diff --git a/docs/upgrading_to_sql_db_23.0.md b/docs/upgrading_to_sql_db_23.0.md
new file mode 100644
index 00000000..0ac27837
--- /dev/null
+++ b/docs/upgrading_to_sql_db_23.0.md
@@ -0,0 +1,7 @@
+# Upgrading to SQL DB 23.0
+
+The 23.0 release of SQL DB is a backward incompatible release.
+
+# Cloud SQL Service Account role update
+
+Changed `storage.objectCreator` role to `storage.objectAdmin` for Cloud SQL Service Account on the bucket used for exporting the database, due to GCP internal changes in the export process.
diff --git a/modules/backup/main.tf b/modules/backup/main.tf
index a682bcfb..d590738d 100644
--- a/modules/backup/main.tf
+++ b/modules/backup/main.tf
@@ -196,7 +196,7 @@ resource "google_storage_bucket_iam_member" "sql_instance_account" {
 count = var.enable_export_backup ? 1 : 0
 bucket = split("/", var.export_uri)[2] #Get the name of the bucket out of the URI
 member = "serviceAccount:${data.google_sql_database_instance.backup_instance.service_account_email_address}"
- role = "roles/storage.objectCreator"
+ role = "roles/storage.objectAdmin"
 }
 
 # We want to get notified if there hasn't been at least one successful backup in a day
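Review bot: The new `role = "roles/storage.objectAdmin"` line gives the Cloud SQL service account read, overwrite and delete rights on every object in the export bucket, where `roles/storage.objectCreator` only allowed adding new objects, so existing exports are no longer protected from the instance's own identity. The binding as shown is bucket-wide and unconditional, and the hunk adds neither a compensating control nor a comment explaining why the broader role is needed. I would document the reason on the line, e.g. `# objectAdmin is needed by the Cloud SQL export process; protect existing exports with object versioning or a retention policy on the bucket`. The upgrade note should also tell operators to check that the export bucket holds nothing but exports and has versioning or retention enabled. If the export process is known to write under a fixed prefix, an IAM `condition` on the resource name could narrow the grant, but that needs confirming against the export behaviour first.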