.*` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.values.test`

Cloud SQL Admin

(roles/cloudsql.admin)

Provides full control of Cloud SQL resources.

Lowest-level resources where you can grant this role:

Project

backupdr.backupPlanAssociations.createForCloudSqlInstance

backupdr.backupPlanAssociations.deleteForCloudSqlInstance

backupdr.backupPlanAssociations.fetchForCloudSqlInstance

backupdr.backupPlanAssociations.getForCloudSqlInstance

backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupPlans.useForCloudSqlInstance

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.useReadOnlyForCloudSqlInstance

backupdr.bvdataSources.useReadOnlyForCloudSqlInstance

backupdr.dataSourceReferences.fetchForCloudSqlInstance

backupdr.dataSourceReferences.getForCloudSqlInstance

backupdr.locations.list

backupdr.operations.get

backupdr.serviceConfig.initialize

cloudaicompanion.companions.*

cloudaicompanion.companions.generateChat
cloudaicompanion.companions.generateCode

cloudaicompanion.entitlements.get

cloudaicompanion.instances.completeCode

cloudaicompanion.instances.generateCode

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

cloudsql.*

cloudsql.backupRuns.create
cloudsql.backupRuns.delete
cloudsql.backupRuns.export
cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.backupRuns.update
cloudsql.databases.create
cloudsql.databases.delete
cloudsql.databases.get
cloudsql.databases.list
cloudsql.databases.update
cloudsql.instances.addServerCa
cloudsql.instances.addServerCertificate
cloudsql.instances.clone
cloudsql.instances.connect
cloudsql.instances.create
cloudsql.instances.createBackupDrBackup
cloudsql.instances.createTagBinding
cloudsql.instances.delete
cloudsql.instances.deleteTagBinding
cloudsql.instances.demoteMaster
cloudsql.instances.executeSql
cloudsql.instances.export
cloudsql.instances.failover
cloudsql.instances.get
cloudsql.instances.getDiskShrinkConfig
cloudsql.instances.import
cloudsql.instances.list
cloudsql.instances.listEffectiveTags
cloudsql.instances.listServerCas
cloudsql.instances.listServerCertificates
cloudsql.instances.listTagBindings
cloudsql.instances.login
cloudsql.instances.manageEncryption
cloudsql.instances.migrate
cloudsql.instances.performDiskShrink
cloudsql.instances.preCheckMajorVersionUpgrade
cloudsql.instances.promoteReplica
cloudsql.instances.reencrypt
cloudsql.instances.resetReplicaSize
cloudsql.instances.resetSslConfig
cloudsql.instances.restart
cloudsql.instances.restoreBackup
cloudsql.instances.rotateServerCa
cloudsql.instances.rotateServerCertificate
cloudsql.instances.startReplica
cloudsql.instances.stopReplica
cloudsql.instances.truncateLog
cloudsql.instances.update
cloudsql.instances.updateBackupDrConfig
cloudsql.schemas.view
cloudsql.sslCerts.create
cloudsql.sslCerts.delete
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.create
cloudsql.users.delete
cloudsql.users.get
cloudsql.users.list
cloudsql.users.update

databasesconsole.locations.*

databasesconsole.locations.get
databasesconsole.locations.list

databasesconsole.studioQueries.*

databasesconsole.studioQueries.create
databasesconsole.studioQueries.delete
databasesconsole.studioQueries.get
databasesconsole.studioQueries.list
databasesconsole.studioQueries.search
databasesconsole.studioQueries.update

monitoring.timeSeries.list

recommender.cloudsqlIdleInstanceRecommendations.*

recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlIdleInstanceRecommendations.update

recommender.cloudsqlInstanceActivityInsights.*

recommender.cloudsqlInstanceActivityInsights.get
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceActivityInsights.update

recommender.cloudsqlInstanceCpuUsageInsights.*

recommender.cloudsqlInstanceCpuUsageInsights.get
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.update

recommender.cloudsqlInstanceDiskUsageTrendInsights.*

recommender.cloudsqlInstanceDiskUsageTrendInsights.get
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.update

recommender.cloudsqlInstanceMemoryUsageInsights.*

recommender.cloudsqlInstanceMemoryUsageInsights.get
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.update

recommender.cloudsqlInstanceOomProbabilityInsights.*

recommender.cloudsqlInstanceOomProbabilityInsights.get
recommender.cloudsqlInstanceOomProbabilityInsights.list
recommender.cloudsqlInstanceOomProbabilityInsights.update

recommender.cloudsqlInstanceOutOfDiskRecommendations.*

recommender.cloudsqlInstanceOutOfDiskRecommendations.get
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.update

recommender.cloudsqlInstancePerformanceInsights.*

recommender.cloudsqlInstancePerformanceInsights.get
recommender.cloudsqlInstancePerformanceInsights.list
recommender.cloudsqlInstancePerformanceInsights.update

recommender.cloudsqlInstancePerformanceRecommendations.*

recommender.cloudsqlInstancePerformanceRecommendations.get
recommender.cloudsqlInstancePerformanceRecommendations.list
recommender.cloudsqlInstancePerformanceRecommendations.update

recommender.cloudsqlInstanceReliabilityInsights.*

recommender.cloudsqlInstanceReliabilityInsights.get
recommender.cloudsqlInstanceReliabilityInsights.list
recommender.cloudsqlInstanceReliabilityInsights.update

recommender.cloudsqlInstanceReliabilityRecommendations.*

recommender.cloudsqlInstanceReliabilityRecommendations.get
recommender.cloudsqlInstanceReliabilityRecommendations.list
recommender.cloudsqlInstanceReliabilityRecommendations.update

recommender.cloudsqlInstanceSecurityInsights.*

recommender.cloudsqlInstanceSecurityInsights.get
recommender.cloudsqlInstanceSecurityInsights.list
recommender.cloudsqlInstanceSecurityInsights.update

recommender.cloudsqlInstanceSecurityRecommendations.*

recommender.cloudsqlInstanceSecurityRecommendations.get
recommender.cloudsqlInstanceSecurityRecommendations.list
recommender.cloudsqlInstanceSecurityRecommendations.update

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.*

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.update

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.*

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.update

recommender.cloudsqlOverprovisionedInstanceRecommendations.*

recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.update

recommender.cloudsqlUnderProvisionedInstanceRecommendations.*

recommender.cloudsqlUnderProvisionedInstanceRecommendations.get
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
recommender.cloudsqlUnderProvisionedInstanceRecommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.values.test

Cloud SQL Client

(roles/cloudsql.client)

Provides connectivity access to Cloud SQL instances.

Lowest-level resources where you can grant this role:

Project

cloudsql.instances.connect

cloudsql.instances.get

Cloud SQL Editor

(roles/cloudsql.editor)

Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources.

Lowest-level resources where you can grant this role:

Project

cloudaicompanion.entitlements.get

cloudsql.backupRuns.create

cloudsql.backupRuns.export

cloudsql.backupRuns.get

cloudsql.backupRuns.list

cloudsql.backupRuns.update

cloudsql.databases.create

cloudsql.databases.get

cloudsql.databases.list

cloudsql.databases.update

cloudsql.instances.addServerCa

cloudsql.instances.addServerCertificate

cloudsql.instances.connect

cloudsql.instances.export

cloudsql.instances.failover

cloudsql.instances.get

cloudsql.instances.getDiskShrinkConfig

cloudsql.instances.list

cloudsql.instances.listEffectiveTags

cloudsql.instances.listServerCas

cloudsql.instances.listServerCertificates

cloudsql.instances.listTagBindings

cloudsql.instances.migrate

cloudsql.instances.performDiskShrink

cloudsql.instances.preCheckMajorVersionUpgrade

cloudsql.instances.reencrypt

cloudsql.instances.resetReplicaSize

cloudsql.instances.restart

cloudsql.instances.rotateServerCa

cloudsql.instances.rotateServerCertificate

cloudsql.instances.truncateLog

cloudsql.instances.update

cloudsql.schemas.view

cloudsql.sslCerts.get

cloudsql.sslCerts.list

cloudsql.users.get

cloudsql.users.list

monitoring.timeSeries.list

recommender.cloudsqlIdleInstanceRecommendations.*

recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlIdleInstanceRecommendations.update

recommender.cloudsqlInstanceActivityInsights.*

recommender.cloudsqlInstanceActivityInsights.get
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceActivityInsights.update

recommender.cloudsqlInstanceCpuUsageInsights.*

recommender.cloudsqlInstanceCpuUsageInsights.get
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.update

recommender.cloudsqlInstanceDiskUsageTrendInsights.*

recommender.cloudsqlInstanceDiskUsageTrendInsights.get
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.update

recommender.cloudsqlInstanceMemoryUsageInsights.*

recommender.cloudsqlInstanceMemoryUsageInsights.get
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.update

recommender.cloudsqlInstanceOomProbabilityInsights.*

recommender.cloudsqlInstanceOomProbabilityInsights.get
recommender.cloudsqlInstanceOomProbabilityInsights.list
recommender.cloudsqlInstanceOomProbabilityInsights.update

recommender.cloudsqlInstanceOutOfDiskRecommendations.*

recommender.cloudsqlInstanceOutOfDiskRecommendations.get
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.update

recommender.cloudsqlInstancePerformanceInsights.*

recommender.cloudsqlInstancePerformanceInsights.get
recommender.cloudsqlInstancePerformanceInsights.list
recommender.cloudsqlInstancePerformanceInsights.update

recommender.cloudsqlInstancePerformanceRecommendations.*

recommender.cloudsqlInstancePerformanceRecommendations.get
recommender.cloudsqlInstancePerformanceRecommendations.list
recommender.cloudsqlInstancePerformanceRecommendations.update

recommender.cloudsqlInstanceReliabilityInsights.*

recommender.cloudsqlInstanceReliabilityInsights.get
recommender.cloudsqlInstanceReliabilityInsights.list
recommender.cloudsqlInstanceReliabilityInsights.update

recommender.cloudsqlInstanceReliabilityRecommendations.*

recommender.cloudsqlInstanceReliabilityRecommendations.get
recommender.cloudsqlInstanceReliabilityRecommendations.list
recommender.cloudsqlInstanceReliabilityRecommendations.update

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.*

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.update

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.*

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.update

recommender.cloudsqlOverprovisionedInstanceRecommendations.*

recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.update

recommender.cloudsqlUnderProvisionedInstanceRecommendations.*

recommender.cloudsqlUnderProvisionedInstanceRecommendations.get
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
recommender.cloudsqlUnderProvisionedInstanceRecommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.values.test

Cloud SQL Instance User

(roles/cloudsql.instanceUser)

Role allowing access to a Cloud SQL instance

cloudsql.instances.executeSql

cloudsql.instances.get

cloudsql.instances.login

Cloud SQL Schema Viewer

(roles/cloudsql.schemaViewer)

Role allowing access to the Cloud SQL instance schema on Dataplex

cloudsql.schemas.view

Cloud SQL Service Agent

(roles/cloudsql.serviceAgent)

Grants Cloud SQL access to services and APIs in the user project

cloudsql.instances.get

Cloud SQL Studio User

(roles/cloudsql.studioUser)

Role allowing access to Cloud SQL Studio

cloudaicompanion.companions.*

cloudaicompanion.companions.generateChat
cloudaicompanion.companions.generateCode

cloudaicompanion.instances.completeCode

cloudaicompanion.instances.generateCode

cloudsql.databases.list

cloudsql.instances.executeSql

cloudsql.instances.get

cloudsql.instances.login

cloudsql.users.list

databasesconsole.locations.*

databasesconsole.locations.get
databasesconsole.locations.list

databasesconsole.studioQueries.search

Cloud SQL Viewer

(roles/cloudsql.viewer)

Provides read-only access to Cloud SQL resources.

Lowest-level resources where you can grant this role:

Project

cloudaicompanion.entitlements.get

cloudsql.backupRuns.export

cloudsql.backupRuns.get

cloudsql.backupRuns.list

cloudsql.databases.get

cloudsql.databases.list

cloudsql.instances.export

cloudsql.instances.get

cloudsql.instances.getDiskShrinkConfig

cloudsql.instances.list

cloudsql.instances.listEffectiveTags

cloudsql.instances.listServerCas

cloudsql.instances.listServerCertificates

cloudsql.instances.listTagBindings

cloudsql.instances.preCheckMajorVersionUpgrade

cloudsql.sslCerts.get

cloudsql.sslCerts.list

cloudsql.users.get

cloudsql.users.list

monitoring.timeSeries.list

recommender.cloudsqlIdleInstanceRecommendations.get

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlInstanceActivityInsights.get

recommender.cloudsqlInstanceActivityInsights.list

recommender.cloudsqlInstanceCpuUsageInsights.get

recommender.cloudsqlInstanceCpuUsageInsights.list

recommender.cloudsqlInstanceDiskUsageTrendInsights.get

recommender.cloudsqlInstanceDiskUsageTrendInsights.list

recommender.cloudsqlInstanceMemoryUsageInsights.get

recommender.cloudsqlInstanceMemoryUsageInsights.list

recommender.cloudsqlInstanceOomProbabilityInsights.get

recommender.cloudsqlInstanceOomProbabilityInsights.list

recommender.cloudsqlInstanceOutOfDiskRecommendations.get

recommender.cloudsqlInstanceOutOfDiskRecommendations.list

recommender.cloudsqlInstancePerformanceInsights.get

recommender.cloudsqlInstancePerformanceInsights.list

recommender.cloudsqlInstancePerformanceRecommendations.get

recommender.cloudsqlInstancePerformanceRecommendations.list

recommender.cloudsqlInstanceReliabilityInsights.get

recommender.cloudsqlInstanceReliabilityInsights.list

recommender.cloudsqlInstanceReliabilityRecommendations.get

recommender.cloudsqlInstanceReliabilityRecommendations.list

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list

recommender.cloudsqlOverprovisionedInstanceRecommendations.get

recommender.cloudsqlOverprovisionedInstanceRecommendations.list

recommender.cloudsqlUnderProvisionedInstanceRecommendations.get

recommender.cloudsqlUnderProvisionedInstanceRecommendations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.values.test

Cloud SQL permissions

Permission	Included in roles
`cloudsql.backupRuns.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`cloudsql.backupRuns.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.backupRuns.export`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Viewer (`roles/cloudsql.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.backupRuns.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Viewer (`roles/cloudsql.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.backupRuns.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Viewer (`roles/cloudsql.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.backupRuns.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.databases.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Firebase Data Connect Service Agent (`roles/firebasedataconnect.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`cloudsql.databases.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`cloudsql.databases.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Viewer (`roles/cloudsql.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) Firebase Data Connect Service Agent (`roles/firebasedataconnect.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`cloudsql.databases.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Studio User (`roles/cloudsql.studioUser`) Cloud SQL Viewer (`roles/cloudsql.viewer`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`cloudsql.databases.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`cloudsql.instances.addServerCa`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.addServerCertificate`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.clone`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.connect`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Client (`roles/cloudsql.client`) Cloud SQL Editor (`roles/cloudsql.editor`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Dataproc Metastore Managed Migration Admin (`roles/metastore.migrationAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Firebase Data Connect Service Agent (`roles/firebasedataconnect.serviceAgent`) Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Health Analytics Service Agent (`roles/securitycenter.securityHealthAnalyticsServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) BigQuery Connection Service Agent (`roles/bigqueryconnection.serviceAgent`)
`cloudsql.instances.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`cloudsql.instances.createBackupDrBackup`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Backup and DR Cloud SQL Operator (`roles/backupdr.cloudSqlOperator`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Backup and DR Service Agent (`roles/backupdr.serviceAgent`)
`cloudsql.instances.createTagBinding`	Owner (`roles/owner`) Cloud SQL Admin (`roles/cloudsql.admin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Tag User (`roles/resourcemanager.tagUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`cloudsql.instances.deleteTagBinding`	Owner (`roles/owner`) Cloud SQL Admin (`roles/cloudsql.admin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Tag User (`roles/resourcemanager.tagUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.demoteMaster`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Database Migration Service Agent (`roles/datamigration.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.executeSql`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Instance User (`roles/cloudsql.instanceUser`) Cloud SQL Studio User (`roles/cloudsql.studioUser`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Database Migration Service Agent (`roles/datamigration.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.export`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Viewer (`roles/cloudsql.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Database Migration Service Agent (`roles/datamigration.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.failover`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Backup and DR Cloud SQL Operator (`roles/backupdr.cloudSqlOperator`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Client (`roles/cloudsql.client`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Instance User (`roles/cloudsql.instanceUser`) Cloud SQL Studio User (`roles/cloudsql.studioUser`) Cloud SQL Viewer (`roles/cloudsql.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Dataproc Metastore Managed Migration Admin (`roles/metastore.migrationAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Backup and DR Service Agent (`roles/backupdr.serviceAgent`) BigQuery Connection Service Agent (`roles/bigqueryconnection.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Cloud SQL Service Agent (`roles/cloudsql.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) Firebase Data Connect Service Agent (`roles/firebasedataconnect.serviceAgent`) GCP Network Management Service Agent (`roles/networkmanagement.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`)
`cloudsql.instances.getDiskShrinkConfig`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Viewer (`roles/cloudsql.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.import`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`cloudsql.instances.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Viewer (`roles/cloudsql.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) GCP Network Management Service Agent (`roles/networkmanagement.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`)
`cloudsql.instances.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Viewer (`roles/cloudsql.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.listServerCas`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Viewer (`roles/cloudsql.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.listServerCertificates`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Viewer (`roles/cloudsql.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Viewer (`roles/cloudsql.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.login`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Instance User (`roles/cloudsql.instanceUser`) Cloud SQL Studio User (`roles/cloudsql.studioUser`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dataproc Metastore Managed Migration Admin (`roles/metastore.migrationAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Database Migration Service Agent (`roles/datamigration.serviceAgent`) Firebase Data Connect Service Agent (`roles/firebasedataconnect.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.manageEncryption`	Owner (`roles/owner`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.migrate`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Database Migration Service Agent (`roles/datamigration.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.performDiskShrink`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.preCheckMajorVersionUpgrade`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Viewer (`roles/cloudsql.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.promoteReplica`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Database Migration Service Agent (`roles/datamigration.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.reencrypt`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.resetReplicaSize`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.resetSslConfig`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.restart`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`cloudsql.instances.restoreBackup`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.rotateServerCa`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.rotateServerCertificate`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.startReplica`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Database Migration Service Agent (`roles/datamigration.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.stopReplica`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Database Migration Service Agent (`roles/datamigration.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.truncateLog`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.instances.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`cloudsql.instances.updateBackupDrConfig`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.schemas.view`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Schema Viewer (`roles/cloudsql.schemaViewer`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.sslCerts.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`cloudsql.sslCerts.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`cloudsql.sslCerts.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Viewer (`roles/cloudsql.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`cloudsql.sslCerts.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Viewer (`roles/cloudsql.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.users.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Firebase Data Connect Service Agent (`roles/firebasedataconnect.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`cloudsql.users.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`cloudsql.users.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Viewer (`roles/cloudsql.viewer`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Firebase Data Connect Service Agent (`roles/firebasedataconnect.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.users.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud SQL Admin (`roles/cloudsql.admin`) Cloud SQL Editor (`roles/cloudsql.editor`) Cloud SQL Studio User (`roles/cloudsql.studioUser`) Cloud SQL Viewer (`roles/cloudsql.viewer`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Health Analytics Service Agent (`roles/securitycenter.securityHealthAnalyticsServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`cloudsql.users.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud SQL Admin (`roles/cloudsql.admin`) Databases Admin (`roles/iam.databasesAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`)

Cloud SQL roles and permissions Stay organized with collections Save and categorize content based on your preferences.

Cloud SQL roles

Cloud SQL Admin

Cloud SQL Client

Cloud SQL Editor

Cloud SQL Instance User

Cloud SQL Schema Viewer

Cloud SQL Service Agent

Cloud SQL Studio User

Cloud SQL Viewer

Cloud SQL permissions

cloudsql.backupRuns.create

cloudsql.backupRuns.delete

cloudsql.backupRuns.export

cloudsql.backupRuns.get

cloudsql.backupRuns.list

cloudsql.backupRuns.update

cloudsql.databases.create

cloudsql.databases.delete

cloudsql.databases.get

cloudsql.databases.list

cloudsql.databases.update

cloudsql.instances.addServerCa

cloudsql.instances.addServerCertificate

cloudsql.instances.clone

cloudsql.instances.connect

cloudsql.instances.create

cloudsql.instances.createBackupDrBackup

cloudsql.instances.createTagBinding

cloudsql.instances.delete

cloudsql.instances.deleteTagBinding

cloudsql.instances.demoteMaster

cloudsql.instances.executeSql

cloudsql.instances.export

cloudsql.instances.failover

cloudsql.instances.get

cloudsql.instances.getDiskShrinkConfig

cloudsql.instances.import

cloudsql.instances.list

cloudsql.instances.listEffectiveTags

cloudsql.instances.listServerCas

cloudsql.instances.listServerCertificates

cloudsql.instances.listTagBindings

cloudsql.instances.login

cloudsql.instances.manageEncryption

cloudsql.instances.migrate

cloudsql.instances.performDiskShrink

cloudsql.instances.preCheckMajorVersionUpgrade

cloudsql.instances.promoteReplica

cloudsql.instances.reencrypt

cloudsql.instances.resetReplicaSize

cloudsql.instances.resetSslConfig

cloudsql.instances.restart

cloudsql.instances.restoreBackup

cloudsql.instances.rotateServerCa

cloudsql.instances.rotateServerCertificate

cloudsql.instances.startReplica

cloudsql.instances.stopReplica

cloudsql.instances.truncateLog

cloudsql.instances.update

cloudsql.instances.updateBackupDrConfig

cloudsql.schemas.view

cloudsql.sslCerts.create

cloudsql.sslCerts.delete

cloudsql.sslCerts.get

cloudsql.sslCerts.list

cloudsql.users.create

cloudsql.users.delete

cloudsql.users.get

cloudsql.users.list

cloudsql.users.update

Cloud SQL roles and permissions

`cloudsql.backupRuns.create`

`cloudsql.backupRuns.delete`

`cloudsql.backupRuns.export`

`cloudsql.backupRuns.get`

`cloudsql.backupRuns.list`

`cloudsql.backupRuns.update`

`cloudsql.databases.create`

`cloudsql.databases.delete`

`cloudsql.databases.get`

`cloudsql.databases.list`

`cloudsql.databases.update`

`cloudsql.instances.addServerCa`

`cloudsql.instances.addServerCertificate`

`cloudsql.instances.clone`

`cloudsql.instances.connect`

`cloudsql.instances.create`

`cloudsql.instances.createBackupDrBackup`

`cloudsql.instances.createTagBinding`

`cloudsql.instances.delete`

`cloudsql.instances.deleteTagBinding`

`cloudsql.instances.demoteMaster`

`cloudsql.instances.executeSql`

`cloudsql.instances.export`

`cloudsql.instances.failover`

`cloudsql.instances.get`

`cloudsql.instances.getDiskShrinkConfig`

`cloudsql.instances.import`

`cloudsql.instances.list`

`cloudsql.instances.listEffectiveTags`

`cloudsql.instances.listServerCas`

`cloudsql.instances.listServerCertificates`

`cloudsql.instances.listTagBindings`

`cloudsql.instances.login`

`cloudsql.instances.manageEncryption`

`cloudsql.instances.migrate`

`cloudsql.instances.performDiskShrink`

`cloudsql.instances.preCheckMajorVersionUpgrade`

`cloudsql.instances.promoteReplica`

`cloudsql.instances.reencrypt`

`cloudsql.instances.resetReplicaSize`

`cloudsql.instances.resetSslConfig`

`cloudsql.instances.restart`

`cloudsql.instances.restoreBackup`

`cloudsql.instances.rotateServerCa`

`cloudsql.instances.rotateServerCertificate`

`cloudsql.instances.startReplica`

`cloudsql.instances.stopReplica`

`cloudsql.instances.truncateLog`

`cloudsql.instances.update`

`cloudsql.instances.updateBackupDrConfig`

`cloudsql.schemas.view`

`cloudsql.sslCerts.create`

`cloudsql.sslCerts.delete`

`cloudsql.sslCerts.get`

`cloudsql.sslCerts.list`

`cloudsql.users.create`

`cloudsql.users.delete`

`cloudsql.users.get`

`cloudsql.users.list`

`cloudsql.users.update`