Instance access control

This page discusses the two levels of access control for Cloud SQL instances. You must configure both levels of access control before you can manage your instance.

Levels of access control

Configuring access control involves controlling who or what can access the instance. Access control occurs on two levels:

Instance-level access
  Instance-level access authorizes access to your Cloud SQL instance from an application or client (running on App Engine or externally) or from another Google Cloud service, such as Compute Engine.
Database access
  Database access uses the MySQL Access Privilege System to control which MySQL users have access to the data in your instance.

Instance-level access

Configuring instance-level access depends on the connection source:

Each connection source is listed with its configuration methods:

Compute Engine
  • Cloud SQL Proxy
  • Authorize static IP address
App Engine standard environment
  • Same project: preconfigured
  • Between projects: configure IAM
App Engine flexible environment
  • Same project: preconfigured
  • Between projects: configure IAM
mysql client
  • Cloud SQL Proxy
  • Authorize client IP address
External applications
  • Cloud SQL Proxy
  • Authorize client IP address
Cloud Functions
  • A Cloud SQL instance set up with a public IP.
  • Between projects: also configure IAM
Cloud Run
  • A Cloud SQL instance set up with a public IP.
  • Between projects: also configure IAM
Google Kubernetes Engine
  • Private IP or Cloud SQL Proxy
  • If Public IP, Cloud SQL Proxy is required
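
An added example, not part of the Cloud SQL documentation: a check for the "authorize IP address" method listed above that flags overly broad authorized networks in the JSON printed by `gcloud sql instances describe INSTANCE --format=json`. The sample instance is constructed, and the /24 threshold and the function name are assumptions chosen for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of `gcloud sql instances describe --format=json`
# (Cloud SQL Admin API field names); instance and network names are made up.
SAMPLE_INSTANCE = json.loads("""
{"name": "example-instance", "settings": {"ipConfiguration": {
  "ipv4Enabled": true,
  "authorizedNetworks": [
    {"name": "office", "value": "203.0.113.10/32"},
    {"name": "vendor", "value": "198.51.100.0/22"},
    {"name": "temp-debug", "value": "0.0.0.0/0"}
  ]}}}
""")


def audit_authorized_networks(instance, min_prefix=24):
    """Return (severity, network name, reason) findings for one instance.

    min_prefix is an assumed policy: ranges wider than this are reported.
    """
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    if not ip_cfg.get("ipv4Enabled"):
        return []  # no public IP, so nothing is reachable via authorized networks
    findings = []
    for entry in ip_cfg.get("authorizedNetworks", []):
        name = entry.get("name", "")
        try:
            # strict=False accepts a bare address or a CIDR with host bits set
            net = ipaddress.ip_network(entry["value"], strict=False)
        except (KeyError, ValueError):
            findings.append(("HIGH", name, "unparseable entry"))
            continue
        if net.prefixlen == 0:
            findings.append(("HIGH", name, "open to every address"))
        elif net.prefixlen < min_prefix:
            findings.append(("MEDIUM", name, f"range wider than /{min_prefix}"))
    return findings


if __name__ == "__main__":
    for severity, name, reason in audit_authorized_networks(SAMPLE_INSTANCE):
        print(f"{severity:6} {name}: {reason}")
```

An entry that passes this check still only restricts the network path; the connection must also log in with a database user account, as the next section describes.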

Database access

After a connection to an instance has been negotiated, the user or application must log in to the database instance with a user account. You create and manage user accounts as part of managing your Cloud SQL instance.

You must set up the default user (root) when you create an instance, but you can also create more users to give you finer-grained control over access to your Cloud SQL instance. For more information, see MySQL users and Configuring the default user account.
