Connecting to Google Cloud SQL from Google App Engine

You can grant individual App Engine applications access to a Cloud SQL instance. One application can be granted access to multiple instances, and multiple applications can be granted access to a particular instance. Connections between Cloud SQL and App Engine are encrypted by default.

There are some restrictions on access from App Engine applications to Cloud SQL:

  • Access from Google App Engine applications to Cloud SQL Second Generation instances can be granted only for Managed VMs.
  • There are limits on connections and other resources for App Engine applications. See the FAQ for more information.

For more information about Google App Engine, see the Google App Engine documentation.

The method for setting up a connection between an App Engine application and a Cloud SQL instance depends on the types of the App Engine environment and Cloud SQL instance:

App Engine Standard environment to a Cloud SQL First Generation instance

To grant access to an application running on App Engine Standard environment, you authorize the application's ID on the Cloud SQL instance. You can find the application ID on the Google Cloud Platform Console.

Console

  1. In the Google Cloud Platform Console, select a project.
  2. Find the instance to which you want to grant access and click the instance name.
  3. Select Access Control > Authorization.
  4. In the Authorized App Engine applications section, click the add icon and enter the application ID.
  5. Save your change by clicking the edit icon.
  6. Click the Save button to update the instance.

After you have added authorized applications to your Google Cloud SQL instance, you can view a list of these applications in the instance's Properties, in the section titled Authorized Applications.

gcloud

  1. Install the Cloud SQL command-line tool if you haven't already (see Managing Instances Using the Cloud SDK).
  2. Use the sql instances patch command to modify an existing instance (YOUR_INSTANCE_NAME) and grant access to the App Engine application (GAE_APP_NAME):
    $ gcloud sql instances patch YOUR_INSTANCE_NAME --authorized-gae-apps GAE_APP_NAME
    

cURL

  1. Obtain an OAuth2 access token that you can use in the following commands.

    For example, you can obtain a token by using the gauth command, which is part of the Google Cloud SDK.

  2. List the existing authorized App Engine applications for the instance.

    For more information about the instance resources you can access with the API, see the instance resource definition.

    curl --header 'Authorization: Bearer accessToken' \
         --header 'Content-Type: application/json' \
         https://www.googleapis.com/sql/v1beta4/projects/your-project-id/instances/your-instance-name \
         -X GET
    
  3. Add a new App Engine application to the existing list of authorized applications.
    curl --header 'Authorization: Bearer accessToken' \
         --header 'Content-Type: application/json' \
         https://www.googleapis.com/sql/v1beta4/projects/your-project-id/instances/your-instance-name \
         --data '{"settings" : {"authorizedGaeApplications" : ["existing-app-engine-app", "new-app-engine-app"] }}' \
         -X PATCH
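
Step 3 sends the existing application IDs together with the new one, so the request body has to be built from the list read in step 2. The following added example (not part of the original documentation) builds that body and also reports authorized IDs that are not on an expected list; the function names, the sample resource, and the ID `old-test-app` are assumptions made for illustration.

```python
import json

# Constructed sample of the instance resource returned by the GET in step 2
# (only the fields this example reads; the application IDs are made up).
SAMPLE_INSTANCE = json.loads("""
{
  "name": "your-instance-name",
  "settings": {
    "authorizedGaeApplications": ["existing-app-engine-app", "old-test-app"]
  }
}
""")


def authorized_apps(instance):
    """Return the authorized App Engine application IDs, or [] if unset."""
    return list(instance.get("settings", {}).get("authorizedGaeApplications") or [])


def unexpected_apps(instance, expected):
    """IDs authorized on the instance that are not on the expected list."""
    return sorted(set(authorized_apps(instance)) - set(expected))


def build_patch_body(instance, add=(), remove=()):
    """Build the step 3 request body from the current list.

    The body carries the whole list, so start from what is already
    authorized; that way existing applications stay in the list.
    """
    drop = set(remove)
    apps = [a for a in authorized_apps(instance) if a not in drop]
    for app_id in add:
        if app_id not in apps:          # keep the list free of duplicates
            apps.append(app_id)
    return json.dumps({"settings": {"authorizedGaeApplications": apps}})


if __name__ == "__main__":
    # Review what is authorized today, then build the body for --data.
    print(unexpected_apps(SAMPLE_INSTANCE, ["existing-app-engine-app"]))
    print(build_patch_body(SAMPLE_INSTANCE, add=["new-app-engine-app"],
                           remove=["old-test-app"]))
```

The string returned by `build_patch_body` is what goes in the `--data` argument of the PATCH request in step 3.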
    

For more information about connecting using your language, see the links in Language-specific information.

App Engine Managed VM environment to a Cloud SQL Second Generation instance

You can connect to Cloud SQL Second Generation instances from a Managed VM environment by using the Cloud SQL Proxy. You must make a change to the `app.yaml` file and a change to the connection string, and ensure that the service account for the Managed VM application has the appropriate permissions.

  1. If the Managed VM and the Cloud SQL instance are not in the same project, make sure that the service account associated with the Managed VM application has at least the role of 'editor' in the Cloud SQL instance's project.

    The service account for the Managed VM is usually 'app-name@appspot.gserviceaccount.com'. To check the permissions of a service account or to add one, follow the instructions in Adding a Project Member.

  2. Add the following key to your runtime configuration `app.yaml` file:
    beta_settings:
      cloud_sql_instances: <PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>[, ...]
    
  3. In your application code, connect with the following connection string:
    /cloudsql/<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>
    

For more information about connecting using your language, see the links in Language-specific information.

Language-specific information

The following links provide some language-specific information about connecting from an App Engine application to a Cloud SQL instance.

Java App Engine Applications

Python App Engine Applications

PHP App Engine Applications

Go App Engine Applications