Connecting a MySQL client from Compute Engine

This page describes how to use the mysql client, installed on a Compute Engine instance, to connect to Cloud SQL.

You can use private IP, public IP, the Cloud SQL Auth proxy, or the Cloud SQL Auth proxy Docker image.

Before you begin

Before you can connect to your Cloud SQL instance, you must have a default database user (root) on the instance.

This task does not include instructions for setting up your Compute Engine instance. If you need help with creating and configuring a Compute Engine instance, see the Compute Engine documentation.

Private IP

To connect to Cloud SQL from a Compute Engine instance using private IP, private services access must be set up for your environment and your Cloud SQL instance must be configured to use private IP. Your Compute Engine instance must be in the same region as your Cloud SQL instance, and on the network configured for a private connection. >Learn more.

1. Configure your instance to use private IP

Use the instructions in Configuring Private IP Connectivity.

2. Open a terminal connection to your Compute Engine instance.

Use the appropriate instructions, depending on the instance's operating system:

If your Compute Engine instance is running either an RHEL or a CentOS public image, SELinux might block the proxy connection. If this happens, you must configure the SELinux feature to allow the connection.

For more information about SELinux for RHEL, see the RHEL documentation. For more information about SELinux for CentOS, see the CentOS documentation.

3. Install the mysql client on the Compute Engine instance, if it is not already installed.

Debian/Ubuntu

Install the MySQL client from the package manager:

sudo apt-get update
sudo apt-get install mariadb-server-10.3

CentOS/RHEL

Install the MySQL client from the package manager:

sudo yum install mysql

openSUSE

Install the MySQL client from the package manager:

sudo zypper install mysql-server

Other platforms

  1. Download the MySQL Community Server for your platform from the MySQL Community Server download page.
    The Community Server includes the MySQL client.
  2. Install the Community Server, following the directions on the download page.

For more information about installing MySQL, see the MySQL Reference Manual Installing and Upgrading MySQL.

4. Connect with the mysql client.

mysql --host=[CLOUD_SQL_PRIVATE_IP_ADDR] --user=root --password

Public IP

To connect using public IP:


For step-by-step guidance on this task directly in Cloud Shell Editor, click Guide me:

Guide me


The following sections take you through the same steps as clicking Guide me.

1. Add a static IPv4 IP address to the Compute Engine instance, if it does not already have one.

You cannot connect to Compute Engine using IPv6. For information about adding a static IP address, see Reserving a new static external IP address in the Compute Engine documentation.

2. Authorize the static IP address of the Compute Engine instance as a network that can connect to your Cloud SQL instance.

For more information, see Configuring access for public IP connections.

3. Open a terminal connection to your Compute Engine instance.

Use the appropriate instructions, depending on the instance's operating system:

If your Compute Engine instance is running either an RHEL or a CentOS public image, SELinux might block the proxy connection. If this happens, you must configure the SELinux feature to allow the connection.

For more information about SELinux for RHEL, see the RHEL documentation. For more information about SELinux for CentOS, see the CentOS documentation.

4. Install the mysql client on the Compute Engine instance, if it is not already installed.

Debian/Ubuntu

Install the MySQL client from the package manager:

sudo apt-get update
sudo apt-get install mariadb-server-10.3

CentOS/RHEL

Install the MySQL client from the package manager:

sudo yum install mysql

openSUSE

Install the MySQL client from the package manager:

sudo zypper install mysql-server

Other platforms

  1. Download the MySQL Community Server for your platform from the MySQL Community Server download page.
    The Community Server includes the MySQL client.
  2. Install the Community Server, following the directions on the download page.

For more information about installing MySQL, see the MySQL Reference Manual Installing and Upgrading MySQL.

5. Connect with the mysql client.

mysql --host=[CLOUD_SQL_PUBLIC_IP_ADDR] --user=root --password
Run the following gcloud command to find the CLOUD_SQL_PUBLIC_IP_ADDR:

gcloud sql instances list

For an example of how to connect using SSL, see Connecting with SSL.

6. The mysql prompt appears.

7. If you need to keep unused connections alive:

Set the TCP keepalive.

For more information, see Communicating between your instances and the Internet in the Compute Engine documentation.

Connections are kept alive automatically for instances.

Cloud SQL Auth proxy

To connect using the Cloud SQL Auth proxy from Compute Engine:

1. Enable the Cloud SQL Admin API.

Enable the API

2. Create a service account.

  1. Go to the Service accounts page of the Google Cloud Console.

    Go to the Service accounts page

  2. Select the project that contains your Cloud SQL instance.
  3. Click Create service account.
  4. In the Create service account dialog, enter a descriptive name for the service account.
  5. Change the Service account ID to a unique, recognizable value and then click Create.
  6. For Role, select one of the following roles, click Continue, and then click Done:
    • Cloud SQL > Cloud SQL Client
    • Cloud SQL > Cloud SQL Editor
    • Cloud SQL > Cloud SQL Admin
  7. Click the action menu for your new service account and then select Manage keys.
  8. Click the Add key drop-down menu and then click Create new key.
  9. Confirm that the key type is JSON and then click Create.

    The private key file is downloaded to your machine. You can move it to another location. Keep the key file secure.

If the Compute Engine instance is in a different project than the Cloud SQL instance, ensure that its service account has the proper permissions in the project that contains the Cloud SQL instance:

  1. Go to the Compute Engine instances listing in the Google Cloud Console.

    Go to the Compute Engine instances listing

  2. If needed, select the project associated with the Compute Engine instance.
  3. Select the Compute Engine instance to display its properties.
  4. In the Compute Engine instance properties, copy the name of the service account.
  5. Go to the IAM & Admin Projects page in the Google Cloud Console.

    Go to the IAM & Admin Projects page

  6. Select the project that contains the Cloud SQL instance.
  7. Search for the service account name.
  8. If the service account is already there, and it has a role that includes the cloudsql.instances.connect permission, you can proceed to step 4.

    The Cloud SQL Client, Cloud SQL Editor and Cloud SQL Admin roles all provide the necessary permission, as do the legacy Editor and Owner project roles.

  9. Otherwise, add the service account by clicking Add.
  10. In the Add members dialog, provide the name of the service account and select a role that include the cloudsql.instances.connect permission (any Cloud SQL predefined role other than Viewer will work).

    Alternatively, you can use the basic Editor role by selecting Project > Editor, but the Editor role includes permissions across Google Cloud.

    If you do not see these roles, your Google Cloud user might not have the resourcemanager.projects.setIamPolicy permission. You can check your permissions by going to the IAM page in the Google Cloud Console and searching for your user id.

  11. Click Add.

    You now see the service account listed with the specified role.

3. Open a terminal connection to your Compute Engine instance.

Use the appropriate instructions, depending on the instance's operating system:

If your Compute Engine instance is running either an RHEL or a CentOS public image, SELinux might block the proxy connection. If this happens, you must configure the SELinux feature to allow the connection.

For more information about SELinux for RHEL, see the RHEL documentation. For more information about SELinux for CentOS, see the CentOS documentation.

4. Install the mysql client on the Compute Engine instance, if it is not already installed.

Debian/Ubuntu

Install the MySQL client from the package manager:

sudo apt-get update
sudo apt-get install mariadb-server-10.3

CentOS/RHEL

Install the MySQL client from the package manager:

sudo yum install mysql

openSUSE

Install the MySQL client from the package manager:

sudo zypper install mysql-server

Other platforms

  1. Download the MySQL Community Server for your platform from the MySQL Community Server download page.
    The Community Server includes the MySQL client.
  2. Install the Community Server, following the directions on the download page.

For more information about installing MySQL, see the MySQL Reference Manual Installing and Upgrading MySQL.

5. Install the Cloud SQL Auth proxy on the Compute Engine instance.

Linux 64-bit

  1. Download the Cloud SQL Auth proxy:
    wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy
    
  2. Make the Cloud SQL Auth proxy executable:
    chmod +x cloud_sql_proxy
    

Linux 32-bit

  1. Download the Cloud SQL Auth proxy:
    wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.386 -O cloud_sql_proxy
    
  2. Make the Cloud SQL Auth proxy executable:
    chmod +x cloud_sql_proxy
    

Windows 64-bit

Right-click https://dl.google.com/cloudsql/cloud_sql_proxy_x64.exe and select Save Link As to download the Cloud SQL Auth proxy. Rename the file to cloud_sql_proxy.exe.

Windows 32-bit

Right-click https://dl.google.com/cloudsql/cloud_sql_proxy_x86.exe and select Save Link As to download the Cloud SQL Auth proxy. Rename the file to cloud_sql_proxy.exe.

Cloud SQL Auth proxy Docker image

For convenience, the Cloud SQL team maintains several container images that contain the Cloud SQL Auth proxy for use by our customers. For more information about these images, see the Cloud SQL Auth proxy repo on GitHub. You can pull the latest image to your local machine using Docker with the following command:
docker pull gcr.io/cloudsql-docker/gce-proxy:1.21.0

Other OS

For other operating systems not included here, you can compile the Cloud SQL Auth proxy from source.

6. Start the Cloud SQL Auth proxy.

Depending on your language and environment, you can start the Cloud SQL Auth proxy using TCP sockets, Unix sockets, or the Cloud SQL Auth proxy Docker image. The Cloud SQL Auth proxy binary connects to one or more Cloud SQL instances specified on the command line, and opens a local connection as either TCP or a Unix socket. Other applications and services, such as your application code or database management client tools, can connect to Cloud SQL instances through those TCP or Unix socket connections.

TCP sockets

For TCP connections, the Cloud SQL Auth proxy listens on localhost(127.0.0.1) by default. So when you specify tcp:PORT_NUMBER for an instance, the local connection is at 127.0.0.1:PORT_NUMBER.

Alternatively, you can specify a different address for the local connection. For example, here's how to make the Cloud SQL Auth proxy listen at 0.0.0.0:1234 for the local connection:

  ./cloud_sql_proxy -instances=INSTANCE_CONNECTION_NAME=tcp:0.0.0.0:1234
  1. Copy your INSTANCE_CONNECTION_NAME. This can be found on the Overview page for your instance in the Google Cloud Console. or by running the following command:

    gcloud sql instances describe INSTANCE_NAME
    .

    For example: myproject:myregion:myinstance.

  2. If the instance has both public and private IP configured, and you want the Cloud SQL Auth proxy to use the private IP address, you must provide the following option when you start the Cloud SQL Auth proxy:
    -ip_address_types=PRIVATE
  3. If you are using a service account to authenticate the Cloud SQL Auth proxy, note the location on your client machine of the private key file that was created when you created the service account.
  4. Start the Cloud SQL Auth proxy.

    Some possible Cloud SQL Auth proxy invocation strings:

    • Using Cloud SDK authentication:
      ./cloud_sql_proxy -instances=INSTANCE_CONNECTION_NAME=tcp:3306
      
      The specified port must not already be in use, for example, by a local database server.
    • Using a service account and explicitly including the name of the instance connection (recommended for production environments):
      ./cloud_sql_proxy -instances=INSTANCE_CONNECTION_NAM=tcp:3306 \
                        -credential_file=PATH_TO_KEY_FILE &
      

    For more information about Cloud SQL Auth proxy options, see Options for authenticating the Cloud SQL Auth proxy and Options for specifying instances.

Unix sockets

The Cloud SQL Auth proxy can listen on a Unix socket, which is a Posix standard mechanism for using a folder to manage communication between two processes running on the same host. Advantages to using Unix sockets are improved security and lower latency, however, you cannot access a Unix socket from an external machine.

To create and use a Unix socket, the target directory must exist and both the Cloud SQL Auth proxy and application must have read and write access to it.

  1. If you are using explicit instance specification, copy your INSTANCE_CONNECTION_NAME. This can be found on the Overview page for your instance in the Google Cloud Console. or by running the following command:

    gcloud sql instances describe INSTANCE_NAME
    .

    For example: myproject:myregion:myinstance.

  2. Create the directory where the Cloud SQL Auth proxy sockets will live:
    sudo mkdir /cloudsql; sudo chmod 777 /cloudsql
  3. If you are using a service account to authenticate the Cloud SQL Auth proxy, note the location on your client machine of the private key file that was created when you created the service account.
  4. Open a new terminal window and start the Cloud SQL Auth proxy.

    Some possible Cloud SQL Auth proxy invocation strings:

    • Using a service account and explicitly including the name of the instance connection (recommended for production environments):
      ./cloud_sql_proxy -dir=/cloudsql -instances=INSTANCE_CONNECTION_NAME
      -credential_file=PATH_TO_KEY_FILE &
    • Using Cloud SDK authentication and automatic instance discovery:
      ./cloud_sql_proxy -dir=/cloudsql &

    It is best to start the Cloud SQL Auth proxy in its own terminal so you can monitor its output without it mixing with the output from other programs.

    For more information about Cloud SQL Auth proxy options, see Options for authenticating the Cloud SQL Auth proxy and Options for specifying instances.

Cloud SQL Auth proxy Docker image

To run the Cloud SQL Auth proxy in a Docker container, use the Cloud SQL Auth proxy Docker image available from the Google Container Registry.

You can start the Cloud SQL Auth proxy using either TCP sockets or Unix sockets, with the commands shown below. The options use an INSTANCE_CONNECTION_NAME as the connection string to identify a Cloud SQL instance. You can find the INSTANCE_CONNECTION_NAME on the Overview page for your instance in the Google Cloud Console. or by running the following command:

gcloud sql instances describe INSTANCE_NAME
.

For example: myproject:myregion:myinstance.

Depending on your language and environment, you can start the Cloud SQL Auth proxy using either TCP sockets or Unix sockets. Unix sockets are not supported for applications written in the Java programming language or for the Windows environment.

Using TCP sockets

docker run -d \\
  -v PATH_TO_KEY_FILE:/config \\
  -p 127.0.0.1:3306:3306 \\
  gcr.io/cloudsql-docker/gce-proxy:1.21.0 /cloud_sql_proxy \\
  -instances=INSTANCE_CONNECTION_NAME=tcp:0.0.0.0:3306 -credential_file=/config

If you are using the credentials provided by your Compute Engine instance, do not include the credential_file parameter and the -v PATH_TO_KEY_FILE:/config line.

Always specify 127.0.0.1 prefix in -p so that the Cloud SQL Auth proxy is not exposed outside the local host. The "0.0.0.0" in the instances parameter is required to make the port accessible from outside of the Docker container.

Using Unix sockets

docker run -d -v /cloudsql:/cloudsql \\
  -v PATH_TO_KEY_FILE:/config \\
  gcr.io/cloudsql-docker/gce-proxy:1.21.0 /cloud_sql_proxy -dir=/cloudsql \\
  -instances=INSTANCE_CONNECTION_NAME -credential_file=/config

If you are using the credentials provided by your Compute Engine instance, do not include the credential_file parameter and the -v PATH_TO_KEY_FILE:/config line.

If you are using a container optimized image, use a writeable directory in place of /cloudsql, for example:

-v /mnt/stateful_partition/cloudsql:/cloudsql

You can specify more than one instance, separated by commas. You can also use Compute Engine metadata to dynamically determine the instances to connect to. Learn more about the Cloud SQL Auth proxy parameters.

7. Start the mysql session.

The connection string you use depends on whether you started the Cloud SQL Auth proxy using a TCP socket or a UNIX socket or Docker.

TCP sockets

  1. Start the mysql client:
    mysql -u USERNAME -p --host 127.0.0.1
    

    When you connect using TCP sockets, the Cloud SQL Auth proxy is accessed through 127.0.0.1.

  2. If prompted, enter the password.
  3. The mysql prompt appears.

Using Unix sockets

  1. Start the mysql client:
    mysql -u USERNAME -p -S /cloudsql/INSTANCE_CONNECTION_NAME
    
  2. Enter the password.
  3. The mysql prompt appears.

Need help? For help troubleshooting the proxy, see Troubleshooting Cloud SQL Auth proxy connections. Or, see our Cloud SQL Support page.

What's next