Required permissions for common tasks in the Google Cloud console
For a list of roles and their associated permissions, see Cloud SQL roles.
Task | Required additional permissions |
---|---|
Display the instance listing page | cloudsql.instances.list, resourcemanager.projects.get |
Create an instance | cloudsql.instances.create, cloudsql.instances.get, cloudsql.instances.list, resourcemanager.projects.get |
Connect to an instance from the Cloud Shell | cloudsql.instances.get, cloudsql.instances.list, cloudsql.instances.update, resourcemanager.projects.get |
Create a user | cloudsql.instances.get, cloudsql.instances.list, cloudsql.users.create, cloudsql.users.list, resourcemanager.projects.get |
View instance information | cloudsql.databases.list, cloudsql.instances.get, cloudsql.instances.list, cloudsql.users.list, monitoring.timeSeries.list, resourcemanager.projects.get |
List the operations of an instance | cloudsql.instances.list |
Get the operations of an instance | cloudsql.instances.get |
Get the operations of a project | cloudsql.instances.get |
View instance metadata in Dataplex Catalog | cloudsql.schemas.view |
List final backups | cloudsql.backupRuns.list |
Describe a final backup | cloudsql.backupRuns.get |
Update a final backup | cloudsql.backupRuns.update |
Restore a final backup to a new instance | cloudsql.backupRuns.get, cloudsql.instances.restoreBackup, cloudsql.instances.create |
Restore a final backup to an existing instance | cloudsql.backupRuns.get, cloudsql.instances.restoreBackup |
Delete a final backup | cloudsql.backupRuns.delete |
Required permissions for gcloud sql commands
Command | Required permissions |
---|---|
gcloud sql backups create | cloudsql.backupRuns.create |
gcloud sql backups delete | cloudsql.backupRuns.delete |
gcloud sql backups describe | cloudsql.backupRuns.get |
gcloud sql backups list | cloudsql.backupRuns.list |
gcloud sql backups restore | cloudsql.backupRuns.get, cloudsql.instances.restoreBackup |
gcloud sql connect | cloudsql.instances.get, cloudsql.instances.update |
gcloud sql databases create | cloudsql.databases.create |
gcloud sql databases delete | cloudsql.databases.delete |
gcloud sql databases describe | cloudsql.databases.get |
gcloud sql databases list | cloudsql.databases.list |
gcloud sql databases patch | cloudsql.databases.get, cloudsql.databases.update |
gcloud sql export | cloudsql.instances.export, cloudsql.instances.get |
gcloud sql flags list | None |
gcloud sql import | cloudsql.instances.import |
gcloud sql instances clone | cloudsql.instances.clone |
gcloud sql instances create | cloudsql.instances.create |
gcloud sql instances delete | cloudsql.instances.delete |
gcloud sql instances describe | cloudsql.instances.get |
gcloud sql instances failover | cloudsql.instances.failover |
gcloud sql instances import | cloudsql.instances.import |
gcloud sql instances list | cloudsql.instances.list |
gcloud sql instances patch | cloudsql.instances.get, cloudsql.instances.update |
gcloud sql instances promote-replica | cloudsql.instances.promoteReplica |
gcloud sql instances reset-ssl-config | cloudsql.instances.resetSslConfig |
gcloud sql instances restart | cloudsql.instances.restart |
gcloud sql instances restore-backup | cloudsql.backupRuns.get, cloudsql.instances.restoreBackup |
gcloud sql operations describe | cloudsql.instances.get |
gcloud sql operations list | cloudsql.instances.get |
gcloud sql operations wait | cloudsql.instances.get |
gcloud sql ssl client-certs create | cloudsql.sslCerts.create |
gcloud sql ssl client-certs delete | cloudsql.sslCerts.delete |
gcloud sql ssl client-certs describe | cloudsql.sslCerts.list |
gcloud sql ssl client-certs list | cloudsql.sslCerts.list |
gcloud sql tiers list | None |
gcloud sql users create | cloudsql.users.create |
gcloud sql users delete | cloudsql.users.delete |
gcloud sql users list | cloudsql.users.list |
gcloud sql users set-password | cloudsql.users.update |
gcloud sql operations list | cloudsql.instances.list |
gcloud sql operations get | cloudsql.instances.get |
Required permissions for Cloud SQL Admin API methods
The following table lists the permissions that the caller must have to call each method in the Cloud SQL Admin API, or to perform tasks using Google Cloud tools that use the API (such as the Google Cloud console or the gcloud command-line tool).
For more information, see Authorizing requests with OAuth 2.0. All permissions are applied to the project. You cannot apply different permissions based on the instance or other lower-level object.
Method | Required permissions |
---|---|
backups.deleteBackup | cloudsql.backupRuns.delete |
backups.getBackup | cloudsql.backupRuns.get |
backups.updateBackup | cloudsql.backupRuns.update |
backups.listBackups | cloudsql.backupRuns.list |
backups.createBackup | cloudsql.backupRuns.create |
databases.delete | cloudsql.databases.delete |
databases.get | cloudsql.databases.get |
databases.insert | cloudsql.databases.create |
databases.list | cloudsql.databases.list |
databases.patch | cloudsql.databases.update, cloudsql.databases.get |
databases.update | cloudsql.databases.update |
flags.list | None |
instances.clone | cloudsql.instances.clone |
instances.delete | cloudsql.instances.delete |
instances.export | cloudsql.instances.export |
instances.failover | cloudsql.instances.failover |
instances.get | cloudsql.instances.get |
instances.import | cloudsql.instances.import |
instances.insert | cloudsql.instances.create |
instances.list | cloudsql.instances.list |
instances.patch | cloudsql.instances.get, cloudsql.instances.update |
instances.promoteReplica | cloudsql.instances.promoteReplica |
instances.resetSslConfig | cloudsql.instances.resetSslConfig |
instances.restart | cloudsql.instances.restart |
instances.restoreBackup | cloudsql.instances.restoreBackup, cloudsql.backupRuns.get |
instances.startReplica | cloudsql.instances.startReplica |
instances.stopReplica | cloudsql.instances.stopReplica |
instances.truncateLog | cloudsql.instances.truncateLog |
instances.update | cloudsql.instances.update |
operations.get | cloudsql.instances.get |
operations.get | cloudsql.instances.get |
operations.list | cloudsql.instances.get |
operations.list | cloudsql.instances.list |
sslCerts.delete | cloudsql.sslCerts.delete |
sslCerts.get | cloudsql.sslCerts.get |
sslCerts.insert | cloudsql.sslCerts.create |
sslCerts.list | cloudsql.sslCerts.list |
users.delete | cloudsql.users.delete |
users.insert | cloudsql.users.create |
users.list | cloudsql.users.list |
users.update | cloudsql.users.update |