Spanner roles and permissions

This page lists the IAM roles and permissions for Spanner. To search through all roles and permissions, see the role and permission index .

Spanner roles

Role

Permissions

Cloud Spanner Admin

( roles/ spanner.admin )

Has complete access to all Spanner resources in a Google Cloud project. A principal with this role can:

Grant and revoke permissions to other principals for all Spanner resources in the project.
Allocate and delete chargeable Spanner resources.
Issue get/list/modify operations on Cloud Spanner resources.
Read from and write to all Cloud Spanner databases in the project.
Fetch project metadata.

Lowest-level resources where you can grant this role:

Instance
Database

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms. projects. showEffectiveAutokeyConfig

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.*

spanner. backupOperations. cancel
spanner.backupOperations.get
spanner.backupOperations.list
spanner.backupSchedules.create
spanner.backupSchedules.delete
spanner.backupSchedules.get
spanner. backupSchedules. getIamPolicy
spanner.backupSchedules.list
spanner. backupSchedules. setIamPolicy
spanner.backupSchedules.update
spanner.backups.copy
spanner.backups.create
spanner.backups.delete
spanner.backups.get
spanner.backups.getIamPolicy
spanner.backups.list
spanner. backups. restoreDatabase
spanner.backups.setIamPolicy
spanner.backups.update
spanner. databaseOperations. cancel
spanner.databaseOperations.get
spanner. databaseOperations. list
spanner.databaseRoles.list
spanner.databases.adapt
spanner. databases. addSplitPoints
spanner. databases. beginOrRollbackReadWriteTransaction
spanner. databases. beginPartitionedDmlTransaction
spanner. databases. beginReadOnlyTransaction
spanner.databases.changequorum
spanner.databases.create
spanner.databases.createBackup
spanner.databases.drop
spanner.databases.get
spanner.databases.getDdl
spanner.databases.getIamPolicy
spanner.databases.list
spanner. databases. partitionQuery
spanner. databases. partitionRead
spanner.databases.read
spanner.databases.select
spanner.databases.setIamPolicy
spanner.databases.update
spanner.databases.updateDdl
spanner.databases.useDataBoost
spanner. databases. useRoleBasedAccess
spanner.databases.write
spanner. instanceConfigOperations. cancel
spanner. instanceConfigOperations. delete
spanner. instanceConfigOperations. get
spanner. instanceConfigOperations. list
spanner.instanceConfigs.create
spanner.instanceConfigs.delete
spanner.instanceConfigs.get
spanner.instanceConfigs.list
spanner.instanceConfigs.update
spanner. instanceOperations. cancel
spanner. instanceOperations. delete
spanner.instanceOperations.get
spanner. instanceOperations. list
spanner. instancePartitionOperations. cancel
spanner. instancePartitionOperations. delete
spanner. instancePartitionOperations. get
spanner. instancePartitionOperations. list
spanner. instancePartitions. create
spanner. instancePartitions. delete
spanner.instancePartitions.get
spanner. instancePartitions. list
spanner. instancePartitions. update
spanner.instances.create
spanner. instances. createTagBinding
spanner.instances.delete
spanner. instances. deleteTagBinding
spanner.instances.get
spanner.instances.getIamPolicy
spanner.instances.list
spanner. instances. listEffectiveTags
spanner. instances. listTagBindings
spanner.instances.setIamPolicy
spanner.instances.update
spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

Cloud Spanner Backup Admin

( roles/ spanner.backupAdmin )

A principal with this role can:

Create, view, update, and delete backups.
View and manage a backup's allow policy.

This role cannot restore a database from a backup.

Lowest-level resources where you can grant this role:

Instance
Database

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.backupOperations.*

spanner. backupOperations. cancel
spanner.backupOperations.get
spanner.backupOperations.list

spanner.backupSchedules.create

spanner.backupSchedules.delete

spanner.backupSchedules.get

spanner.backupSchedules.list

spanner.backupSchedules.update

spanner.backups.copy

spanner.backups.create

spanner.backups.delete

spanner.backups.get

spanner.backups.getIamPolicy

spanner.backups.list

spanner.backups.setIamPolicy

spanner.backups.update

spanner.databases.createBackup

spanner.databases.get

spanner.databases.list

spanner.instancePartitions.get

spanner. instancePartitions. list

spanner. instances. createTagBinding

spanner. instances. deleteTagBinding

spanner.instances.get

spanner.instances.list

spanner. instances. listEffectiveTags

spanner. instances. listTagBindings

Cloud Spanner Backup Writer

( roles/ spanner.backupWriter )

This role is intended to be used by scripts that automate backup creation. A principal with this role can create backups, but cannot update or delete them.

Lowest-level resources where you can grant this role:

Instance
Database

spanner.backupOperations.get

spanner.backupOperations.list

spanner.backupSchedules.create

spanner.backupSchedules.get

spanner.backupSchedules.list

spanner.backups.copy

spanner.backups.create

spanner.backups.get

spanner.backups.list

spanner.databases.createBackup

spanner.databases.get

spanner.databases.list

spanner.instancePartitions.get

spanner.instances.get

Cloud Spanner Database Admin

( roles/ spanner.databaseAdmin )

A principal with this role can:

Get/list all Spanner instances in the project.
Create/list/drop databases in an instance.
Grant/revoke access to databases in the project.
Read from and write to all Cloud Spanner databases in the project.

Lowest-level resources where you can grant this role:

Instance
Database

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms. projects. showEffectiveAutokeyConfig

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.databaseOperations.*

spanner. databaseOperations. cancel
spanner.databaseOperations.get
spanner. databaseOperations. list

spanner.databaseRoles.list

spanner.databases.adapt

spanner. databases. addSplitPoints

spanner. databases. beginOrRollbackReadWriteTransaction

spanner. databases. beginPartitionedDmlTransaction

spanner. databases. beginReadOnlyTransaction

spanner.databases.changequorum

spanner.databases.create

spanner.databases.drop

spanner.databases.get

spanner.databases.getDdl

spanner.databases.getIamPolicy

spanner.databases.list

spanner. databases. partitionQuery

spanner. databases. partitionRead

spanner.databases.read

spanner.databases.select

spanner.databases.setIamPolicy

spanner.databases.update

spanner.databases.updateDdl

spanner.databases.useDataBoost

spanner. databases. useRoleBasedAccess

spanner.databases.write

spanner.instancePartitions.get

spanner. instancePartitions. list

spanner. instances. createTagBinding

spanner. instances. deleteTagBinding

spanner.instances.get

spanner.instances.getIamPolicy

spanner.instances.list

spanner. instances. listEffectiveTags

spanner. instances. listTagBindings

spanner.sessions.*

spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

Cloud Spanner Database Reader

( roles/ spanner.databaseReader )

A principal with this role can:

Read from the Spanner database.
Execute SQL queries on the database.
View schema for the database.

Lowest-level resources where you can grant this role:

Instance
Database

monitoring.timeSeries.create

spanner. databases. beginReadOnlyTransaction

spanner.databases.getDdl

spanner. databases. partitionQuery

spanner. databases. partitionRead

spanner.databases.read

spanner.databases.select

spanner.instancePartitions.get

spanner.instances.get

spanner.sessions.*

spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

Cloud Spanner Database Reader with DataBoost

( roles/ spanner.databaseReaderWithDataBoost )

Includes all permissions in the spanner.databaseReader role enabling access to read and/or query a Cloud Spanner database using instance resources, as well as the permission to access the database with Data Boost, a fully managed serverless service that provides independent compute resources.

Lowest-level resources where you can grant this role:

Instance
Database

monitoring.timeSeries.create

spanner. databases. beginReadOnlyTransaction

spanner.databases.getDdl

spanner. databases. partitionQuery

spanner. databases. partitionRead

spanner.databases.read

spanner.databases.select

spanner.databases.useDataBoost

spanner.instancePartitions.get

spanner.instances.get

spanner.sessions.*

spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

Cloud Spanner Database Role User

( roles/ spanner.databaseRoleUser )

In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`.

Lowest-level resources where you can grant this role:

Instance
Database

Cloud Spanner Database User

( roles/ spanner.databaseUser )

A principal with this role can:

Read from and write to the Spanner database.
Execute SQL queries on the database, including DML and Partitioned DML.
View and update schema for the database.

Lowest-level resources where you can grant this role:

Instance
Database

monitoring.timeSeries.create

spanner.databaseOperations.*

spanner. databaseOperations. cancel
spanner.databaseOperations.get
spanner. databaseOperations. list

spanner.databases.adapt

spanner. databases. beginOrRollbackReadWriteTransaction

spanner. databases. beginPartitionedDmlTransaction

spanner. databases. beginReadOnlyTransaction

spanner.databases.changequorum

spanner.databases.getDdl

spanner. databases. partitionQuery

spanner. databases. partitionRead

spanner.databases.read

spanner.databases.select

spanner.databases.updateDdl

spanner.databases.write

spanner.instancePartitions.get

spanner.instances.get

spanner.sessions.*

spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

Cloud Spanner Fine-grained Access User

( roles/ spanner.fineGrainedAccessUser )

Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the `roles/spanner.databaseRoleUser` IAM role and its necessary conditions.

Lowest-level resources where you can grant this role:

Instance
Database

spanner.databaseRoles.list

spanner. databases. useRoleBasedAccess

Cloud Spanner Restore Admin

( roles/ spanner.restoreAdmin )

A principal with this role can restore databases from backups.

If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups.

Lowest-level resources where you can grant this role:

Instance
Database

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.backups.get

spanner.backups.list

spanner. backups. restoreDatabase

spanner.databaseOperations.*

spanner. databaseOperations. cancel
spanner.databaseOperations.get
spanner. databaseOperations. list

spanner.databases.create

spanner.databases.get

spanner.databases.list

spanner.instancePartitions.get

spanner. instancePartitions. list

spanner. instances. createTagBinding

spanner. instances. deleteTagBinding

spanner.instances.get

spanner.instances.list

spanner. instances. listEffectiveTags

spanner. instances. listTagBindings

Cloud Spanner API Service Agent

( roles/ spanner.serviceAgent )

Cloud Spanner API Service Agent

aiplatform.endpoints.get

aiplatform.endpoints.list

aiplatform.endpoints.predict

aiplatform.models.get

aiplatform.models.list

compute.disks.create

compute.disks.createTagBinding

compute.disks.use

compute.instances.create

compute. instances. createTagBinding

compute.instances.delete

compute.instances.get

compute.instances.setLabels

compute.instances.setMetadata

compute. instances. setServiceAccount

compute.networks.create

compute.networks.use

compute.networks.useExternalIp

compute.subnetworks.create

compute.subnetworks.use

compute. subnetworks. useExternalIp

logging.logEntries.create

spanner. databases. beginReadOnlyTransaction

spanner. databases. partitionQuery

spanner.databases.select

spanner.databases.useDataBoost

spanner.sessions.create

storage.buckets.create

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

Cloud Spanner Viewer

( roles/ spanner.viewer )

A principal with this role can:

View all Spanner instances (but cannot modify instances).
View all Spanner databases (but cannot modify or read from databases).

For example, you can combine this role with the roles/spanner.databaseUser role to grant a user with access to a specific database, but only view access to other instances and databases.

This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud console.

Lowest-level resources where you can grant this role:

Instance
Database

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.databases.list

spanner.instanceConfigs.get

spanner.instanceConfigs.list

spanner.instancePartitions.get

spanner. instancePartitions. list

spanner.instances.get

spanner.instances.list

spanner. instances. listEffectiveTags

spanner. instances. listTagBindings

Spanner permissions

Permission

Included in roles

`spanner. backupOperations. cancel`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

`spanner.backupOperations.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Backup Writer ( roles/ spanner.backupWriter )

`spanner.backupOperations.list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Backup Writer ( roles/ spanner.backupWriter )

`spanner.backupSchedules.create`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Backup Writer ( roles/ spanner.backupWriter )

`spanner.backupSchedules.delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

`spanner.backupSchedules.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Backup Writer ( roles/ spanner.backupWriter )

`spanner. backupSchedules. getIamPolicy`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner.backupSchedules.list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Backup Writer ( roles/ spanner.backupWriter )

`spanner. backupSchedules. setIamPolicy`

Owner ( roles/ owner )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner.backupSchedules.update`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

`spanner.backups.copy`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Backup Writer ( roles/ spanner.backupWriter )

`spanner.backups.create`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Backup Writer ( roles/ spanner.backupWriter )

`spanner.backups.delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

`spanner.backups.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Backup Writer ( roles/ spanner.backupWriter )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

`spanner.backups.getIamPolicy`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

`spanner.backups.list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Backup Writer ( roles/ spanner.backupWriter )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

`spanner. backups. restoreDatabase`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

`spanner.backups.setIamPolicy`

Owner ( roles/ owner )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

`spanner.backups.update`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

`spanner. databaseOperations. cancel`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner.databaseOperations.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )
Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )

`spanner. databaseOperations. list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner.databaseRoles.list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Fine-grained Access User ( roles/ spanner.fineGrainedAccessUser )

`spanner.databases.adapt`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner. databases. addSplitPoints`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

`spanner. databases. beginOrRollbackReadWriteTransaction`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner. databases. beginPartitionedDmlTransaction`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner. databases. beginReadOnlyTransaction`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Data Scientist ( roles/ iam.dataScientist )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database Reader ( roles/ spanner.databaseReader )

Cloud Spanner Database Reader with DataBoost ( roles/ spanner.databaseReaderWithDataBoost )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Service agent roles

Datastream Service Agent ( roles/ datastream.serviceAgent )
Discovery Engine Service Agent ( roles/ discoveryengine.serviceAgent )
Cloud Spanner API Service Agent ( roles/ spanner.serviceAgent )
Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner.databases.changequorum`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner.databases.create`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

Service agent roles

Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )

`spanner.databases.createBackup`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Backup Writer ( roles/ spanner.backupWriter )

`spanner.databases.drop`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Service agent roles

Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )

`spanner.databases.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Backup Writer ( roles/ spanner.backupWriter )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

Service agent roles

Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )

`spanner.databases.getDdl`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Data Scientist ( roles/ iam.dataScientist )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database Reader ( roles/ spanner.databaseReader )

Cloud Spanner Database Reader with DataBoost ( roles/ spanner.databaseReaderWithDataBoost )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Service agent roles

Datastream Service Agent ( roles/ datastream.serviceAgent )
Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner.databases.getIamPolicy`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

`spanner.databases.list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Site Reliability Engineer ( roles/ iam.siteReliabilityEngineer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Backup Writer ( roles/ spanner.backupWriter )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

Cloud Spanner Viewer ( roles/ spanner.viewer )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner. databases. partitionQuery`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Data Scientist ( roles/ iam.dataScientist )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database Reader ( roles/ spanner.databaseReader )

Cloud Spanner Database Reader with DataBoost ( roles/ spanner.databaseReaderWithDataBoost )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Service agent roles

Datastream Service Agent ( roles/ datastream.serviceAgent )
Discovery Engine Service Agent ( roles/ discoveryengine.serviceAgent )
Cloud Spanner API Service Agent ( roles/ spanner.serviceAgent )
Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner. databases. partitionRead`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Data Scientist ( roles/ iam.dataScientist )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database Reader ( roles/ spanner.databaseReader )

Cloud Spanner Database Reader with DataBoost ( roles/ spanner.databaseReaderWithDataBoost )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Service agent roles

Datastream Service Agent ( roles/ datastream.serviceAgent )
Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner.databases.read`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Data Scientist ( roles/ iam.dataScientist )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database Reader ( roles/ spanner.databaseReader )

Cloud Spanner Database Reader with DataBoost ( roles/ spanner.databaseReaderWithDataBoost )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Service agent roles

Datastream Service Agent ( roles/ datastream.serviceAgent )
Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner.databases.select`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Data Scientist ( roles/ iam.dataScientist )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database Reader ( roles/ spanner.databaseReader )

Cloud Spanner Database Reader with DataBoost ( roles/ spanner.databaseReaderWithDataBoost )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Service agent roles

Datastream Service Agent ( roles/ datastream.serviceAgent )
Discovery Engine Service Agent ( roles/ discoveryengine.serviceAgent )
Cloud Spanner API Service Agent ( roles/ spanner.serviceAgent )
Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner.databases.setIamPolicy`

Owner ( roles/ owner )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

`spanner.databases.update`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

`spanner.databases.updateDdl`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )
Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )

`spanner.databases.useDataBoost`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database Reader with DataBoost ( roles/ spanner.databaseReaderWithDataBoost )

Service agent roles

Discovery Engine Service Agent ( roles/ discoveryengine.serviceAgent )
Cloud Spanner API Service Agent ( roles/ spanner.serviceAgent )
Datastream Service Agent ( roles/ datastream.serviceAgent )

`spanner. databases. useRoleBasedAccess`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Fine-grained Access User ( roles/ spanner.fineGrainedAccessUser )

Service agent roles

Datastream Service Agent ( roles/ datastream.serviceAgent )

`spanner.databases.write`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner. instanceConfigOperations. cancel`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner. instanceConfigOperations. delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner. instanceConfigOperations. get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner. instanceConfigOperations. list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner.instanceConfigs.create`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner.instanceConfigs.delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner.instanceConfigs.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Site Reliability Engineer ( roles/ iam.siteReliabilityEngineer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Viewer ( roles/ spanner.viewer )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner.instanceConfigs.list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Site Reliability Engineer ( roles/ iam.siteReliabilityEngineer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Viewer ( roles/ spanner.viewer )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner.instanceConfigs.update`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner. instanceOperations. cancel`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner. instanceOperations. delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner.instanceOperations.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Service agent roles

Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )

`spanner. instanceOperations. list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner. instancePartitionOperations. cancel`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner. instancePartitionOperations. delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner. instancePartitionOperations. get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner. instancePartitionOperations. list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner. instancePartitions. create`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner. instancePartitions. delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner.instancePartitions.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Data Scientist ( roles/ iam.dataScientist )

Databases Admin ( roles/ iam.databasesAdmin )

Site Reliability Engineer ( roles/ iam.siteReliabilityEngineer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Backup Writer ( roles/ spanner.backupWriter )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database Reader ( roles/ spanner.databaseReader )

Cloud Spanner Database Reader with DataBoost ( roles/ spanner.databaseReaderWithDataBoost )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

Cloud Spanner Viewer ( roles/ spanner.viewer )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner. instancePartitions. list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Site Reliability Engineer ( roles/ iam.siteReliabilityEngineer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

Cloud Spanner Viewer ( roles/ spanner.viewer )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner. instancePartitions. update`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner.instances.create`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Service agent roles

Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )

`spanner. instances. createTagBinding`

Owner ( roles/ owner )

DLP Organization Data Profiles Driver ( roles/ dlp.orgdriver )

DLP Project Data Profiles Driver ( roles/ dlp.projectdriver )

Databases Admin ( roles/ iam.databasesAdmin )

Tag User ( roles/ resourcemanager.tagUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

`spanner.instances.delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Service agent roles

Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )

`spanner. instances. deleteTagBinding`

Owner ( roles/ owner )

DLP Organization Data Profiles Driver ( roles/ dlp.orgdriver )

DLP Project Data Profiles Driver ( roles/ dlp.projectdriver )

Databases Admin ( roles/ iam.databasesAdmin )

Tag User ( roles/ resourcemanager.tagUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

`spanner.instances.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Data Scientist ( roles/ iam.dataScientist )

Databases Admin ( roles/ iam.databasesAdmin )

Site Reliability Engineer ( roles/ iam.siteReliabilityEngineer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Backup Writer ( roles/ spanner.backupWriter )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database Reader ( roles/ spanner.databaseReader )

Cloud Spanner Database Reader with DataBoost ( roles/ spanner.databaseReaderWithDataBoost )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

Cloud Spanner Viewer ( roles/ spanner.viewer )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )
Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )

`spanner.instances.getIamPolicy`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

`spanner.instances.list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Site Reliability Engineer ( roles/ iam.siteReliabilityEngineer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

Cloud Spanner Viewer ( roles/ spanner.viewer )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner. instances. listEffectiveTags`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

DLP Organization Data Profiles Driver ( roles/ dlp.orgdriver )

DLP Project Data Profiles Driver ( roles/ dlp.projectdriver )

Databases Admin ( roles/ iam.databasesAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Site Reliability Engineer ( roles/ iam.siteReliabilityEngineer )

Support User ( roles/ iam.supportUser )

Tag User ( roles/ resourcemanager.tagUser )

Tag Viewer ( roles/ resourcemanager.tagViewer )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

Cloud Spanner Viewer ( roles/ spanner.viewer )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner. instances. listTagBindings`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

DLP Organization Data Profiles Driver ( roles/ dlp.orgdriver )

DLP Project Data Profiles Driver ( roles/ dlp.projectdriver )

Databases Admin ( roles/ iam.databasesAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Site Reliability Engineer ( roles/ iam.siteReliabilityEngineer )

Support User ( roles/ iam.supportUser )

Tag User ( roles/ resourcemanager.tagUser )

Tag Viewer ( roles/ resourcemanager.tagViewer )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Backup Admin ( roles/ spanner.backupAdmin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Restore Admin ( roles/ spanner.restoreAdmin )

Cloud Spanner Viewer ( roles/ spanner.viewer )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner.instances.setIamPolicy`

Owner ( roles/ owner )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

`spanner.instances.update`

Owner ( roles/ owner )

Editor ( roles/ editor )

Databases Admin ( roles/ iam.databasesAdmin )

Cloud Spanner Admin ( roles/ spanner.admin )

Service agent roles

Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )

`spanner.sessions.create`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Data Scientist ( roles/ iam.dataScientist )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database Reader ( roles/ spanner.databaseReader )

Cloud Spanner Database Reader with DataBoost ( roles/ spanner.databaseReaderWithDataBoost )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Service agent roles

Datastream Service Agent ( roles/ datastream.serviceAgent )
Discovery Engine Service Agent ( roles/ discoveryengine.serviceAgent )
Cloud Spanner API Service Agent ( roles/ spanner.serviceAgent )
Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner.sessions.delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Data Scientist ( roles/ iam.dataScientist )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database Reader ( roles/ spanner.databaseReader )

Cloud Spanner Database Reader with DataBoost ( roles/ spanner.databaseReaderWithDataBoost )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Service agent roles

Datastream Service Agent ( roles/ datastream.serviceAgent )
Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner.sessions.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Data Scientist ( roles/ iam.dataScientist )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database Reader ( roles/ spanner.databaseReader )

Cloud Spanner Database Reader with DataBoost ( roles/ spanner.databaseReaderWithDataBoost )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Service agent roles

Datastream Service Agent ( roles/ datastream.serviceAgent )
Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )

`spanner.sessions.list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Data Scientist ( roles/ iam.dataScientist )

Databases Admin ( roles/ iam.databasesAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Cloud Spanner Admin ( roles/ spanner.admin )

Cloud Spanner Database Admin ( roles/ spanner.databaseAdmin )

Cloud Spanner Database Reader ( roles/ spanner.databaseReader )

Cloud Spanner Database Reader with DataBoost ( roles/ spanner.databaseReaderWithDataBoost )

Cloud Spanner Database User ( roles/ spanner.databaseUser )

Service agent roles

Cloud Data Fusion API Service Agent ( roles/ datafusion.serviceAgent )