Connecting from Google Container Engine

This page describes how to set up a connection from an application running in Google Container Engine to a Cloud SQL instance, using the Cloud SQL Proxy Docker image.


To access a Google Cloud SQL instance from an application running in Google Container Engine, you use the Cloud SQL Proxy Docker image. For more information about the Cloud SQL Proxy, see About the Cloud SQL Proxy.

Before you begin

Before you start this procedure, you must have:

  • A Container Engine cluster running version 1.2 or higher, with the kubectl command-line tool installed and configured to communicate with the cluster.

    For help getting started with Container Engine, see the Quickstart.

  • An application container in a pod on the Container Engine cluster.

    The Cloud SQL Proxy is added to your pod using the "sidecar" pod pattern. For more information about setting up and using Kubernetes clusters, see the Kubernetes User Guide. For a high level diagram of a sidecar pod pattern, see Patterns for Composite Containers.

  • A Cloud SQL instance with the default user configured.

    For help creating a Cloud SQL instance, see Creating Instances.

1. Enable the API

  1. Enable the Cloud SQL Administration API.

    Enable the API

2. Create a service account

The proxy requires a service account with the proper privileges for your Cloud SQL instance. For more information about service accounts, see the Google Cloud Platform Auth Guide.

  1. Go to the Cloud SQL Service accounts page of the Google Cloud Platform Console.

    Go to the Service accounts page

  2. If needed, select the project that contains your Cloud SQL instance.
  3. Click Create service account.
  4. In the Create service account dialog, provide a descriptive name for the service account.
  5. For Role, select Cloud SQL > Cloud SQL Client.

    Alternatively, you can use the primitive Editor role by selecting Roles > Editor, but the Editor role includes permissions across Google Cloud Platform.

  6. Change the Service account ID to a shorter value if needed.
  7. Click Furnish a new private key.
  8. The default key type is JSON, which is the correct value to use.
  9. Click Create.

    The private key file is downloaded to your machine. You can move it to another location. Keep the key file secure.

You will provide the location of this key file later in this task as PROXY_KEY_FILE_PATH.

3. Create the user account for the proxy

You can use an existing user for the proxy, but it is preferable to create a user specifically for the proxy. You can use the gcloud command-line tool to create a user:

 gcloud sql users create proxyuser host --instance=myinstance1 --password=mypassword

The host value is not used and can be any non-empty string. You must supply a password; users without passwords cannot connect to the database.

For help with creating a user account, see Creating a user.

4. Get your instance connection name

The instance connection name identifies your instance on Google Cloud Platform. You can get it from the Google Cloud Platform Console, or by using the gcloud command-line tool:

 gcloud sql instances describe [INSTANCE_NAME]

For example, for the instance myinstance1 in project myproject1, the instance connection name might look like this:


You will provide this value later as INSTANCE_CONNECTION_NAME.

5. Create your secrets

You need two secrets to enable your Container Engine application to access the data in your Cloud SQL instance:

  • The cloudsql-instance-credentials secret enables your application to connect to your Cloud SQL instance.
  • The cloudsql-db-credentials secret enables your application to connect to the database.

For more information about the two levels of access control, see Instance Access Control.

To create your secrets:

  1. Create the secret for instance-level access, providing the location of the key you downloaded when you created your service account:
    kubectl create secret generic cloudsql-instance-credentials \
  2. Create the secret needed for database access, providing the name and password for your proxy user:
    kubectl create secret generic cloudsql-db-credentials \
           --from-literal=username=[PROXY_USER] --from-literal=password=[PROXY_PASSWORD]

    For the proxy user created in the example above, you would use the following command:

    kubectl create secret generic cloudsql-db-credentials \
               --from-literal=username=proxyuser --from-literal=password=mypassword

6. Update your pod configuration file

Your pod configuration file needs to include the host address of the database, the secrets, and the location of your Cloud SQL instance.

The exact variable names needed depend on the application container you are using. For a complete sample deployment, including sample code, see CloudSQL Example.

  1. Provide as the host address your application uses to access the database.

    Because the proxy runs in a second container in the same pod, it appears to your application as localhost, so you use to connect to it.

  2. Provide the cloudsql-db-credentials secret to enable the application to log in to the database.

    For example, assuming the application expected DB_USER and DB_PASSWORD:

    - name: DB_USER
          name: cloudsql-db-credentials
          key: username

    - name: DB_PASSWORD
          name: cloudsql-db-credentials
          key: password

  3. Define the container used by the proxy, setting the port to 5432 and using the connection name you recorded earlier:

    - image:
      name: cloudsql-proxy
      command: ["/cloud_sql_proxy", "--dir=/cloudsql",
        - name: cloudsql-instance-credentials
          mountPath: /secrets/cloudsql
          readOnly: true
        - name: ssl-certs
          mountPath: /etc/ssl/certs
        - name: cloudsql
          mountPath: /cloudsql

    This step also defines the mount points for your container.

  4. Define your volumes:

      - name: cloudsql-instance-credentials
          secretName: cloudsql-instance-credentials
      - name: ssl-certs
          path: /etc/ssl/certs
      - name: cloudsql

  5. Bring up your pod:

    kubectl create -f [CONFIGURATION_FILE]

7. Update your application to connect to Cloud SQL

When you have your Google Container Engine environment set up, you connect to Cloud SQL the same way as any other external application that is using the proxy. The exact connection string you use depends on what language and framework you are using.

For some example connection strings, see Language-specific information and examples.

What's next

Monitor your resources on the go

Get the Google Cloud Console app to help you manage your projects.

Send feedback about...

Cloud SQL for PostgreSQL