Connecting from Google Container Engine

This page describes how to set up a connection from an application running in Google Container Engine to a Cloud SQL instance, using the Cloud SQL Proxy Docker image.


To access a Google Cloud SQL instance from an application running in Google Container Engine, you use the Cloud SQL Proxy Docker image. For more information about the Cloud SQL Proxy, see About the Cloud SQL Proxy.

Before you begin

Before you can start this procedure, you must have:

  • A Container Engine cluster running version 1.2 or higher, with the kubectl command-line tool installed and configured to communicate with the cluster.

    For help getting started with Container Engine, see the Quickstart.

  • An application container in a pod on the Container Engine cluster.

    The Cloud SQL Proxy is added to your pod using the "sidecar container" pod pattern. For more information about setting up and using Kubernetes clusters, see the Kubernetes User Guide.

  • A Cloud SQL instance with the default user configured.

    For help creating a Cloud SQL instance, see Creating Instances.

  • The connection name of your Cloud SQL instance.

    You can access the connection name from the Google Cloud Platform Console in the Instance details page, or by using the gcloud sql instances describe command.

Enable the API

  1. Enable the Cloud SQL Administration API.

    Enable the API

Create a service account

The proxy requires a service account with the proper privileges for your Cloud SQL instance. For more information about service accounts, see the Google Cloud Platform Auth Guide.

  1. Go to the Cloud SQL Service accounts page of the Google Cloud Platform Console.

    Go to the Service accounts page

  2. If needed, select the project that contains your Cloud SQL instance.
  3. Click Create service account.
  4. In the Create service account dialog, provide a descriptive name for the service account.
  5. For Role, select Cloud SQL > Cloud SQL Client.

    Alternatively, you can use the primitive Editor role by selecting Roles > Editor, but the Editor role includes permissions across Google Cloud Platform.

  6. Change the Service account ID to a shorter value if needed.
  7. Click Furnish a new private key.
  8. The default key type is JSON, the correct value.
  9. Click Create.

    The private key file is downloaded to your machine. You can move it to another location. Keep the key file secure.

Create a user account for the proxy

The proxy uses a special host to access the database. This increases the security of your configuration because only the proxy can use any user account created with this host; you do not need to specify a password.

To create a user account specifically for the proxy, use cloudsqlproxy~% for the host name. The user name can be whatever value you choose.

For help with creating a user account, see Creating a user.

Create your secrets

You need several secrets to enable your Container Engine application to connect with your Cloud SQL instance. One is required for instance-level access (connection), while the other two are required for database access. For more information about the two levels of access control, see Instance Access Control.

  1. Create the secret for instance-level access, providing the location of the key you downloaded when you created your service account:

    kubectl create secret generic cloudsql-oauth-credentials --from-file=credentials.json=[PATH_TO_CREDENTIAL_FILE]
  2. Create the secrets needed for database access:

    kubectl create secret generic cloudsql --from-literal=username=[PROXY_USERNAME] --from-literal=password=[PASSWORD]

Update your pod configuration file

Your pod configuration file needs to provide these secrets, as well as the location of your Cloud SQL instance and the database host.

The exact variable names needed depend on the application container you are using. For a sample deployment, see CloudSQL Example.

  1. Provide as the host name your application will use to access the database.

    Because the proxy runs in a second container in the same pod, it appears to your application as localhost, so you use to connect to it.

  2. Provide the username and password from the secrets you created earlier to the application.

    The example below uses WORDPRESS_DB_USER and WORDPRESS_DB_PASSWORD; you must change these names to what your application uses.

          name: cloudsql
          key: password
          name: cloudsql
          key: username

  3. Define the container used by the proxy, setting the port to 5432:

    - image:
      name: cloudsql-proxy
      command: ["/cloud_sql_proxy", "--dir=/cloudsql",
        - name: cloudsql-oauth-credentials
          mountPath: /secrets/cloudsql
          readOnly: true
        - name: ssl-certs
          mountPath: /etc/ssl/certs
        - name: cloudsql
          mountPath: /cloudsql

  4. Define your volumes:

      - name: cloudsql-oauth-credentials
          secretName: cloudsql-oauth-credentials
      - name: ssl-certs
          path: /etc/ssl/certs
      - name: cloudsql

  5. Bring up your pod:

    kubectl create -f [CONFIGURATION_FILE]

Need help? See our Cloud SQL Support page.

What's next

Send feedback about...

Cloud SQL for PostgreSQL