Required permissions for common tasks in the Google Cloud console
For a list of roles and their associated permissions, see Cloud SQL roles.
Task | Required additional permissions |
---|---|
Display the instance listing page | cloudsql.instances.list, resourcemanager.projects.get |
Create an instance | cloudsql.instances.create, cloudsql.instances.get, cloudsql.instances.list, resourcemanager.projects.get, compute.machineTypes.list, compute.machineTypes.get, compute.projects.get, roles/compute.viewer |
Connect to an instance from the Cloud Shell | cloudsql.instances.get, cloudsql.instances.list, cloudsql.instances.update, resourcemanager.projects.get |
Create a user | cloudsql.instances.get, cloudsql.instances.list, cloudsql.users.create, cloudsql.users.list, resourcemanager.projects.get |
View instance information | cloudsql.databases.list, cloudsql.instances.get, cloudsql.instances.list, cloudsql.users.list, monitoring.timeSeries.list, resourcemanager.projects.get |
List the operations of an instance | cloudsql.instances.list |
Get the operations of an instance | cloudsql.instances.get |
Get the operations of a project | cloudsql.instances.get |
View instance metadata in Dataplex Universal Catalog | cloudsql.schemas.view |
List final backups | cloudsql.backupRuns.list |
Describe a final backup | cloudsql.backupRuns.get |
Update a final backup | cloudsql.backupRuns.update |
Restore a final backup to a new instance | cloudsql.backupRuns.get, cloudsql.instances.restoreBackup, cloudsql.instances.create |
Restore a final backup to an existing instance | cloudsql.backupRuns.get, cloudsql.instances.restoreBackup |
Delete a final backup | cloudsql.backupRuns.delete |

Required permissions for gcloud sql commands
Command | Required permissions |
---|---|
gcloud sql backups create | cloudsql.backupRuns.create |
gcloud sql backups delete | cloudsql.backupRuns.delete |
gcloud sql backups describe | cloudsql.backupRuns.get |
gcloud sql backups list | cloudsql.backupRuns.list |
gcloud sql backups restore | cloudsql.backupRuns.get, cloudsql.instances.restoreBackup |
gcloud sql connect | cloudsql.instances.get, cloudsql.instances.update |
gcloud sql databases create | cloudsql.databases.create |
gcloud sql databases delete | cloudsql.databases.delete |
gcloud sql databases describe | cloudsql.databases.get |
gcloud sql databases list | cloudsql.databases.list |
gcloud sql databases patch | cloudsql.databases.get, cloudsql.databases.update |
gcloud sql export | cloudsql.instances.export, cloudsql.instances.get |
gcloud sql flags list | None |
gcloud sql import | cloudsql.instances.import |
gcloud sql instances clone | cloudsql.instances.clone |
gcloud sql instances create | cloudsql.instances.create |
gcloud sql instances delete | cloudsql.instances.delete |
gcloud sql instances describe | cloudsql.instances.get |
gcloud sql instances failover | cloudsql.instances.failover |
gcloud sql instances import | cloudsql.instances.import |
gcloud sql instances list | cloudsql.instances.list |
gcloud sql instances patch | cloudsql.instances.get, cloudsql.instances.update |
gcloud sql instances promote-replica | cloudsql.instances.promoteReplica |
gcloud sql instances reset-ssl-config | cloudsql.instances.resetSslConfig |
gcloud sql instances restart | cloudsql.instances.restart |
gcloud sql instances restore-backup | cloudsql.backupRuns.get, cloudsql.instances.restoreBackup |
gcloud sql operations describe | cloudsql.instances.get |
gcloud sql operations list | cloudsql.instances.get |
gcloud sql operations wait | cloudsql.instances.get |
gcloud sql ssl client-certs create | cloudsql.sslCerts.create |
gcloud sql ssl client-certs delete | cloudsql.sslCerts.delete |
gcloud sql ssl client-certs describe | cloudsql.sslCerts.list |
gcloud sql ssl client-certs list | cloudsql.sslCerts.list |
gcloud sql tiers list | None |
gcloud sql users create | cloudsql.users.create |
gcloud sql users delete | cloudsql.users.delete |
gcloud sql users list | cloudsql.users.list |
gcloud sql users set-password | cloudsql.users.update |
gcloud sql operations list | cloudsql.instances.list |
gcloud sql operations get | cloudsql.instances.get |

Required permissions for Cloud SQL Admin API methods
The following table lists the permissions that the caller must have to call each method in the Cloud SQL Admin API, or to perform tasks using Google Cloud tools that use the API (such as the Google Cloud console or the gcloud command-line tool).
For more information, see Authorizing requests with OAuth 2.0. All permissions are applied to the project. You cannot apply different permissions based on the instance or other lower-level object.
Method | Required permissions |
---|---|
backups.deleteBackup | cloudsql.backupRuns.delete |
backups.getBackup | cloudsql.backupRuns.get |
backups.updateBackup | cloudsql.backupRuns.update |
backups.listBackups | cloudsql.backupRuns.list |
backups.createBackup | cloudsql.backupRuns.create |
databases.delete | cloudsql.databases.delete |
databases.get | cloudsql.databases.get |
databases.insert | cloudsql.databases.create |
databases.list | cloudsql.databases.list |
databases.patch | cloudsql.databases.update, cloudsql.databases.get |
databases.update | cloudsql.databases.update |
flags.list | None |
instances.clone | cloudsql.instances.clone |
instances.delete | cloudsql.instances.delete |
instances.export | cloudsql.instances.export |
instances.failover | cloudsql.instances.failover |
instances.get | cloudsql.instances.get |
instances.import | cloudsql.instances.import |
instances.insert | cloudsql.instances.create |
instances.list | cloudsql.instances.list |
instances.patch | cloudsql.instances.get, cloudsql.instances.update |
instances.promoteReplica | cloudsql.instances.promoteReplica |
instances.resetSslConfig | cloudsql.instances.resetSslConfig |
instances.restart | cloudsql.instances.restart |
instances.restoreBackup | cloudsql.instances.restoreBackup, cloudsql.backupRuns.get |
instances.startReplica | cloudsql.instances.startReplica |
instances.stopReplica | cloudsql.instances.stopReplica |
instances.truncateLog | cloudsql.instances.truncateLog |
instances.update | cloudsql.instances.update |
operations.get | cloudsql.instances.get |
operations.get | cloudsql.instances.get |
operations.list | cloudsql.instances.get |
operations.list | cloudsql.instances.list |
sslCerts.delete | cloudsql.sslCerts.delete |
sslCerts.get | cloudsql.sslCerts.get |
sslCerts.insert | cloudsql.sslCerts.create |
sslCerts.list | cloudsql.sslCerts.list |
users.delete | cloudsql.users.delete |
users.insert | cloudsql.users.create |
users.list | cloudsql.users.list |
users.update | cloudsql.users.update |