This page describes how built-in authentication works on Cloud SQL instances and how database administrators can set password policies for local database users.
Introduction
Authentication is the process of verifying the identity of a user who is attempting to access an instance. Cloud SQL uses the following types of authentication for database users:
- The database's built-in authentication uses a username and a password to authenticate local database users. The current page describes this type of authentication.
- IAM database authentication uses IAM to authenticate a user. For more information, see Overview of Cloud SQL IAM database authentication.
Although IAM database authentication is more secure and reliable, you might prefer to use built-in authentication or a hybrid authentication model that includes both authentication types.
You might create and manage local users within a database to allow specific people or applications to access it. Such database users own the objects they create in the database. Cloud SQL offers strong built-in password enforcement. You can define and enable such enforcement through password policies.
Instance password policies
You can set a password policy at the instance level when you create an instance.
A password policy for an instance can include the following options:
- Minimum length: Specifies the minimum number of characters that the password must have.
- Password complexity: Checks if the password is a combination of lowercase, uppercase, numeric, and non-alphanumeric characters.
- Restrict password reuse: Specifies the number of previous passwords that you can't reuse.
- Disallow username: Prevents the use of the username in the password.
- Set password change interval: Specifies the minimum duration after which you can change the password.
You need to explicitly enable a password policy at the instance level. You can modify it later by editing the instance.
Cloud SQL built-in authentication for read replicas
You manage password policies for replicas on the primary instance. You can't separately modify password policies for read replicas.
When you promote an instance, you need to re-enable the instance password policy, along with the policy options.
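The following added example (not part of the original page, and not Google's own code) audits instance settings against the policy options listed above and flags instances whose policy is missing or not enabled, the state to look for after a promotion. The field names are assumed to match the Cloud SQL Admin API `passwordValidationPolicy` object, the instance data is constructed, and the baseline thresholds are illustrative assumptions.

```python
import json

# Assumed organisational baseline (not from the Cloud SQL documentation).
BASELINE = {"minLength": 12, "reuseInterval": 5}

# Constructed sample shaped like `gcloud sql instances describe --format=json` output.
# Field names are assumed to follow the Admin API passwordValidationPolicy object.
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "orders-primary", "settings": {"passwordValidationPolicy": {
     "enablePasswordPolicy": true, "minLength": 14, "reuseInterval": 5,
     "complexity": "COMPLEXITY_DEFAULT", "disallowUsernameSubstring": true}}},
  {"name": "orders-promoted", "settings": {}},
  {"name": "legacy-db", "settings": {"passwordValidationPolicy": {
     "enablePasswordPolicy": false, "minLength": 14, "reuseInterval": 5,
     "complexity": "COMPLEXITY_DEFAULT", "disallowUsernameSubstring": true}}},
  {"name": "reports", "settings": {"passwordValidationPolicy": {
     "enablePasswordPolicy": true, "minLength": 8, "reuseInterval": 1}}}
]
""")

def audit_instance(instance, baseline=BASELINE):
    """Return a list of findings for one instance; an empty list means compliant."""
    policy = instance.get("settings", {}).get("passwordValidationPolicy")
    if not policy:
        return ["no password policy configured"]
    findings = []
    # The policy must be explicitly enabled; check the switch before the options.
    if not policy.get("enablePasswordPolicy", False):
        findings.append("policy options present but policy not enabled")
    if policy.get("minLength", 0) < baseline["minLength"]:
        findings.append(f"minLength below {baseline['minLength']}")
    if policy.get("complexity") != "COMPLEXITY_DEFAULT":
        findings.append("complexity check not enabled")
    if policy.get("reuseInterval", 0) < baseline["reuseInterval"]:
        findings.append(f"reuseInterval below {baseline['reuseInterval']}")
    if not policy.get("disallowUsernameSubstring", False):
        findings.append("username allowed in password")
    return findings

def audit(instances):
    """Map instance name to findings, for non-compliant instances only."""
    report = {i["name"]: audit_instance(i) for i in instances}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit(SAMPLE_INSTANCES).items():
        print(f"{name}: {'; '.join(found)}")
```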