0

I need to create a service account for managing (create, update, delete) PostgreSQL database instances in Cloud SQL. I was thinking of using the "roles/cloudsql.editor" role, but it does not have permission for deleting databases. Must I use the editor primitive role for deletion? If so, can I somehow limit it to have permissions to delete Cloud SQL instances only?

As a second option, should I maybe create a custom role based on the "roles/cloudsql.editor" and extend it with some deletion permission for Cloud SQL instances?

Best Regards,

Jovan

1 Answer

0

You may create a custom role and apply the IAM permissions you require. Thereafter, you can grant this custom role to your service account. In your scenario, I assume you need the following permissions:

cloudsql.databases.create
cloudsql.databases.delete
cloudsql.databases.update
Katayoon
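
The custom-role approach from the answer, written out as gcloud commands. This is an added example, not part of the original answer; `PROJECT_ID`, `ROLE_ID` and `SA_EMAIL` are placeholder assumptions, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: least-privilege custom role for a Cloud SQL service account.
# PROJECT_ID, ROLE_ID and SA_EMAIL are placeholders (assumptions), not from the page.
PROJECT_ID="${PROJECT_ID:-my-project}"
ROLE_ID="${ROLE_ID:-cloudsqlDatabaseManager}"
SA_EMAIL="${SA_EMAIL:-cloudsql-manager@${PROJECT_ID}.iam.gserviceaccount.com}"

# Permissions listed in the answer (databases inside an instance).
# If the account must create/delete the instances themselves, the
# instance-level permissions are cloudsql.instances.create/update/delete.
PERMISSIONS="cloudsql.databases.create,cloudsql.databases.delete,cloudsql.databases.update"

# DRY_RUN=1 (default) prints each gcloud command; DRY_RUN=0 executes it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Reject an empty list, wildcards, and anything outside the cloudsql.* namespace
# so the role cannot grow beyond Cloud SQL by accident.
check_permissions() {
  [ -n "$1" ] || return 1
  case "$1" in *'*'*) return 1 ;; esac
  old_ifs=$IFS; IFS=','
  set -- $1
  IFS=$old_ifs
  for p in "$@"; do
    case "$p" in cloudsql.*) ;; *) return 1 ;; esac
  done
}

# Create the project-level custom role.
create_role() {
  run gcloud iam roles create "$ROLE_ID" \
    --project="$PROJECT_ID" \
    --title="Cloud SQL database manager" \
    --permissions="$PERMISSIONS" \
    --stage=GA
}

# Grant only that custom role to the service account.
bind_role() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SA_EMAIL}" \
    --role="projects/${PROJECT_ID}/roles/${ROLE_ID}"
}

check_permissions "$PERMISSIONS" && create_role && bind_role
```

Because the binding names the custom role alone, the service account needs no primitive `roles/editor` grant.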