Connecting the psql Client from Compute Engine

This page describes how to use the psql client, installed on a Compute Engine instance, to connect to Cloud SQL.

You can use private IP, public IP, the Cloud SQL Proxy, or the proxy Docker image.

Before you begin

Before you can connect to your Cloud SQL instance, you must have a default database user (postgres) on the instance.

This task does not include instructions for setting up your Compute Engine instance. If you need help with creating and configuring a Compute Engine instance, see the Compute Engine documentation.

Connecting using private IP

To connect to Cloud SQL from a Compute Engine instance using private IP, private services access must be set up for your environment and your Cloud SQL instance must be configured to use private IP. Your Compute Engine instance must be in the same region as your Cloud SQL instance, and on the network configured for a private connection. Learn more.

  1. Configure your instance to use private IP, using the instructions in Configuring Private IP Connectivity.
  2. Open a terminal connection to your Compute Engine instance.

    Use the appropriate instructions, depending on the instance's operating system:

  3. Install the psql client on the Compute Engine instance, if it is not already installed.

    Debian/Ubuntu

    Install the psql client from the package manager:

    sudo apt-get update
    sudo apt-get install postgresql-client
    

    CentOS/RHEL

    Install the psql client from the package manager:

    sudo yum install postgresql
    

    openSUSE

    Install the psql client from the package manager:

    sudo zypper install postgresql
    

    Other platforms

    1. Download the PostgreSQL Core Distribution for your platform from the PostgreSQL Downloads page.
      The Core Distribution includes the psql client.
    2. Install the PostgreSQL database, following the directions on the download page.
  4. Connect with the psql client.
    psql -h [CLOUD_SQL_PRIVATE_IP_ADDR] -U postgres
    

Connecting using a public IP address

  1. Add a static IPv4 IP address to the Compute Engine instance, if it does not already have one. You cannot connect to Compute Engine using IPv6. For information about adding a static IP address, see Reserving a new static external IP address in the Compute Engine documentation.
  2. Authorize the static IP address of the Compute Engine instance as a network that can connect to your Cloud SQL instance.

    For more information, see Configuring access for IP connections.

  3. Open a terminal connection to your Compute Engine instance.

    Use the appropriate instructions, depending on the instance's operating system:

  4. Install the psql client on the Compute Engine instance, if it is not already installed.

    Debian/Ubuntu

    Install the psql client from the package manager:

    sudo apt-get update
    sudo apt-get install postgresql-client
    

    CentOS/RHEL

    Install the psql client from the package manager:

    sudo yum install postgresql
    

    openSUSE

    Install the psql client from the package manager:

    sudo zypper install postgresql
    

    Other platforms

    1. Download the PostgreSQL Core Distribution for your platform from the PostgreSQL Downloads page.
      The Core Distribution includes the psql client.
    2. Install the PostgreSQL database, following the directions on the download page.
  5. Connect with the psql client.
    psql -h [CLOUD_SQL_PUBLIC_IP_ADDR] -U postgres
    

    For an example of how to connect using SSL, see Connecting with SSL.

  6. You should see the psql prompt.

Need help? For help troubleshooting the proxy, see Troubleshooting Cloud SQL Proxy connections. Or, see our Cloud SQL Support page.

Connecting using the Cloud SQL Proxy

  1. Enable the Cloud SQL Admin API.

    Enable the API

  2. Create a service account for the proxy.
    1. Go to the Service accounts page of the Google Cloud Platform Console.

      Go to the Service accounts page

    2. If needed, select the project that contains your Cloud SQL instance.
    3. Click Create service account.
    4. In the Create service account dialog, provide a descriptive name for the service account.
    5. For Role, select one of the following roles:
      • Cloud SQL > Cloud SQL Client
      • Cloud SQL > Cloud SQL Editor
      • Cloud SQL > Cloud SQL Admin

      Alternatively, you can use the primitive Editor role by selecting Project > Editor, but the Editor role includes permissions across Google Cloud Platform.

      If you do not see these roles, your Google Cloud Platform user might not have the resourcemanager.projects.setIamPolicy permission. You can check your permissions by going to the IAM page in the Google Cloud Platform Console and searching for your user id.

    6. Change the Service account ID to a unique value that you will recognize so you can easily find this service account later if needed.
    7. Click Furnish a new private key.
    8. The default key type is JSON, which is the correct value to use.
    9. Click Create.

      The private key file is downloaded to your machine. You can move it to another location. Keep the key file secure.

  3. If the Compute Engine instance is in a different project than the Cloud SQL instance, ensure that its service account has the proper permissions in the project that contains the Cloud SQL instance:
    1. Go to the Compute Engine instances listing in the Google Cloud Platform Console.

      Go to the Compute Engine instances listing

    2. If needed, select the project associated with the Compute Engine instance.
    3. Select the Compute Engine instance to display its properties.
    4. In the Compute Engine instance properties, copy the name of the service account.
    5. Go to the IAM & Admin Projects page in the Google Cloud Platform Console.

      Go to the IAM & Admin Projects page

    6. Select the project that contains the Cloud SQL instance.
    7. Search for the service account name.
    8. If the service account is already there, and it has a role that includes the cloudsql.instances.connect permission, you can proceed to step 4.

      The Cloud SQL Client, Cloud SQL Editor and Cloud SQL Admin roles all provide the necessary permission, as do the legacy Editor and Owner project roles.

    9. Otherwise, add the service account by clicking Add.
    10. In the Add members dialog, provide the name of the service account and select a role that include the cloudsql.instances.connect permission (any Cloud SQL predefined role other than Viewer will work).

      Alternatively, you can use the primitive Editor role by selecting Project > Editor, but the Editor role includes permissions across Google Cloud Platform.

      If you do not see these roles, your Google Cloud Platform user might not have the resourcemanager.projects.setIamPolicy permission. You can check your permissions by going to the IAM page in the Google Cloud Platform Console and searching for your user id.

    11. Click Add.

      You should now see the service account listed with the specified role.

  4. Open a terminal connection to your Compute Engine instance.

    Use the appropriate instructions, depending on the instance's operating system:

  5. If your Compute Engine instance is running either an RHEL or a CentOS public image, SELinux might block the proxy connection. If this happens, you must configure the SELinux feature to allow the connection.

    For more information about SELinux for RHEL, see the RHEL documentation. For more information about SELinux for CentOS, see the CentOS documentation.

  6. Install the psql client on the Compute Engine instance, if it is not already installed.

    Debian/Ubuntu

    Install the psql client from the package manager:

    sudo apt-get update
    sudo apt-get install postgresql-client
    

    CentOS/RHEL

    Install the psql client from the package manager:

    sudo yum install postgresql
    

    openSUSE

    Install the psql client from the package manager:

    sudo zypper install postgresql
    

    Other platforms

    1. Download the PostgreSQL Core Distribution for your platform from the PostgreSQL Downloads page.
      The Core Distribution includes the psql client.
    2. Install the PostgreSQL database, following the directions on the download page.
  7. Install the Cloud SQL Proxy on the Compute Engine instance.

    Linux 64-bit

    1. Download the proxy:
      wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy
      
    2. Make the proxy executable:
      chmod +x cloud_sql_proxy
      

    Linux 32-bit

    1. Download the proxy:
      wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.386 -O cloud_sql_proxy
      
    2. Make the proxy executable:
      chmod +x cloud_sql_proxy
      

    Windows 64-bit

    Right-click https://dl.google.com/cloudsql/cloud_sql_proxy_x64.exe and select "Save link as..." to download the proxy, renaming it to cloud_sql_proxy.exe.

    Windows 32-bit

    Right-click https://dl.google.com/cloudsql/cloud_sql_proxy_x86.exe and select "Save link as..." to download the proxy, renaming it to cloud_sql_proxy.exe.
    If your operating system is not included here, you can also compile the proxy from source.

  8. Start the proxy.

    Depending on your language and environment, you can start the proxy using either TCP sockets or Unix sockets.

    TCP sockets

    1. Copy your instance connection name from the Instance details page.
    2. If you are using a service account to authenticate the proxy, note the location on your client machine of the private key file that was created when you created the service account.
    3. Start the proxy.

      Some possible proxy invocation strings:

      • Using Cloud SDK authentication:
        ./cloud_sql_proxy -instances=<INSTANCE_CONNECTION_NAME>=tcp:5432
        
        The specified port must not already be in use, for example, by a local database server.
      • Using a service account and explicit instance specification (recommended for production environments):
        ./cloud_sql_proxy -instances=<INSTANCE_CONNECTION_NAME>=tcp:5432 \
                          -credential_file=<PATH_TO_KEY_FILE> &
        

      For more information about proxy options, see Options for authenticating the proxy and Options for specifying instances.

    Unix sockets

    1. If you are using explicit instance specification, copy your instance connection name from the Instance details page.
    2. Create the directory where the proxy sockets will live:
      sudo mkdir /cloudsql; sudo chmod 777 /cloudsql
    3. If you are using a service account to authenticate the proxy, note the location on your client machine of the private key file that was created when you created the service account.
    4. Open a new terminal window and start the proxy.

      Some possible proxy invocation strings:

      • Using a service account and explicit instance specification (recommended for production environments):
        ./cloud_sql_proxy -dir=/cloudsql -instances=<INSTANCE_CONNECTION_NAME> \
                          -credential_file=<PATH_TO_KEY_FILE> &
      • Using Cloud SDK authentication and automatic instance discovery:
        ./cloud_sql_proxy -dir=/cloudsql &

      It is best to start the proxy in its own terminal so you can monitor its output without it mixing with the output from other programs.

      For more information about proxy options, see Options for authenticating the proxy and Options for specifying instances.

  9. Start the psql session.

    The connection string you use depends on whether you started the proxy using a TCP socket or a UNIX socket.

    TCP sockets

    1. Start the psql client:
      psql "host=127.0.0.1 sslmode=disable dbname=<DB_NAME> user=<USER_NAME>"
      

      Even though the sslmode parameter is set to disable, the proxy does provide an encrypted connection.

      When you connect using TCP sockets, the proxy is accessed through 127.0.0.1.

    2. Enter the password.
    3. You should see the psql prompt.

    Unix sockets

    1. Start the psql client:
      psql "sslmode=disable host=/cloudsql/<INSTANCE_CONNECTION_NAME> user=<USERNAME>"
      

      Even though the sslmode parameter is set to disable, the proxy does provide an encrypted connection.

    2. Enter the password.
    3. You should see the psql prompt.

Need help? For help troubleshooting the proxy, see Troubleshooting Cloud SQL Proxy connections. Or, see our Cloud SQL Support page.

What's next

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud SQL for PostgreSQL