This page describes how to set up a connection from an application running in Google Container Engine to a Cloud SQL instance, using the Cloud SQL Proxy Docker image.
To access a Google Cloud SQL instance from an application running in Google Container Engine, you use the Cloud SQL Proxy Docker image. For more information about the Cloud SQL Proxy, see About the Cloud SQL Proxy.
Before you begin
Before you start this procedure, you must have:
A Container Engine cluster running version 1.2 or higher, with the
kubectlcommand-line tool installed and configured to communicate with the cluster.
For help getting started with Container Engine, see the Quickstart.
An application container in a pod on the Container Engine cluster.
The Cloud SQL Proxy is added to your pod using the "sidecar" pod pattern.
A Second Generation instance created.
For help creating a Cloud SQL instance, see Creating Instances.
1. Enable the API
2. Create a service account
The proxy requires a service account with the proper privileges for your Cloud SQL instance. For more information about service accounts, see the Google Cloud Platform Auth Guide.
- Go to the Cloud SQL Service accounts page of the Google Cloud Platform Console.
- If needed, select the project that contains your Cloud SQL instance.
- Click Create service account.
- In the Create service account dialog, provide a descriptive name for the service account.
For Role, select Cloud SQL > Cloud SQL Client.
Alternatively, you can use the primitive Editor role by selecting Project > Editor, but the Editor role includes permissions across Google Cloud Platform.
If you do not see these roles, your Google Cloud Platform user might not have the
resourcemanager.projects.setIamPolicypermission. You can check your permissions by going to the IAM page in the Google Cloud Platform Console and searching for your user id.
- Change the Service account ID to a unique value that you will recognize so you can easily find this service account later if needed.
- Click Furnish a new private key.
The default key type is
JSON, which is the correct value to use.
The private key file is downloaded to your machine. You can move it to another location. Keep the key file secure.
You will provide the location of this key file later in this
3. Create the proxy user
Use the gcloud command below to create the user account named
the proxy will use to access your Cloud SQL instance, filling in the
instance name and the password.
gcloud sql users create proxyuser cloudsqlproxy~% --instance=[INSTANCE_NAME] --password=[PASSWORD]
For help with creating a user account, see Creating a user.
4. Get your instance connection name
The instance connection name identifies your instance on Google Cloud Platform. You can
get it from the Google Cloud Platform Console, or by using the
gcloud command-line tool:
gcloud sql instances describe [INSTANCE_NAME]
For example, for the instance
myinstance1 in project
gcloud output would be:
You will provide this value later as
5. Create your Secrets
You need two Secrets to enable your Container Engine application to access the data in your Cloud SQL instance:
cloudsql-instance-credentialsSecret contains the service account.
cloudsql-db-credentialsSecret provides the proxy user account and password.
To create these Secrets:
Create the Secret containing the Service Account which enables authentication to Cloud SQL:
kubectl create secret generic cloudsql-instance-credentials \ --from-file=credentials.json=[PROXY_KEY_FILE_PATH]
Create the Secret needed for database access, using the name and password for the proxy user you created earlier:
kubectl create secret generic cloudsql-db-credentials \ --from-literal=username=proxyuser --from-literal=password=[PASSWORD]
6. Update your pod configuration file
Your pod configuration file needs to include the host address of the database, the Secrets, and the location of your Cloud SQL instance.
The exact variable names needed depend on the application container you are using. For a complete sample deployment, including sample code, see sample Kubernetes Deployment manifest file on GitHub.
127.0.0.1:3306as the host address your application uses to access the database.
Because the proxy runs in a second container in the same pod, it appears to your application as
localhost, so you use
127.0.0.1:3306to connect to it.
cloudsql-db-credentialsSecret to enable the application to log in to the database.
For example, the following configuration provides the
DB_PASSWORDenvironment variables to your application using the
env: - name: DB_USER valueFrom: secretKeyRef: name: cloudsql-db-credentials key: username - name: DB_PASSWORD valueFrom: secretKeyRef: name: cloudsql-db-credentials key: password
In your Kubernetes Deployment file, define an additional container in the Pod definition to run the proxy container. This container exposes port 3306 and uses the instance connection name you recorded earlier.
- name: cloudsql-proxy image: gcr.io/cloudsql-docker/gce-proxy:1.11 command: ["/cloud_sql_proxy", "--dir=/cloudsql", "-instances=<INSTANCE_CONNECTION_NAME>=tcp:3306", "-credential_file=/secrets/cloudsql/credentials.json"] volumeMounts: - name: cloudsql-instance-credentials mountPath: /secrets/cloudsql readOnly: true - name: ssl-certs mountPath: /etc/ssl/certs - name: cloudsql mountPath: /cloudsql
Define your volumes:
volumes: - name: cloudsql-instance-credentials secret: secretName: cloudsql-instance-credentials - name: cloudsql emptyDir: - name: ssl-certs hostPath: path: /etc/ssl/certs
Bring up your Deployment using the Kubernetes manifest file:
kubectl apply -f deployment.yaml
7. Update your application to connect to Cloud SQL
When you have your Google Container Engine environment set up, you connect to Cloud SQL the same way as any other external application that is using the proxy. The exact connection string you use depends on what language and framework you are using.
For some example connection strings, see Language-specific information and examples.