When considering any database solution, price and security tend to be major factors. For Cloud Spanner, security is largely provided through Google Cloud IAM. Cloud Spanner supports resource-specific IAM policies down to the database, meaning project administrators can control which services and users can read, write, or modify databases within a given instance. As stated earlier in this chapter, it is a common pattern to maintain a single Cloud Spanner instance for a given project, and simply control access at the database layer.
In addition to the three primitive IAM roles (owner, editor, viewer), Cloud Spanner supports five product-specific IAM roles:
- roles/spanner.admin: Full control over one or more instances
- roles/spanner.databaseAdmin: Full control over all databases within an instance
- roles/spanner.databaseReader: Read-only access, including query execution
- roles/spanner.databaseUser: Full CRUD and DDL support for one or more databases
- roles...
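Because IAM policies are inherited down the hierarchy (project, then instance, then database), a Spanner role bound at the instance or project level applies to every database beneath it. The following audit script, an added example rather than code from this chapter, merges constructed policy documents shaped like the JSON that `gcloud ... get-iam-policy --format=json` returns, computes each member's effective roles on a database, and flags Spanner-specific roles granted above the database layer as candidates for narrowing. The role-to-capability mapping is a simplification of the role descriptions above (editor is treated as read/write and viewer as read-only); the member names and database names are invented.

```python
"""Audit who can read or write a Cloud Spanner database once IAM inheritance
is taken into account.

Added example, not code from the original text. The policy documents below are
constructed to look like the JSON returned by
`gcloud projects|spanner instances|spanner databases get-iam-policy --format=json`.
"""
from collections import defaultdict

# Simplified capability map (assumption: editor treated as read+write,
# viewer as read-only; the spanner.* roles follow the chapter's list).
READ_ROLES = {
    "roles/owner", "roles/editor", "roles/viewer",
    "roles/spanner.admin", "roles/spanner.databaseAdmin",
    "roles/spanner.databaseReader", "roles/spanner.databaseUser",
}
WRITE_ROLES = {
    "roles/owner", "roles/editor",
    "roles/spanner.admin", "roles/spanner.databaseAdmin",
    "roles/spanner.databaseUser",
}

# Constructed sample policies: one project, one instance, two databases.
PROJECT_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}
INSTANCE_POLICY = {
    "version": 1,
    "bindings": [
        # databaseUser on the instance grants write access to EVERY database
        # in it: the over-broad pattern the audit should surface.
        {"role": "roles/spanner.databaseUser",
         "members": ["serviceAccount:etl@example.iam.gserviceaccount.com"]},
    ],
}
DATABASE_POLICIES = {
    "orders-db": {
        "version": 1,
        "bindings": [
            {"role": "roles/spanner.databaseReader",
             "members": ["group:analysts@example.com"]},
            {"role": "roles/spanner.databaseUser",
             "members": ["serviceAccount:orders-api@example.iam.gserviceaccount.com"]},
        ],
    },
    "billing-db": {
        "version": 1,
        "bindings": [
            {"role": "roles/spanner.databaseUser",
             "members": ["serviceAccount:billing-api@example.iam.gserviceaccount.com"]},
        ],
    },
}


def member_roles(policy):
    """Flatten one policy document into {member: set(roles)}.
    Conditional bindings are skipped: they must be evaluated, not assumed."""
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue
        for member in binding.get("members", []):
            out[member].add(binding["role"])
    return out


def effective_roles(db_name, project=PROJECT_POLICY, instance=INSTANCE_POLICY,
                    databases=DATABASE_POLICIES):
    """Roles each member holds on db_name: the union of project, instance and
    database bindings, because IAM policies inherit down the hierarchy."""
    merged = defaultdict(set)
    for policy in (project, instance, databases[db_name]):
        for member, roles in member_roles(policy).items():
            merged[member] |= roles
    return dict(merged)


def writers(db_name, **kw):
    """Members who can modify data or schema in db_name."""
    return sorted(m for m, r in effective_roles(db_name, **kw).items() if r & WRITE_ROLES)


def readers(db_name, **kw):
    """Members who can at least read data in db_name."""
    return sorted(m for m, r in effective_roles(db_name, **kw).items() if r & READ_ROLES)


def above_database_grants(project=PROJECT_POLICY, instance=INSTANCE_POLICY):
    """Spanner-specific roles bound above the database layer. Each applies to
    every database in scope and is a candidate for moving to the database."""
    findings = []
    for level, policy in (("project", project), ("instance", instance)):
        for member, roles in member_roles(policy).items():
            for role in sorted(roles):
                if role.startswith("roles/spanner."):
                    findings.append((level, member, role))
    return findings


if __name__ == "__main__":
    for db in DATABASE_POLICIES:
        print(f"{db}: writers={writers(db)}")
    for level, member, role in above_database_grants():
        print(f"NARROW: {member} holds {role} at {level} level")
```

Run against real output, replace the constructed dictionaries with `json.load` of each `get-iam-policy` result; the script deliberately skips conditional bindings rather than counting them as grants, since a condition may or may not hold for a given request.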