This page describes how to configure an instance to use SSL/TLS. You can also learn more about how Cloud SQL uses self-managed SSL/TLS certificates to securely connect to Cloud SQL instances.
Overview
Cloud SQL creates a server certificate (server-ca.pem
) automatically when
you create your instance. We recommend that you
enforce all connections to use SSL/TLS.
You must restart an instance after enforcing SSL for the instance. However, you don't need to restart the instance after changing SSL/TLS certificates. If a restart is required, then this is done automatically during the SSL update event.
Enforce SSL/TLS encryption
Setting up your Cloud SQL instance to accept SSL/TLS connections enables SSL/TLS connections for the instance, but unencrypted and unsecure connections are still accepted. If you do not require SSL/TLS for all connections, clients without a valid certificate are allowed to connect. For this reason, if you are accessing your instance using public IP, it is strongly recommended that you enforce SSL for all connections.When the requiring SSL/TLS option is enabled, you can use either the Cloud SQL Auth proxy or SSL/TLS certificates to connect to your Cloud SQL instance. Using the Cloud SQL Auth proxy doesn't require SSL/TLS Certificates because the connection is encrypted no matter the setting.
To enable requiring SSL/TLS:
Console
-
In the Google Cloud console, go to the Cloud SQL Instances page.
- To open the Overview page of an instance, click the instance name.
- Click Connections from the SQL navigation menu.
- Select the Security tab.
- Click Allow only SSL connections.
gcloud
gcloud sql instances patch INSTANCE_NAME --require-ssl
Terraform
To enforce SSL/TLS encryption, use a Terraform resource:
Apply the changes
To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.
Prepare Cloud Shell
- Launch Cloud Shell.
-
Set the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Environment variables are overridden if you set explicit values in the Terraform configuration file.
Prepare the directory
Each Terraform configuration file must have its own directory (also called a root module).
-
In Cloud Shell, create a directory and a new
file within that directory. The filename must have the
.tf
extension—for examplemain.tf
. In this tutorial, the file is referred to asmain.tf
.mkdir DIRECTORY && cd DIRECTORY && touch main.tf
-
If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly created
main.tf
.Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
- Review and modify the sample parameters to apply to your environment.
- Save your changes.
-
Initialize Terraform. You only need to do this once per directory.
terraform init
Optionally, to use the latest Google provider version, include the
-upgrade
option:terraform init -upgrade
Apply the changes
-
Review the configuration and verify that the resources that Terraform is going to create or
update match your expectations:
terraform plan
Make corrections to the configuration as necessary.
-
Apply the Terraform configuration by running the following command and entering
yes
at the prompt:terraform apply
Wait until Terraform displays the "Apply complete!" message.
- Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.
Delete the changes
To delete your changes, do the following:
- To disable deletion protection, in your Terraform configuration file set the
deletion_protection
argument tofalse
.deletion_protection = "false"
- Apply the updated Terraform configuration by running the following command and
entering
yes
at the prompt:terraform apply
-
Remove resources previously applied with your Terraform configuration by running the following command and entering
yes
at the prompt:terraform destroy
REST v1
-
Before using any of the request data, make the following replacements:
- project-id: The project ID
- instance-id: The instance ID
HTTP method and URL:
PATCH https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id
Request JSON body:
{ "settings": { "ipConfiguration": {"requireSsl": "true"} } }
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
REST v1beta4
-
Before using any of the request data, make the following replacements:
- project-id: The project ID
- instance-id: The instance ID
HTTP method and URL:
PATCH https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id
Request JSON body:
{ "settings": { "ipConfiguration": {"requireSsl": "true"} } }
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
Server certificates
Cloud SQL creates a server certificate automatically when you create your instance. As long as the server certificate is valid, you do not need to actively manage your server certificate. However, the certificate has an expiration date of 10 years; after that date, it is no longer valid, and clients are not able to establish a secure connection to your instance using that certificate. You're periodically notified that the server certificate is nearing expiration. The notifications are sent the following number of days before the expiration date: 90, 30, 10, 2, and 1.
You can get information about your server certificate, such as when it was created and when it expires, or manually create a new one.
Console
-
In the Google Cloud console, go to the Cloud SQL Instances page.
- To open the Overview page of an instance, click the instance name.
- Click Connections from the SQL navigation menu.
- Select the Security tab.
- Scroll down to the Manage server certificates section.
You can see the expiration date of your server certificate in the table.
gcloud
- Get information about the service certificate:
gcloud beta sql ssl server-ca-certs list \ --instance=INSTANCE_NAME
- Create a server certificate:
gcloud beta sql ssl server-ca-certs create \ --instance=INSTANCE_NAME
- Download the certificate information to a local PEM file:
gcloud beta sql ssl server-ca-certs list \ --format="value(cert)" \ --instance=INSTANCE_NAME > \ FILE_PATH/FILE_NAME.pem
- Update all of your clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem files.
Terraform
To provide server certificate information as an output, use a Terraform data source:
- Add the following to your Terraform configuration file:
data "google_sql_ca_certs" "ca_certs" { instance = google_sql_database_instance.default.name } locals { furthest_expiration_time = reverse(sort([for k, v in data.google_sql_ca_certs.ca_certs.certs : v.expiration_time]))[0] latest_ca_cert = [for v in data.google_sql_ca_certs.ca_certs.certs : v.cert if v.expiration_time == local.furthest_expiration_time] } output "db_latest_ca_cert" { description = "Latest CA certificate used by the primary database server" value = local.latest_ca_cert sensitive = true }
- To create the
server-ca.pem
file, run the following command:terraform output db_latest_ca_cert > server-ca.pem
Client certificates
Create a new client certificate
You can create up to 10 client certificates for each instance. To create client
certificates you must have the Cloud SQL Admin
IAM role.
Here are some important things to know about client certificates:
- If you lose the private key for a certificate, you must create a new one; the private key cannot be recovered.
- By default, the client certificate has an expiration date of 10 years.
- You are not notified when client certificates are nearing expiration.
Console
-
In the Google Cloud console, go to the Cloud SQL Instances page.
- To open the Overview page of an instance, click the instance name.
- Click Connections from the SQL navigation menu.
- Select the Security tab.
- Click Create client certificate.
- In the Create a client certificate dialog box, add a unique name.
- Click Create.
- In the first section of the New SSL certificate created
dialog box, click Download client-key.pem to download the private
key to a file named
client-key.pem
. - In the second section, click Download client-cert.pem to download
the client certificate to a file named
client-cert.pem
. - In the third section, click Download server-ca.pem to download
the server certificate to a file named
server-ca.pem
. - Click Close.
gcloud
Create a client certificate using the
ssl client-certs create
command:gcloud sql ssl client-certs create CERT_NAME client-key.pem \ --instance=INSTANCE_NAME
Retrieve the public key for the certificate you just created and copy it into the
client-cert.pem
file with thessl client-certs describe
command:gcloud sql ssl client-certs describe CERT_NAME \ --instance=INSTANCE_NAME \ --format="value(cert)" > client-cert.pem
Copy the server certificate into the
server-ca.pem
file using theinstances describe
command:gcloud sql instances describe INSTANCE_NAME \ --format="value(serverCaCert.cert)" > server-ca.pem
Terraform
To create a client certificate, use a Terraform resource:
REST v1
Create an SSL/TLS certificate, giving it a unique name for this instance:
Before using any of the request data, make the following replacements:
- project-id: The project ID
- instance-id: The instance ID
- client-cert-name: The client cert name
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts
Request JSON body:
{ "commonName" : "client-cert-name" }
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
-
Copy all of the certificate contents within the quotation marks (but not the
quotation marks themselves) from the response into local files as follows:
- Copy
serverCaCert.cert
intoserver-ca.pem
. - Copy
clientCert.cert
intoclient-cert.pem
. - Copy
certPrivateKey
intoclient-key.pem
.
- Copy
REST v1beta4
Create an SSL/TLS certificate, giving it a unique name for this instance:
Before using any of the request data, make the following replacements:
- project-id: The project ID
- instance-id: The instance ID
- client-cert-name: The client cert name
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts
Request JSON body:
{ "commonName" : "client-cert-name" }
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
-
Copy all of the certificate contents within the quotation marks (but not the
quotation marks themselves) from the response into local files as follows:
- Copy
serverCaCert.cert
intoserver-ca.pem
. - Copy
clientCert.cert
intoclient-cert.pem
. - Copy
certPrivateKey
intoclient-key.pem
.
- Copy
At this point, you have:
- A server certificate saved as
server-ca.pem
. - A client public key certificate saved as
client-cert.pem
. - A client private key saved as
client-key.pem
.
sslrootcert
,
sslcert
, and sslkey
parameters in the psql
connection string. For an example connection using psql client and SSL/TLS, see
Connecting with psql client.
What's next
- Manage SSL/TLS certificates on your Cloud SQL instance.
- Learn more about how encryption is handled in Google Cloud.
- Connect to your Cloud SQL instance using SSL/TLS certificates.
- Learn more about how PostgreSQL uses SSL/TLS certificates.