Cloud SQL IAM and users
Cloud SQL employs two forms of access control: traditional GCP IAM policies and native database user controls. With the exception of Cloud SQL Client, IAM policies apply to all Cloud SQL operations within a given project and are largely focused on administrative tasks on the instances themselves. Database users offer finer-grained control over database access, such as which tables a client can read and modify.
IAM policies
Other than the primitive IAM roles that apply to all project resources (owner, editor, viewer), Cloud SQL supports four IAM roles:
- roles/cloudsql.admin: Full control, except the ability to connect as a client
- roles/cloudsql.editor: Ability to perform operational tasks on an instance
- roles/cloudsql.viewer: Read-only access to all resources
- roles/cloudsql.client: Ability to connect to an instance via the Cloud SQL Proxy
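The practical consequence of these four roles is that only roles/cloudsql.client is needed by a workload that merely queries a database; admin or editor (or the basic owner/editor roles, which also cover Cloud SQL) on an application service account is an over-grant. The following is an added audit example, not code from the page or from Google: it reads a project IAM policy in the JSON shape produced by `gcloud projects get-iam-policy --format=json` (the sample policy below is constructed) and reports principals holding Cloud SQL-relevant roles, flagging service accounts with more than client access.

```python
import json
from collections import defaultdict

# The four Cloud SQL predefined roles listed above, plus the basic roles,
# which apply to every resource in the project and therefore to Cloud SQL too.
CLOUDSQL_ROLES = {
    "roles/cloudsql.admin", "roles/cloudsql.editor",
    "roles/cloudsql.viewer", "roles/cloudsql.client",
}
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Roles that grant instance-level control rather than connect-only access.
BROAD_ROLES = {"roles/cloudsql.admin", "roles/cloudsql.editor",
               "roles/owner", "roles/editor"}


def cloudsql_grants(policy):
    """Map each principal to the set of Cloud SQL-relevant roles it holds."""
    grants = defaultdict(set)
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role in CLOUDSQL_ROLES or role in BASIC_ROLES:
            for member in binding.get("members", []):
                grants[member].add(role)
    return dict(grants)


def over_privileged(policy, prefix="serviceAccount:"):
    """Principals matching `prefix` that hold a broad role (sorted)."""
    return sorted(m for m, roles in cloudsql_grants(policy).items()
                  if m.startswith(prefix) and roles & BROAD_ROLES)


# Constructed sample policy (hypothetical members) in get-iam-policy JSON shape.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudsql.admin",
     "members": ["user:dba@example.com",
                 "serviceAccount:app@example.iam.gserviceaccount.com"]},
    {"role": "roles/cloudsql.client",
     "members": ["serviceAccount:web@example.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci@example.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["user:dba@example.com"]}
  ]
}""")

if __name__ == "__main__":
    for member, roles in sorted(cloudsql_grants(SAMPLE_POLICY).items()):
        print(member, sorted(roles))
    print("over-privileged service accounts:", over_privileged(SAMPLE_POLICY))
```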
Database users
Cloud SQL offers a simple managed interface for controlling database users in a given Cloud SQL instance....