Tags: database, google-cloud-platform, google-cloud-spanner

cloud spanner IAM permission, restrict access to database


I want to have a cloud spanner instance used for a multitenant application, and what I'm looking for is restricting a service account to access only a database on cloud spanner. As per docs, there are primitive roles defined so that we can restrict access to instances with IAM conditions, but I can't find a way to restrict to databases inside an instance.

I'm looking for GRANT ALL PRIVILEGES ON database_name.* TO 'username'@'localhost'; on cloud spanner.


Solution

  • You can apply the permission directly at the database level. Select your instance, then the database(s) in it, open the info panel and add the permission that you want to the account (user account or service account).

    It's important to do it at the resource level (the database), because if you do it on the IAM page you are at the project level and you grant access to all Spanner databases.
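The same per-database grant expressed on the IAM policy JSON that gcloud returns, plus a check that the tenant's service account holds no Spanner or basic role at instance or project scope (which would silently widen access to every database). This is an added example, not code from the answer; the service account, project and policy contents are constructed.

```python
"""Spanner IAM at database scope (added example; the policies below are constructed).
Policy dicts use the JSON shape returned by
`gcloud spanner databases get-iam-policy DB --instance=INST --format=json`
(and the instance / project equivalents); a modified policy is applied with
`gcloud spanner databases set-iam-policy DB policy.json --instance=INST`."""
import copy

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` added to the unconditional binding for `role`."""
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new

def roles_for(policy, member):
    """All roles `member` holds in `policy`, conditional or not."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))

def audit_tenant_scope(member, db_policy, instance_policy, project_policy):
    """Findings that break 'one tenant, one database'; an empty list means the
    member reaches Spanner data only through its database-level binding."""
    findings = []
    for scope, policy in (("instance", instance_policy), ("project", project_policy)):
        for role in roles_for(policy, member):
            # A Spanner role or a basic role at a wider scope covers every database below it.
            if role.startswith("roles/spanner.") or role in BASIC_ROLES:
                findings.append(f"{member} holds {role} at {scope} scope")
    if not roles_for(db_policy, member):
        findings.append(f"{member} has no binding on the database")
    return findings

# Constructed sample: the tenant SA was bound at project level by mistake.
TENANT = "serviceAccount:tenant-a@example-project.iam.gserviceaccount.com"
DB_POLICY = {"bindings": [], "version": 1}
INSTANCE_POLICY = {"bindings": [], "version": 1}
PROJECT_POLICY = {"bindings": [{"role": "roles/spanner.databaseUser", "members": [TENANT]}], "version": 1}

if __name__ == "__main__":
    fixed_db = add_binding(DB_POLICY, "roles/spanner.databaseUser", TENANT)
    for finding in audit_tenant_scope(TENANT, fixed_db, INSTANCE_POLICY, PROJECT_POLICY):
        print("FINDING:", finding)
```

Running it reports the project-level binding that must be removed before the database-level one is the tenant's only path to the data.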