Cloud Spanner administration
When considering any database solution, price and security tend to be major factors. For Cloud Spanner, security is largely provided through Google Cloud IAM. Cloud Spanner supports resource-specific IAM policies at the instance and database level, meaning project administrators can control which services and users can read, write, or modify the schema of each database within a given instance. As stated earlier in this chapter, it is a common pattern to maintain a single Cloud Spanner instance for a given project and simply control access at the database layer. Keep in mind that IAM policies are inherited down the resource hierarchy (project, then instance, then database) and that the effective permissions are the union of all bindings along that chain, so database-level control is only as tight as the bindings granted at the instance and project levels above it.
Cloud Spanner IAM Roles
In addition to the three primitive IAM roles (owner, editor, viewer; Google now refers to these as basic roles), Cloud Spanner supports five product-specific IAM roles:
- roles/spanner.admin: Full control over one or more instances
- roles/spanner.databaseAdmin: Full control over all databases within an instance
- roles/spanner.databaseReader: Read-only access to data and schema, including executing SQL queries
- roles/spanner.databaseUser: Full CRUD and DDL support for one or more databases
- roles...
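To make the inheritance point concrete, the following is an added example (not code from the book or from Google) that takes the IAM policy documents of a project, an instance and a database, in the shape that `gcloud spanner databases get-iam-policy` prints, and works out who can actually read, write or run DDL against that database. The role-to-capability table is a deliberate simplification derived from the role descriptions above; it is an assumption, not the authoritative permission list for each role. The project, principals and bindings are constructed sample data.

```python
"""Resolve effective Cloud Spanner database access across the IAM hierarchy
(project -> instance -> database) and flag grants that undermine the
'control access at the database layer' pattern. Added example; the role
table is a simplification, not Google's permission catalogue."""
from typing import Dict, List, Set

# Capabilities per role, derived from the role descriptions in this chapter.
# Assumption/simplification: real roles carry many fine-grained permissions;
# only data read, data write and schema change (DDL) are tracked here.
ROLE_CAPS: Dict[str, Set[str]] = {
    "roles/owner": {"read", "write", "ddl"},
    "roles/editor": {"read", "write", "ddl"},
    "roles/viewer": {"read"},
    "roles/spanner.admin": {"read", "write", "ddl"},
    "roles/spanner.databaseAdmin": {"read", "write", "ddl"},
    "roles/spanner.databaseUser": {"read", "write", "ddl"},
    "roles/spanner.databaseReader": {"read"},
}

# Ancestor chain, outermost first. A binding at any level applies to the
# database; a lower level cannot take away what an upper level granted.
LEVELS = ("project", "instance", "database")

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

Policies = Dict[str, dict]  # level name -> IAM policy document for that level


def bound_roles(policies: Policies, member: str) -> Dict[str, str]:
    """Return {role: level} for every role bound to `member` in the chain.
    The recorded level is the outermost one that grants that role."""
    found: Dict[str, str] = {}
    for level in LEVELS:
        for binding in policies.get(level, {}).get("bindings", []):
            if member in binding.get("members", []):
                found.setdefault(binding["role"], level)
    return found


def effective_caps(policies: Policies, member: str) -> Set[str]:
    """Union of capabilities over every inherited role; roles not in the
    table (e.g. unrelated product roles) contribute nothing here."""
    caps: Set[str] = set()
    for role in bound_roles(policies, member):
        caps |= ROLE_CAPS.get(role, set())
    return caps


def all_members(policies: Policies) -> Set[str]:
    """Every principal named in any policy of the chain."""
    return {m for p in policies.values()
            for b in p.get("bindings", []) for m in b.get("members", [])}


def audit_database(policies: Policies) -> List[str]:
    """Findings a reviewer wants before trusting database-level control:
    write/DDL capability inherited from above the database, and any public
    principal. Group members are not expanded and IAM conditions are ignored."""
    findings: List[str] = []
    for member in sorted(all_members(policies)):
        if member in PUBLIC_MEMBERS:
            findings.append(f"{member} is bound: database is exposed publicly")
        for role, level in sorted(bound_roles(policies, member).items()):
            if level != "database" and ROLE_CAPS.get(role, set()) & {"write", "ddl"}:
                findings.append(f"{member} can write via {role} granted at {level} level")
    return findings


# Constructed sample policies (hypothetical project and principals).
SAMPLE: Policies = {
    "project": {"bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/viewer", "members": ["group:analysts@example.com"]},
    ]},
    "instance": {"bindings": [
        {"role": "roles/spanner.databaseAdmin",
         "members": ["serviceAccount:migrations@example.iam.gserviceaccount.com"]},
    ]},
    "database": {"bindings": [
        {"role": "roles/spanner.databaseUser",
         "members": ["serviceAccount:orders-api@example.iam.gserviceaccount.com"]},
        {"role": "roles/spanner.databaseReader",
         "members": ["user:alice@example.com"]},
    ]},
}

if __name__ == "__main__":
    for principal in sorted(all_members(SAMPLE)):
        print(f"{principal}: {sorted(effective_caps(SAMPLE, principal))}")
    for finding in audit_database(SAMPLE):
        print("FINDING:", finding)
```

Run against the sample, the audit reports that the migrations service account can write to every database in the instance because its `databaseAdmin` binding sits at the instance level, and that the project owner can write regardless of what the database policy says. Those are the bindings to review before relying on per-database grants such as `gcloud spanner databases add-iam-policy-binding`. The script does not expand Google Group membership or evaluate IAM conditions, so treat a group binding as granting its role to everyone who might be in the group.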