There are 2 ways to connect to a Cloud SQL database: directly, or via a connector. 2 types of connectors are supported: standalone (Cloud SQL Auth Proxy), and in-process (Cloud SQL Language Connector, available for Java, Python, Go, and Node.js).
There are also 2 ways to authenticate to a database:
- The PostgreSQL's built-in authentication (password).
- IAM database authentication. In this case you need an IAM service account and a matching PostgreSQL user.
But before you can do that, you need to give yourself access to the database (authorize the connection):
-
If you're connecting directly, you need to add the client's IP to
authorized networks
. In this case you also most likely want to make use of SSL/TLS. -
If you're connecting via a connector, you need to provide it with a service account that has the
cloudsql.instances.connect
permission. One way to do that is to grant the Cloud SQL Client role (roles/cloudsql.client
) to the service account. In this case you don't need to bother with SSL/TLS, the connector handles this for you (encrypts the connection). Additionally, if you're using a standalone connector (Cloud SQL Auth Proxy), the connection between it and a client is not encrypted, as such you most likely want to keep the connector on the same machine.
To use IAM database authentication you need to:
- enable it on the instance
- give the service account the
cloudsql.instances.login
permission, e.g. by granting the Cloud SQL Instance User role (roles/cloudsql.instanceUser
) to it - start the proxy with the
--auto-iam-authn
flag (if you use Cloud SQL Auth Proxy)
To use SSL/TLS you need a server certificate (which is created automatically when you create an instance) and client certificates. You're notified when a server certificate expires, but not when a client certificate does. When connecting directly using SSL/TLS is strongly recommended. When using a connector configuring SSL/TLS is not needed.
$ gcloud logging read "resource.type=cloudsql_database" --project=PROJECT_ID --limit=10
Examples of filter expressions:
resource.type=cloudsql_database
logName=projects/PROJECT_ID/logs/cloudsql.googleapis.com%2Fpostgres.log
projects/PROJECT_ID/logs/cloudsql.googleapis.com%2Fpostgres.log
resource.type=cloudsql_database AND logName=projects/PROJECT_ID/logs/cloudsql.googleapis.com%2Fpostgres.log
resource.type=cloudsql_database AND projects/PROJECT_ID/logs/cloudsql.googleapis.com%2Fpostgres.log
Other useful arguments: --freshness
(defaults to 1d
), --order
(defaults to desc
).
Additionally:
- When you create a Cloud SQL instance the
postgres
user is created with no password. You need to set the password to be able to authenticate. - You can't have superusers on Cloud SQL.
- Users created with
gcloud
initially have the same permissions aspostgres
. authorized networks
can contain both IP addresses and IP ranges.- How the proxy works is described here.
- Automatic instance discovery is not recommended in production.
- Where the proxy looks for credentials is described here.
- It seems like PostgreSQL connections used to hang w/o
sslmode=disable
, which doesn't seem to be an issue these days. - Using the Cloud SQL Auth Proxy's
--port
flag reduces startup time.
IAM database authentication + Cloud SQL Auth Proxy (ruby)
IAM database authentication + Cloud SQL Auth Proxy
built-in authentication + SSL/TLS
How to:
- enable public IP
- change authorized networks
- reset authorized networks
- disable public IP
- list db users
- create a user
- change a password
- remove a user
- set
cloudsql.iam_authentication
- create a service account
- create a matching db user
- remove the matching db user
- start the proxy under
docker
- start the proxy with IAM database authentication
- enforce using the proxy
- get information about the server certificate
- create a client certificate
- get the public key of a client certificate
- delete a client certificate
- reset the SSL/TLS configuration
- enforce using SSL/TLS
- view IAM policy of a project
- grant a role to a principal
- revoke a role from a principal
The docs:
- Cloud SQL IAM database authentication (2 ways to authenticate, automatic and manual IAM database authentication, what's needed: the permission, the role, an IAM principal, a database user, the instance flag)
- Configure new and existing instances for IAM database authentication (how to add the cloudsql.iam_authentication flag)
- About PostgreSQL users and roles (differences between database users and roles, superuser restrictions, default PostgreSQL users, IAM database authentication, creating users)
- Cloud SQL built-in database authentication (2 ways to authenticate)
- Create and manage users (how to change a password, create/remove a user, list users)
- Manage users with IAM authentication (troubleshooting login failures, how to create a matching database user, remove a database user)
- Log in using IAM database authentication (how to start the proxy)
- About access control (levels of access control)
- IAM for Cloud SQL (roles, permissions and conditions)
- Roles and permissions (overview of IAM, what permissions are necessary, viewing and changing the project's policy, best practices)
- Use IAM Conditions (types of attributes, giving access to specific Cloud SQL instances)
- About connection options (ways to authenticate/get authorization, Cloud SQL Language Connectors, Cloud SQL Auth Proxy, self-managed SSL/TLS certificates, authorized networks)
- Configure public IP (troubleshooting, how to assign/deassign a public IP, changing authorized networks)
- Authorize with authorized networks (how to change authorized networks)
- Authorize with SSL/TLS certificates (enforcing SSL/TLS, what files are needed, server certificates, rotation, authorized networks, expiry)
- Configure SSL/TLS certificates (how to enforce SSL/TLS, create/get a server/client certificate)
- Manage SSL/TLS certificates (how to get/delete a client certificate, rotate a server certificate, describe a server certificate, reset SSL/TLS configuration)
- About the Cloud SQL Auth Proxy (benefits of Cloud SQL Auth Proxy, how Cloud SQL Auth Proxy works, requirements, startup options, a service account, required permissions, instance discovery, production environment, enforcing the use of Cloud SQL Auth Proxy)
- Connect using the Cloud SQL Auth Proxy (what it does, where it looks for credentials, troubleshooting, how to download, start, connect with psql, create a service account, enforce the use of Cloud SQL Auth Proxy, multiple instances)
- Connect using a psql client (how to change authorized networks, connect w/ and w/o SSL/TLS)
- Cloud SQL permissions
- Cloud SQL roles (which permissions include which roles)
- Cloud SOL Auth Proxy README.md
Logging:
- Debug connection issues / Tools for debugging connectivity / Cloud Logging / View logs
- Troubleshoot / Logging
- View instance logs / View logs
- View instance logs / Troubleshoot
Troubleshooting:
- Troubleshoot (how to view the logs)
- Debug connection issues (connection issues checklist, how to view the logs)
- Manage users with IAM authentication / Troubleshoot a login failure
- Configure public IP / Troubleshoot
- Connect using the Cloud SQL Auth Proxy / Troubleshoot Cloud SQL Auth Proxy connections
- View instance logs (how to view the logs, troubleshooting)
- Cloud SQL for PostgreSQL error messages
- Known issues (sslmode=disabled, or else connections hang)
Quickstarts: