This page discusses the two levels of access control for Cloud SQL instances. You must configure both levels of access control before you can manage your instance.
Levels of access control
Configuring access control for an instance is about controlling who or what can access the instance. Access control occurs on two levels:
- Instance-level access
  - Instance-level access authorizes access to your Cloud SQL instance from an application or client (running on App Engine or externally) or another Google Cloud service, such as Compute Engine.
- Database access
  - Database access uses the MySQL Access Privilege System to control which MySQL users have access to the data in your instance.
How you configure instance-level access depends on where you are connecting from, and whether you are connecting to a First Generation or Second Generation instance:
|Connection source|First Generation instance|Second Generation instance|More information|
|---|---|---|---|
|Compute Engine|Authorize static IP address|||
|App Engine standard environment|Authorize Application ID|||
|App Engine flexible environment|Not supported|||
||Authorize client IP address|||
|External applications|Authorize client IP address|||
|Google Kubernetes Engine||||
After a connection to an instance has been negotiated, the user or application must log in to the database instance with a user account. You create and manage user accounts as part of managing your Cloud SQL instance. You must set up the default user (root) when you create an instance, but you can also create more users to give you finer-grained control over access to your Cloud SQL instance. For more information, see MySQL Users and Configuring the default user account.
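One way to apply the finer-grained control described above, as an added example that is not from the original page: two accounts scoped to a single schema and a single client address, followed by audit queries against the MySQL privilege tables. The schema name `appdb`, the account names, the 203.0.113.x addresses and the password strings are constructed placeholders.

```sql
-- Added example. Database, account names, addresses and passwords are
-- constructed placeholders. Run as the default user (root).

CREATE DATABASE IF NOT EXISTS appdb;

-- Application account: data manipulation on one schema only, accepted
-- from one client address (documentation-range placeholder).
CREATE USER 'app_rw'@'203.0.113.10'
  IDENTIFIED BY 'REPLACE_WITH_GENERATED_SECRET_1';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON appdb.* TO 'app_rw'@'203.0.113.10';

-- Reporting account: read-only on the same schema, from a different address.
CREATE USER 'report_ro'@'203.0.113.20'
  IDENTIFIED BY 'REPLACE_WITH_GENERATED_SECRET_2';
GRANT SELECT ON appdb.* TO 'report_ro'@'203.0.113.20';

-- Confirm what each account actually holds.
SHOW GRANTS FOR 'app_rw'@'203.0.113.10';
SHOW GRANTS FOR 'report_ro'@'203.0.113.20';

-- Audit 1: accounts that are broader than intended at the global level:
-- any-host accounts, anonymous accounts, or accounts with global
-- GRANT OPTION / SUPER / FILE.
SELECT User,
       Host,
       (Host = '%') AS any_host,
       (User = '')  AS anonymous,
       Grant_priv,
       Super_priv,
       File_priv
FROM   mysql.user
WHERE  Host = '%'
   OR  User = ''
   OR  Grant_priv = 'Y'
   OR  Super_priv = 'Y'
   OR  File_priv  = 'Y'
ORDER  BY User, Host;

-- Audit 2: schema-level grants, to spot accounts that can drop objects
-- or re-grant their privileges on a schema they should only read or write.
SELECT User, Host, Db,
       Select_priv, Insert_priv, Update_priv, Delete_priv,
       Drop_priv, Grant_priv
FROM   mysql.db
ORDER  BY Db, User, Host;
```

The host part of each account only narrows which clients may log in as that user; the client still has to be authorized at the instance level first.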
- Learn more about how Cloud SQL works with MySQL users.
- Learn more about the MySQL Access Privilege System.
- Learn more about your options for connecting from an external application.
- Learn about controlling who can manage your Google Cloud Platform project.