This page describes how users and service accounts can log in to Cloud SQL databases using Cloud SQL IAM database authentication. For more information, see Overview of Cloud SQL IAM database authentication.
Before you begin
- Configure an instance to use IAM database authentication. For more information, see Configuring new instances for IAM database authentication.
- Add an IAM user or service account to the database. For more information, see Adding an IAM user or service account to the database.
- Add the roles/cloudsql.instanceUser IAM role to your user account to perform this task. It is a predefined role that contains the Cloud SQL IAM permission cloudsql.instances.login, which you need to log in to a database instance.
Logging in with manual IAM database authentication
A user or an application can authenticate to the database using IAM by manually requesting an access token from Google Cloud and presenting it to the database. Using the Cloud SDK, you can explicitly request an OAuth 2.0 token with the Cloud SQL API scope that is used to log in to the database. When you log in as a database user with manual IAM database authentication, you use the database username derived from the IAM principal's email address as the username and the access token as the password. The token is a short-lived bearer credential (it expires after about an hour), so treat it like a password: request a fresh one for each login rather than storing it. You can use this method with either a direct connection to the database or with a Cloud SQL connector.
In these steps, you authenticate to Google Cloud, request an access token, and then connect to the database by passing in the token as the password for the IAM database user.
For these steps, you must:
- Use the
- Connect using SSL. See Connect to your Cloud SQL instance using SSL.
- Run the commands within the VPC for private IP.
To use the Cloud SDK to generate this token and log in:
1. Authenticate to Google Cloud.
2. Request the access token and log in with a client. The token is handed to the mysql client as the password through the MYSQL_PWD environment variable. The --enable-cleartext-plugin option is required because the token is sent as a cleartext password inside the MySQL protocol, which is why the connection must use SSL; the command below assumes the server CA, client certificate and client key you downloaded when configuring SSL are saved as server-ca.pem, client-cert.pem and client-key.pem.

```shell
MYSQL_PWD=`gcloud auth print-access-token` mysql --enable-cleartext-plugin \
    --ssl-ca=server-ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem \
    --host=HOSTNAME --user=USERNAME
```

Replace the following:
- HOSTNAME: The IP address of the instance.
- USERNAME: For an IAM user account, this is the user's email address, without the @ or domain name. For example, test-user. For a service account, this is the service account's email address without the
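The login procedure above, wrapped in a script, as an added example that is not code from the Cloud SQL documentation. It assumes gcloud and the mysql client are installed, that the caller supplies the instance IP, the IAM principal's email address and the three SSL files, and it derives the MySQL username from the email address the same way for users and service accounts (the part before @). The function names iam_db_username, require_tls_files and cloudsql_iam_login are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Cloud SQL documentation: wrap the manual
# IAM database authentication login in a script. Assumes gcloud and the mysql
# client are installed and that the caller supplies the instance IP, the IAM
# principal's email address and the three TLS files.
set -eu

# The MySQL username for an IAM principal is the part of its email address
# before '@' (user test-user@example.com -> test-user; service account
# sa-name@my-project.iam.gserviceaccount.com -> sa-name).
iam_db_username() {
  case "$1" in
    ?*@?*) printf '%s\n' "${1%%@*}" ;;
    *) printf 'not an email address: %s\n' "$1" >&2; return 1 ;;
  esac
}

# --enable-cleartext-plugin sends the token as a plain password inside the
# MySQL protocol, so never connect without TLS: insist that all three files
# exist before a token is even requested.
require_tls_files() {
  for f in "$1" "$2" "$3"; do
    if [ ! -r "$f" ]; then
      printf 'missing TLS file: %s\n' "$f" >&2
      return 1
    fi
  done
}

# Usage: cloudsql_iam_login HOSTNAME PRINCIPAL_EMAIL SERVER_CA CLIENT_CERT CLIENT_KEY
cloudsql_iam_login() {
  host="$1"; principal="$2"; ca="$3"; cert="$4"; key="$5"
  user=$(iam_db_username "$principal")
  require_tls_files "$ca" "$cert" "$key"
  # Refuse to continue without an active gcloud account; a missing login would
  # otherwise surface as an opaque "access denied" from MySQL.
  if [ -z "$(gcloud auth list --filter=status:ACTIVE --format='value(account)')" ]; then
    printf 'no active gcloud account; run: gcloud auth login\n' >&2
    return 1
  fi
  # The access token is a short-lived bearer credential (about one hour).
  # Request a fresh one per login and hand it over through the environment,
  # not on the command line, so it is not exposed in ps output or history.
  token=$(gcloud auth print-access-token)
  [ -n "$token" ] || { printf 'gcloud returned an empty access token\n' >&2; return 1; }
  MYSQL_PWD="$token" mysql --enable-cleartext-plugin \
    --ssl-ca="$ca" --ssl-cert="$cert" --ssl-key="$key" \
    --host="$host" --user="$user"
}

# Run the login only when invoked with all five arguments, so the functions
# can also be sourced from another script.
if [ "$#" -eq 5 ]; then
  cloudsql_iam_login "$@"
fi
```

Invoke it as `./login.sh 10.1.2.3 test-user@example.com server-ca.pem client-cert.pem client-key.pem`. The token is passed through MYSQL_PWD rather than on the command line deliberately: a token on argv is visible to every process on the host and ends up in shell history, while the environment of a process is readable only by the same user (or root).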
- Learn more about IAM database authentication.
- Learn how to enable and view login information in audit logs.
- Learn how to create users and service accounts that use Cloud SQL IAM database authentication.
- Learn how to add an IAM policy binding to a user or service account.
- Learn how to manage users and service accounts for IAM database authentication.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2021-11-19 UTC.