This page describes how Cloud SQL works with MySQL users. MySQL user accounts provide security by controlling access to MySQL databases.
Why you need MySQL user accounts
MySQL user accounts enable you to log in to and administer your Cloud SQL instance. User accounts are also required for applications to access your instance.
Because Cloud SQL for MySQL is a managed service, it restricts access to certain system procedures and tables that require advanced privileges. In Cloud SQL, customers cannot create or have access to users with superuser attributes.
MySQL user account format
MySQL user accounts have two components: a user name and a host name. The user name identifies the user, and the host name specifies what hosts that user can connect from. The user name and host name are combined to create a user account:
You can specify a specific IP address or address range for the host name, or use the percent character ("%") to leave the host name unrestricted. Note that if you connect to your instance using IP addresses, you must add your client IP address as an Authorized Address, even if your user's host name is unrestricted.
User accounts are defined by both the user name and the host name. For
'user'@'%' is a different user account than
Default MySQL user
Upon creation, MySQL instances have one default user account: 'root'@'%'. You use this account to connect to and manage the database instance for the first time. The default user has all database privileges except for
FILE. In Cloud SQL, you
The default for 'root'@'%' is no password, and MySQL does not require you to use a password for 'root'@'%'. However, because 'root'@'%' exists on most MySQL
'root'@'%' user is a common target for unauthorized access. Any person or program that gains access to your instance has almost unlimited access to, and control over, your instance and data. For this reason, we recommend you configure your 'root'@'%' user with a strong password or delete this user. For help with configuring the default user account, see Configure the default user account.
There are seven system users:
Used to provide the managed database service.
Used as a replication user for replicas.
Used for data imports.
Used for data exports.
Used for other database operations.
You cannot delete or modify these users.
Other MySQL user accounts
You can also create other MySQL user accounts. This is a good practice because it lets you use different MySQL user accounts for different purposes.
You can create a user account with a restricted hostname, or use SQL commands to limit privileges on your user accounts.
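The following SQL is an added example, not part of the original page: it audits accounts for the risks described above (unrestricted host name, no password), then creates two purpose-specific accounts with restricted host names and limited privileges. The database name appdb, the account names, the 10.10.x.x addresses and the password placeholders are hypothetical; the audit query uses the MySQL 5.7 and 8.0 mysql.user column names and assumes the connected account can read that table.

```sql
-- 1. Audit: list accounts that accept connections from any host ('%')
--    or that have no password set (empty authentication_string).
--    Locked accounts are shown so they can be told apart from
--    accounts that can actually log in.
SELECT user,
       host,
       (host = '%')                 AS unrestricted_host,
       (authentication_string = '') AS no_password,
       account_locked
FROM   mysql.user
WHERE  host = '%'
   OR  authentication_string = ''
ORDER  BY user, host;

-- 2. Application account: read/write on one database only, and only
--    from the application subnet (hypothetical 10.10.0.0/24).
CREATE USER 'app_rw'@'10.10.0.%'
  IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD_1';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON appdb.* TO 'app_rw'@'10.10.0.%';

-- 3. Reporting account: read-only, from a single host.
--    Because an account is the user name plus the host name,
--    'report_ro'@'10.10.1.25' is a different account than
--    'report_ro'@'%' would be, with its own password and grants.
CREATE USER 'report_ro'@'10.10.1.25'
  IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD_2';
GRANT SELECT
  ON appdb.* TO 'report_ro'@'10.10.1.25';

-- 4. Verify what each account can actually do. On MySQL 8.0 for
--    Cloud SQL, check this output for the cloudsqlsuperuser role,
--    which this page says new users are granted automatically.
SHOW GRANTS FOR 'app_rw'@'10.10.0.%';
SHOW GRANTS FOR 'report_ro'@'10.10.1.25';
```

Even with a restricted host name, a client connecting by IP address still has to be added as an Authorized Address, as noted in the account format section.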
MySQL 5.6 and 5.7 user privileges
MySQL provides fine-grained privileges you can grant or remove for a user. This enables you to control what a user can do on your instance.
When you use the mysql client to create a user, you must explicitly grant that user privileges with the
For more information about the privileges supported by MySQL, see Privileges Provided by MySQL.
MySQL 8.0 user privileges (
In MySQL 8.0 for Cloud SQL, when you create a new user, the user is automatically granted the cloudsqlsuperuser role. The cloudsqlsuperuser role is a Cloud SQL role that contains a number of MySQL privileges. This role gives the user all of the MySQL static privileges, except for
cloudsqlsuperuser role only supports the following dynamic privileges:
The cloudsqlsuperuser role doesn't support any Data Definition Language (DDL) operations on the mysql system database.
To see a complete list of privileges granted to the
statement in the
SHOW GRANTS FOR 'cloudsqlsuperuser'
- Configure the root user account for your instance.
- Create and manage users.
- Create and manage databases.
- See the MySQL documentation about MySQL users.
- See the MySQL documentation about privileges provided by MySQL.
- Learn about options for connecting to your instance.