About MySQL users

This page describes how Cloud SQL works with MySQL users. MySQL user accounts provide security by controlling access to MySQL databases.

For complete documentation about MySQL users, see the MySQL documentation. For information about creating and managing Cloud SQL users, see Creating and Managing Users.

Why you need MySQL user accounts

MySQL user accounts enable you to log in to and administer your Cloud SQL instance. User accounts are also required for applications to access your instance.

Superuser restrictions

In Cloud SQL, customers cannot create or access users with superuser attributes.

Because Cloud SQL for MySQL is a managed service, it restricts access to certain system procedures and tables.

Data Manipulation Language (DML) and Data Definition Language (DDL) privileges are restricted on some schema tables.

Here's the list of MySQL 5.6 system tables in the mysql schema that require write permissions: audit_log_rules_expanded, audit_log_supported_ops, audit_log_rules, cloudsql_replica_index, db, event, func, heartbeat, plugin, proc, user, and tables_priv.

For MySQL 5.7, here's the list: audit_log_rules_expanded, audit_log_supported_ops, audit_log_rules, cloudsql_replica_index, db, event, func, gtid_executed, heartbeat, plugin, proc, user, and tables_priv.

For related information about MySQL 8.0, see MySQL 8.0 user privileges (cloudsqlsuperuser).

MySQL user account format

MySQL user accounts have two components: a user name and a host name. The user name identifies the user, and the host name specifies what hosts that user can connect from. The user name and host name are combined to create a user account:

'<user_name>'@'<host_name>'

You can specify a specific IP address or address range for host name, or use the percent character ("%") to leave the host name unrestricted. Note that if you connect to your instance using IP addresses, you must add your client IP address as an Authorized Address, even if your user's host name is unrestricted.

User accounts are defined by both the user name and the host name. For example, 'user'@'%' is a different user account than 'user'@'localhost'.

Default MySQL user

Upon creation, MySQL instances have one default user account: 'root'@'%'. You use this account to connect to and manage the database instance for the first time. The default user has all database privileges except for SUPER and FILE. In Cloud SQL, you can't rename 'root'@'%'.

The default for root'@'% is no password, and MySQL does not require you to use a password for root'@'%. However, because root'@'% exists on most MySQL installations, the root'@'% user is a common target for unauthorized access. Any person or program that gains access to your instance has almost unlimited access to, and control over, your instance and data. For this reason, we recommend you configure your root'@'% user with a strong password or delete this user. For help with configuring the default user account, see Configure the default user account.

System users

There are seven system users:

  • root@localhost, root@127.0.0.1, root@::1

    Used to provide the managed database service.

  • cloudsqlreplica@%

    Used as a replication user for replicas.

  • cloudsqlimport@localhost

    Used for data imports.

  • cloudsqlexport@localhost

    Used for data exports.

  • cloudsqloneshot

    Used for other database operations.

  • cloudsqlapplier@localhost

    Used for replication operations in external server replica or cross major version replication.

  • cloudsqlobservabilityadmin

    Used for database observability.

You cannot delete or modify these users.

Other MySQL user accounts

You can also create other MySQL user accounts. This is a good practice because it lets you use different MySQL user accounts for different purposes.

You can create a user account with a restricted hostname, or use SQL commands to limit privileges on your user accounts.

For more information about user account names, see the MySQL documentation. To create a new MySQL user, see Create a user.

MySQL 5.6 and 5.7 user privileges

MySQL provides fine-grained privileges you can grant or remove for a user. This enables you to control what a user can do on your instance.

Users created using Cloud SQL have the same privileges as the default MySQL user. You can change their privileges by using the GRANT or REVOKE statements.

When you use the mysql client to create a user, you must explicitly grant that user privileges with the GRANT statement.

For more information about the privileges supported by MySQL, see Privileges Provided by MySQL.

MySQL 8.0 user privileges (cloudsqlsuperuser)

In MySQL 8.0 for Cloud SQL, when you create a new user, the user is automatically granted the cloudsqlsuperuser role. The cloudsqlsuperuser role is a Cloud SQL role that contains a number of MySQL privileges. This role gives the user all of the MySQL static privileges, except for SUPER and FILE.

The cloudsqlsuperuser role only supports the following dynamic privileges based on MySQL 8.0 minor versions:

MySQL 8.0.18

MySQL 8.0.26

MySQL 8.0.27

MySQL 8.0.28

MySQL 8.0.29 (deprecated)

MySQL 8.0.30 and later

The cloudsqlsuperuser role doesn't support any Data Definition Language (DDL) operations on the mysql system database.

To see a complete list of privileges granted to the cloudsqlsuperuser role, execute the SHOW GRANTS statement in the mysql client:

SHOW GRANTS FOR 'cloudsqlsuperuser'

What's next