This page describes how users and service accounts can log in to Cloud SQL databases using Cloud SQL IAM database authentication. For more information, see Cloud SQL IAM database authentication.
Before you begin
- Configure an instance to use IAM database authentication. For more information, see Configure new instances for IAM database authentication.
- Add an IAM user or service account to the database. For more information, see Add an IAM user or service account to the database.
- Add the
roles/cloudsql.instanceUserIAM role on your user account to perform this task. It is a predefined role that contains the necessary Cloud SQL IAM permission
cloudsql.instances.login. You need this permission to log in to a database instance.
Log in with manual IAM database authentication
A user or an application can authenticate to the database using IAM by manually requesting an access token from Google Cloud and presenting it to the database. Using the gcloud, you can explicitly request an OAuth 2.0 token with the Cloud SQL Admin API scope that is used to log in to the database. When you log in as a database user with manual IAM database authentication, you use your email address as the username and the access token as the password. You can use this method with either a direct connection to the database or with a Cloud SQL connector.
In this procedure, you authenticate to Google Cloud, request an access token, and then connect to the database by passing in the token as the password for the IAM database user. Use these steps to connect without the Cloud SQL Auth proxy.
For these steps, you must:
- Use the
- Connect using SSL. See Connect to your Cloud SQL instance using SSL for more information about creating and downloading SSL certificate files.
Run the commands within the VPC for private IP.
To use the gcloud to generate this token and log in:
Authenticate to Google Cloud.
Request the access token and log in with a client.
Replace the following:
- HOSTNAME: The IP address of the instance.
- USERNAME: For an IAM user account, this is the
user's email address, without the
@or domain name. For example, for
test-user. For a service account, this is the service account's email address without the
MYSQL_PWD=`gcloud sql generate-login-token` mysql --enable-cleartext-plugin
- Learn more about IAM database authentication.
- Learn how to enable and view login information in audit logs.
- Learn how to create users and service accounts that use Cloud SQL IAM database authentication.
- Learn how to add an IAM policy binding to a user or service account.
- Learn how to manage users and service accounts for IAM database authentication.