This page describes how to add organization policies on Cloud SQL
instances, to put restrictions on Cloud SQL at the project, folder, or
organization level. For an overview, see Cloud SQL organization policies.
Before you begin
Sign in to your Google Cloud account. If you're new to
Google Cloud,
create an account to evaluate how our products perform in
real-world scenarios. New customers also get $300 in free credits to
run, test, and deploy workloads.
In the Google Cloud console, on the project selector page,
select or create a Google Cloud project.
Click projects dropdown menu in the top tab, and then select the project, folder,
or organization that requires the organization policy. The
Organization policies page displays a list of organization policy
constraints that are available.
Filter for the constraint name or display_name.
To disable access to or from the Internet:
name:"constraints/sql.restrictPublicIp"display_name:"Restrict Public IP access on Cloud SQL instances"
To disable access from the internet when IAM authentication is missing
(this does not affect access using Private IP):
name:"constraints/sql.restrictAuthorizedNetworks"display_name:"Restrict Authorized Networks on Cloud SQL instances"
Click projects dropdown menu in the top tab, and then select the project, folder,
or organization that requires the organization policy. The
Organization policies page displays a list of organization policy
constraints that are available.
Filter for the constraint name or display_name.
To put service names in a DENY list to ensure that CMEK is used in the
resources for that service:
name:"constraints/gcp.restrictNonCmekServices"display_name:"Restrict which services may create resources without CMEK"
You must add sqladmin.googleapis.com to the list of restricted services
with Deny.
To put project IDs in an ALLOW list to ensure that only keys from an
instance of Cloud KMS within that project are used for CMEK.
name:"constraints/gcp.restrictCmekCryptoKeyProjects"display_name:"Restrict which projects may supply KMS CryptoKeys for CMEK"
Select the policy Name from the list.
Click Edit.
Click Customize.
Click Add rule.
Under Policy values, click Custom.
For constraints/gcp.restrictNonCmekServices:
a. Under Policy types, select Deny.
b. Under Custom values, enter sqladmin.googleapis.com.
For constraints/gcp.restrictCmekCryptoKeyProjects:
a. Under Policy types, select Allow.
b. Under Custom values, enter the resource using the following format:
under:organizations/ORGANIZATION_ID,
under:folders/FOLDER_ID, or projects/PROJECT_ID.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-14 UTC."],[],[],null,["# Add predefined organization policies\n\n\u003cbr /\u003e\n\nMySQL \\| [PostgreSQL](/sql/docs/postgres/org-policy/configure-org-policy \"View this page for the PostgreSQL database engine\") \\| [SQL Server](/sql/docs/sqlserver/org-policy/configure-org-policy \"View this page for the SQL Server database engine\")\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\nThis page describes how to add organization policies on Cloud SQL\ninstances, to put restrictions on Cloud SQL at the project, folder, or\norganization level. For an overview, see [Cloud SQL organization policies](/sql/docs/mysql/org-policy/org-policy).\n\nBefore you begin\n----------------\n\n- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n [Install](/sdk/docs/install) the [gcloud CLI](/sdk/gcloud).\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n [Install](/sdk/docs/install) the [gcloud CLI](/sdk/gcloud).\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n\n1. Add the **Organization Policy Administrator** role ([`roles/orgpolicy.policyAdmin`](/iam/docs/understanding-roles#organization-policy-roles)) to your user or service account from the **IAM \\& Admin** page.\n\n\n [Go to the IAM accounts page](https://console.cloud.google.com/iam-admin/iam)\n2. See [Restrictions](/sql/docs/mysql/org-policy/org-policy#restrictions) before performing this procedure.\n\n\u003cbr /\u003e\n\nAdd the connection organization policy\n--------------------------------------\n\nFor an overview see [Connection organization policies](/sql/docs/mysql/org-policy/org-policy#connection-organization-policy).\n\nTo add a connection organization policy:\n\n1. Go to the **Organization policies** page.\n\n [Go to the Organization policies page](https://console.cloud.google.com/iam-admin/orgpolicies)\n2. Click projects dropdown menu in the top tab, and then select the project, folder,\n or organization that requires the organization policy. The\n **Organization policies** page displays a list of organization policy\n constraints that are available.\n\n3. Filter for the constraint `name` or `display_name`.\n\n - To disable access to or from the Internet:\n\n name: \"constraints/sql.restrictPublicIp\"\n display_name: \"Restrict Public IP access on Cloud SQL instances\"\n\n - To disable access from the internet when IAM authentication is missing\n (this does not affect access using Private IP):\n\n name: \"constraints/sql.restrictAuthorizedNetworks\"\n display_name: \"Restrict Authorized Networks on Cloud SQL instances\"\n\n4. Select the policy **Name** from the list.\n\n5. Click **Edit**.\n\n6. Click **Customize**.\n\n7. Click **Add rule**.\n\n8. Under **Enforcement** , click **On**.\n\n9. Click **Save**.\n\nAdd the CMEK organization policy\n--------------------------------\n\nFor an overview, see [Customer-managed encryption keys organization policies](/sql/docs/mysql/org-policy/org-policy#cmek-organization-policy).\n\nTo add a CMEK organization policy:\n\n1. Go to the **Organization policies** page.\n\n [Go to the Organization policies page](https://console.cloud.google.com/iam-admin/orgpolicies)\n2. Click projects dropdown menu in the top tab, and then select the project, folder,\n or organization that requires the organization policy. The\n **Organization policies** page displays a list of organization policy\n constraints that are available.\n\n3. Filter for the constraint `name` or `display_name`.\n\n - To put service names in a DENY list to ensure that CMEK is used in the\n resources for that service:\n\n name: \"constraints/gcp.restrictNonCmekServices\"\n display_name: \"Restrict which services may create resources without CMEK\"\n\n You must add `sqladmin.googleapis.com` to the list of restricted services\n with Deny.\n - To put project IDs in an ALLOW list to ensure that only keys from an\n instance of Cloud KMS within that project are used for CMEK.\n\n name: \"constraints/gcp.restrictCmekCryptoKeyProjects\"\n display_name: \"Restrict which projects may supply KMS CryptoKeys for CMEK\"\n\n4. Select the policy **Name** from the list.\n\n5. Click **Edit**.\n\n6. Click **Customize**.\n\n7. Click **Add rule**.\n\n8. Under **Policy values** , click **Custom**.\n\n9. For `constraints/gcp.restrictNonCmekServices`:\n a. Under **Policy types** , select **Deny** .\n b. Under **Custom values** , enter `sqladmin.googleapis.com`.\n\n For `constraints/gcp.restrictCmekCryptoKeyProjects`:\n a. Under **Policy types** , select **Allow** .\n b. Under **Custom values** , enter the resource using the following format:\n `under:organizations/ORGANIZATION_ID`,\n `under:folders/FOLDER_ID`, or `projects/PROJECT_ID`.\n10. Click **Done**.\n\n11. Click **Save**.\n\nWhat's next\n-----------\n\n- Learn about [Organization policies](/sql/docs/mysql/org-policy/org-policy).\n- Learn about how [private IP](/sql/docs/mysql/private-ip) works with Cloud SQL.\n- Learn how to [configure private IP](/sql/docs/mysql/configure-private-ip) for Cloud SQL.\n- Learn about the [organization policy service](/resource-manager/docs/organization-policy/overview).\n- Learn about [organization policy constraints](/resource-manager/docs/organization-policy/understanding-constraints)."]]
