Configure new and existing instances for IAM database authentication

MySQL | PostgreSQL | SQL Server

This page has procedures for creating or editing Cloud SQL instances to allow users or service accounts that are configured to use Cloud SQL IAM database authentication. To learn more about the Cloud SQL IAM integration, see the Overview of Cloud SQL IAM database authentication.

A newly-created instance has four system databases:

information_schema: Provides access to database metadata, information about the MySQL server.
mysql: The system schema. It contains tables that store information required by the MySQL server as it runs.
performance_schema: A feature for monitoring MySQL Server execution at a low level.
sys: Contains a set of objects that helps DBAs and developers interpret data collected by the performance schema.

Before you begin

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project.

Install the Google Cloud CLI.

To initialize the gcloud CLI, run the following command:

gcloud init

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project.

Install the Google Cloud CLI.

To initialize the gcloud CLI, run the following command:

gcloud init

Make sure you have the Cloud SQL Admin and Compute Viewer roles on your user account.
Go to the IAM page

Learn more about roles and permissions.

Configure new instances for IAM database authentication

Cloud SQL uses a flag to enable and disable IAM user connections on an instance. In this procedure, you enable that flag.

To configure a new instance that uses Cloud SQL IAM database authentication:

Console

In the Google Cloud console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
Click Create Instance.
Click Choose MySQL.
Enter a name for the Instance ID. Don't include sensitive or personally identifiable information in your instance name; it's externally visible. You don't need to include the project ID in the instance name. The project ID is included automatically where appropriate (for example, in the log files).
Enter a password for the root user.
From the Database version drop-down menu, select a database version.
In the Choose region and zonal availability section, select the region and zone for your instance. Place your instance in the same region as the resources that access it. The region you select can't be modified in the future. Usually, you don't need to specify a zone.
Note: If there's a resource location constraint on your organization policy, then you must select one of the regions that the organization policy allows. If a constraint exists, then a message appears about the constraint. Learn more.
In the Customize your instance section, click Show Configuration Options, and then expand Flags.
Click Add Flag.
From the Choose a flag drop-down menu, select the cloudsql_iam_authentication flag. Make sure that On is selected as the value for this flag, and then click Done.
Configure other instance settings, as needed. For more information about settings, see Settings.
Click Create Instance.

gcloud

Run gcloud sql instances create with the -database-flags parameter set to cloudsql_iam_authentication=on.

Replace the following:

INSTANCE_NAME: The name of the new instance.
MYSQL_VERSION: The MySQL version (such as MYSQL_5_7 or MYSQL_8_0).
Note: This feature does not support MYSQL_5_6.
NUMBER_OF_CORES: The number of cores in the machine.
AMOUNT_OF_MEMORY: The amount of memory in the machine. A size unit should be provided (such as, 3072MiB or 9GiB).
ZONE: Preferred Compute Engine zone (such as us-central1-a, or us-central1-b).
PASSWORD: Create a password for the root user.

gcloud sql instances create INSTANCE_NAME \
--database-version=MYSQL_VERSION \
--cpu=NUMBER_OF_CORES \
--memory=AMOUNT_OF_MEMORY \
--zone=ZONE_NAME \
--root-password=PASSWORD \
--database-flags=cloudsql_iam_authentication=on

REST v1beta4

Do not include sensitive or personally identifiable information in your instance name; it is externally visible.

You do not need to include the project ID in the instance name. The project ID is included automatically where appropriate (for example, in the log files).

Before using any of the request data, make the following replacements:

instance-id: The desired instance ID
region: The desired region, such as us-east-1
project-id: Your project ID
location-id: The location ID
database-version: Enum string of the database version. For example: MYSQL_8_0
password: The password for the root user
machine-type: Enum string of the machine (tier) type, as: db-custom-[CPUS]-[MEMORY_MBS]

HTTP method and URL:

POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/locations/location-id/instances

Request JSON body:

{
  "name": "instance-id",
  "region": "region",
  "databaseVersion": "database-version",
  "rootPassword": "password",
  "settings": {
    "tier": "machine-type",
    "backupConfiguration": {
      "enabled": true
    },
    "databaseFlags": [
      {
        "name": "cloudsql_iam_authentication",
        "value": "on"
      }
    ]
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/locations/location-id/instances"

PowerShell (Windows)

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/locations/location-id/instances" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-01T19:13:21.834Z",
  "operationType": "CREATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

To see how the underlying REST API request is constructed for this task, see the APIs Explorer on the instances:insert page.

Configure existing instances for Cloud SQL IAM database authentication

To configure IAM database authentication on an existing instance:

Console

In the Google Cloud console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
To open the Overview page of an instance, click the instance name.
Click Edit.
In the Customize your instance section, expand Flags.
Click Add Flag.
From the Choose a flag drop-down menu, select the cloudsql_iam_authentication flag. Make sure that On is selected as the value for this flag, and then click Done.
Configure other instance settings, as needed. For more information about settings, see Settings.
Click Save.

gcloud

For information about installing and getting started with the gcloud CLI, see Install the gcloud CLI. For information about starting Cloud Shell, see Use Cloud Shell.

For this procedure, use gcloud sql instances patch.

Replace the following:

INSTANCE_NAME: The name of the new instance.

gcloud sql instances patch INSTANCE_NAME \
--database-flags=cloudsql_iam_authentication=on

This resets all other existing database flag settings. For further guidance on setting database flags, see Set a database flag.

REST v1beta4

Before using any of the request data, make the following replacements:

project-id: Your project ID
location-id: The location ID
instance-id: The desired instance ID
region: The desired region
database-version: Enum string of the database version. For example: MYSQL_8_0
password: The password for the root user
machine-type: Enum string of the machine (tier) type, as: db-custom-[CPUS]-[MEMORY_MBS]

HTTP method and URL:

POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/locations/location-id/instances

Request JSON body:

{
  "name": "instance-id",
  "region": "region",
  "databaseVersion": "database-version",
  "rootPassword": "password",
  "settings": {
    "tier": "machine-type",
    "backupConfiguration": {
      "enabled": true
    }
    "databaseFlags":
    [
      {
        "name": "cloudsql_iam_authentication",
        "value": "on"
      }
    ]
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/locations/location-id/instances"

PowerShell (Windows)

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/locations/location-id/instances" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-01T19:13:21.834Z",
  "operationType": "CREATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

What's next

Learn more about IAM database authentication.
Learn how to configure read replica logins for IAM database authentication.
Learn how to create users and service accounts that use Cloud SQL IAM database authentication.
Learn how to add an IAM policy binding to a user or service account.
Learn how to log in to a Cloud SQL database using IAM database authentication.
Learn how to manage users and service accounts for IAM database authentication.