This page describes how users and service accounts can log in to Cloud SQL databases using Cloud SQL IAM database authentication. For more information, see IAM authentication.
Before you begin
- Configure the instance to use IAM database authentication. For more information, see Configure new instances for IAM database authentication.
- Add an IAM user, service account, or group to the database. For more information, see Add an IAM user or service account to the database and Add a group to the database.
- Add the
roles/cloudsql.instanceUser
IAM role to your IAM user, service account, or group. It's a predefined role that contains the necessary Cloud SQL IAMcloudsql.instances.login
permission. You need this permission to login to a database instance with IAM database authentication. For more information, see Roles and permissions. When an IAM user is added to a database, the new database user has no privileges to any database by default. You need to use the
GRANT
command to give the IAM database user any required permissions. For more information, see Grant database privileges to the IAM User and Grant database privileges to a group.If you're using IAM group authentication, then the IAM user or service account must be a member of a group that has been granted an IAM role or permissions to log in to the Cloud SQL instance. Cloud SQL creates an account after the user or service account logs in to the instance for the first time.
Log in with automatic IAM database authentication
You can configure a Cloud SQL connector to automatically handle authentication to the Cloud SQL instance on behalf of a user or an application. Connectors include the Cloud SQL Auth Proxy, the Go connector, the Java connector, and the Python connector, all of which support automatic IAM database authentication. When using a Cloud SQL connector with automatic IAM database authentication, the IAM account that you use to start the connector must be the same account that authenticates to the database.
To log in using automatic IAM database authentication:
Cloud SQL Auth Proxy
Authenticate to Google Cloud.
User
Authenticate to Google Cloud using Application Default Credentials (ADC).
Use the
gcloud auth application-default login
command. For more information, see Set up Application Default Credentials.Service account
To authenticate to Google Cloud using ADC with a service account, you can use service account impersonation or set up a service account key. If you want to authenticate with service account impersonation, replace SERVICE_ACCOUNT_EMAIL_ADDRESS, and run the following command:
gcloud auth application-default login --impersonate-service-account SERVICE_ACCOUNT_EMAIL_ADDRESS
For more information, see Set up Application Default Credentials.
Start the Cloud SQL Auth Proxy with the
--auto-iam-authn
flag Replace INSTANCE_CONNECTION_NAME with the connection string used to identify the Cloud SQL instance. If you are using a port other than the default MySQL port, then specify the port number. For more information on how to find and construct this string, see Options for authenticating the Cloud SQL Auth Proxy../cloud-sql-proxy --auto-iam-authn INSTANCE_CONNECTION_NAME
For more information on how to start the proxy, see Start the Cloud SQL Auth Proxy.
When you are ready to connect to the instance by using the Cloud SQL Auth Proxy, log in with the
mysql
client. Replace the following:- HOSTNAME: IP address used by the Cloud SQL Auth Proxy. By default,
the Cloud SQL Auth Proxy uses the localhost address of
127.0.0.1
, but you can assign a different IP address when you start the Cloud SQL Auth Proxy. - USERNAME: For an IAM user account,
this is the user's email address, without the
@
symbol or domain name. For example, fortest-user@example.com
, entertest-user
. For a service account, this is the service account's email address without the@project-id.iam.gserviceaccount.com
suffix. - PORT_NUMBER: Optional. If you specified a different port in the instance connection string, then specify that port number.
Run the following command:
mysql --host=HOSTNAME \ --user=USERNAME \ --port=PORT_NUMBER
For more information on how to connect to the Cloud SQL Auth Proxy, see Connect with the mysql client.
- HOSTNAME: IP address used by the Cloud SQL Auth Proxy. By default,
the Cloud SQL Auth Proxy uses the localhost address of
Go
Java JDBC
Java R2DBC
Python
Log in with manual IAM database authentication
A user or an application can authenticate to the database using IAM by manually requesting an access token from Google Cloud and presenting it to the database. Using the gcloud CLI, you can explicitly request an OAuth 2.0 token with the Cloud SQL Admin API scope that is used to log in to the database. When you log in as a database user with manual IAM database authentication, you use your email address as the username and the access token as the password. You can use this method with either a direct connection to the database or with a Cloud SQL connector.
In this procedure, you authenticate to Google Cloud, request an access token, and then connect to the database by passing in the token as the password for the IAM database user. Use these steps to connect without the Cloud SQL Auth Proxy.
For these steps, you must:
- Use the --enable-cleartext-plugin
mysql
option. - If you are connecting to an instance with public IP, authorize external access to the instance. For more information, see Authorize your machine's IP address for public IP.
- If you are connecting to an instance with private IP, run the command within the Virtual Private Cloud (VPC) network.
- Use the
gcloud sql generate-login-token
command to generate your authentication token.
To log in using manual IAM database authentication:
gcloud
Authenticate to Google Cloud.
User
Authenticate to IAM using
gcloud auth login
. For more information, see Authorize with a user account.Service account
Authenticate to IAM using
gcloud auth activate-service-account
. For more information, see Authorize with a service account.Request the access token, and log in with a client.
Replace the following:
- HOSTNAME: The IP address of the instance, either the public IP address or private IP address.
- USERNAME: For an IAM user account, this is the
user's email address, without the
@
symbol or domain name. For example, fortest-user@example.com
, entertest-user
. For a service account, this is the service account's email address without the@project-id.iam.gserviceaccount.com
suffix.
MYSQL_PWD=`gcloud sql generate-login-token` \ mysql --enable-cleartext-plugin \ --ssl-mode=REQUIRED \ --host=HOSTNAME \ --user=USERNAME
If
ssl_mode
on your Cloud SQL instance is configured toTRUSTED_CLIENT_CERTIFICATE_REQUIRED
, then include a client certificate and client key when you log in. In addition, to let the client verify the server's identity for mutual authentication, specify the server certificateserver-ca.pem
. For example:MYSQL_PWD=`gcloud sql generate-login-token` \ mysql --enable-cleartext-plugin \ --ssl-mode=VERIFY_CA \ --ssl-ca=server-ca.pem \ --ssl-cert=client-cert.pem \ --ssl-key=client-key.pem \ --host=HOSTNAME \ --user=USERNAME
For information on how to create a client certificate and key, see Client certificates.
What's next
- Learn more about IAM database authentication.
- Learn how to enable and view login information in audit logs.
- Learn how to create users and service accounts that use Cloud SQL IAM database authentication.
- Learn how to add an IAM policy binding to a user or service account.
- Learn how to manage users and service accounts for IAM database authentication.