Connect to Cloud SQL for PostgreSQL from Cloud Run functions

MySQL | PostgreSQL | SQL Server

Learn how to deploy a sample app on Cloud Run functions connected to a PostgreSQL instance by using the Google Cloud console and a client application.

Assuming that you complete all the steps in a timely manner, the resources created in this quickstart typically cost less than one dollar (USD).

Before you begin

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project.

Enable the Cloud APIs necessary to run a Cloud SQL sample app on Cloud Run functions.
Console

Click Enable APIs to enable the APIs required for this quickstart.

Enable APIs

This enables the following APIs:
- Cloud Run functions API
- Cloud SQL Admin API
- Cloud Run Admin API
- Cloud Build API
- Artifact Registry API
- Eventarc API
- Compute Engine API
- Service Networking API
- Cloud Logging API
gcloud

Click the following button to open Cloud Shell, which provides command-line access to your Google Cloud resources directly from the browser. Cloud Shell can be used to run the gcloud commands presented throughout this quickstart.

Open Cloud Shell

Run the following gcloud command using Cloud Shell:
```
gcloud services enable cloudfunctions.googleapis.com sqladmin.googleapis.com run.googleapis.com cloudbuild.googleapis.com artifactregistry.googleapis.com eventarc.googleapis.com compute.googleapis.com servicenetworking.googleapis.com pubsub.googleapis.com logging.googleapis.com
```
This command enables the following APIs:
- Cloud Run functions API
- Cloud SQL Admin API
- Cloud Run API
- Cloud Build API
- Artifact Registry API
- Eventarc API
- Compute Engine API
- Service Networking API
- Cloud Logging API
Add the Cloud Run functions Invoker IAM role to your user.

Add the role

Set up Cloud SQL

Create a Cloud SQL instance

Public IP

Console

In the Google Cloud console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
Click Create instance.
Click Choose PostgreSQL.
Make sure that Enterprise Plus is selected as the Cloud SQL edition for your instance.
In the Instance ID field, enter quickstart-instance.
In the Password field, enter a password for the postgres user. Save this password for future use.
In the Choose region and zonal availability section, select Single zone.
Click the Show configuration options menu.
Expand the Machine configuration node.
From the Machine shapes region, select the 4 vCPU, 32 GB shape.
Click Create instance and then wait until the instance initializes and starts.

gcloud

Before running the command as follows, replace DB_ROOT_PASSWORD with the password of your database user.

Optionally, modify the values for the following parameters:

--database-version: The database engine type and version. If left unspecified, the API default is used. See the gcloud database versions documentation to see the current available versions.
--cpu: The number of cores desired in the machine.
--memory: Whole number value indicating how much memory is desired in the machine. A size unit should be provided (for example, 3072MB or 9GB). If no units are specified, GB is assumed.
--region: Regional location of the instance (for example asia-east1, us-east1). If left unspecified, the default us-central is used.

Run the gcloud sql instances create command to create a Cloud SQL instance.

gcloud sql instances create quickstart-instance \
--database-version=POSTGRES_14 \
 --cpu=1 \
 --memory=4GB \
 --region=us-central \
 --root-password=DB_ROOT_PASSWORD

Private IP

Console

Allocate an IP address range and create a private connection to configure private services access for Cloud SQL

In the Google Cloud console, go to the VPC networks page.

Go to VPC networks
Select the default VPC network.
Select the Private service connection tab.
Select the Allocated IP ranges for services tab.
Click Allocate IP range.
For the Name of the allocated range, specify google-managed-services-default.
Select the Automatic option for IP range and specify the prefix length as 16.
Click Allocate to create the allocated range.
Select the Private connections to services tab for the default VPC network.
Click Create connection to create a private connection between your network and a service producer.
For the Assigned allocation, select google-managed-services-default.
Click Connect to create the connection.

Create an instance with private IP address and SSL enabled

In the Google Cloud console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
Click Create instance.
Click Choose PostgreSQL.
Make sure that Enterprise Plus is selected as the Cloud SQL edition for your instance.
In the Instance ID field, enter quickstart-instance.
In the Password field, enter a password for the postgres user. Save this password for future use.
In the Choose region and zonal availability section, select Single zone.
Click the Show configuration options menu.
Expand the Machine configuration node.
From the Machine shapes region, select the 4 vCPU, 32 GB shape.
Expand the Connections node.
Clear the Public IP checkbox to create an instance only with a private IP address.
Select the Private IP checkbox.
From the Network menu, select default.
Click Create instance and then wait for the instance to initialize and start.
Click Connections.
In the Security section, select Allow only SSL connections to enable SSL connections.
In the Allow only SSL connections dialog, click Save and then wait for the instance to restart.

gcloud

Allocate an IP address range and create a private connection to configure private services access for Cloud SQL

Run the gcloud compute addresses create command to allocate an IP address range.

gcloud compute addresses create google-managed-services-default \
--global --purpose=VPC_PEERING --prefix-length=16 \
--description="peering range for Google" --network=default

Run the gcloud services vpc-peerings connect command to create a private connection to the allocated IP address range. Replace YOUR_PROJECT_ID with your project's project ID.

gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com \
--ranges=google-managed-services-default --network=default \
--project=YOUR_PROJECT_ID

Create an instance with private IP address and SSL enabled

Before running the command as follows, replace DB_ROOT_PASSWORD with the password of your database user.

Optionally, modify the values for the following parameters:

--database-version: The database engine type and version. If left unspecified, the API default is used. See the gcloud database versions documentation to see the current available versions.
--cpu: The number of cores in the machine.
--memory: A whole number value indicating how much memory to include in the machine. A size unit can be provided (for example, 3072MB or 9GB). If no units are specified, GB is assumed.
--region: The regional location of the instance (for example asia-east1, us-east1). If left unspecified, the default us-central1 is used. See the full list of regions.

Run the gcloud sql instances create command to create a Cloud SQL instance with a Private IP address.

gcloud sql instances create quickstart-instance \
--database-version=POSTGRES_14 \
 --cpu=1 \
 --memory=4GB \
 --region=us-central \
 --root-password=DB_ROOT_PASSWORD \
 --no-assign-ip \
--network=default

Run the gcloud sql instances patch command to enable only allow SSL connections for the instance.

gcloud sql instances patch quickstart-instance --require-ssl

Create a database

Console

In the Google Cloud console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
Select quickstart-instance.
From the SQL navigation menu, select Databases.
Click Create database.

In the Database name field of the New database dialog box, enter quickstart-db.
Click Create.

gcloud

Run the gcloud sql databases create command to create a database.

gcloud sql databases create quickstart-db --instance=quickstart-instance

Create a user

Console

In the Google Cloud console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
To open the Overview page of an instance, click the instance name.
From the SQL navigation menu, select Users.
Click Add user account.
In the Add a user account page for the quickstart-instance, add the following information:
- In the Username field, enter quickstart-user.
- In the Password field, specify a password for your database user. Make a note of this for use in a later step of this quickstart.
Click Add.

gcloud

Before running the following command, make the following replacements:

DB_PASS with a password for your database user. Make a note of this for use in a later step of this quickstart.

Run the gcloud sql users create command to create the user.

gcloud sql users create quickstart-user \
--instance=quickstart-instance \
--password=DB_PASS

User name length limits are the same for Cloud SQL as for on-premises PostgreSQL.

Configure a Cloud Run functions service account

Configure the service account used by Cloud Run functions so that it has the Cloud SQL Client role with permissions to connect to Cloud SQL.

Console

In the Google Cloud console, go to the IAM page.

Go to IAM
For the service account named Compute Engine default service account, click the pencil icon.

Click ADD ANOTHER ROLE.
Add the Role named Cloud SQL Client.
Click Save.

gcloud

Run the following gcloud command to get a list of your project's service accounts:
```
gcloud iam service-accounts list
```
Copy the EMAIL of the Compute Engine service account.

Run the following command to add the Cloud SQL Client role to Compute Engine service account:

gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \
  --role="roles/cloudsql.client"

Create a function

In the Google Cloud console, go to the Cloud Run functions page.

Go to Cloud Run functions
Click Create function.
For the Environment, select 2nd gen.
In the Function name field, enter quickstart-function.
In the Authentication region, select Allow unauthenticated invocations.
Click Next.
From the Runtime menu, select one of the following languages:

Language	Version number
Go	1.20
Java	17
Node.js	18
Python	3.10

In the Source code menu, verify that the Inline editor is selected. In this step, you use the default function provided in the editor.

Deploy the function

At the bottom of the Cloud Run functions page, click Deploy. The Google Cloud console redirects you to the function's details page.
When the function deployment is complete, click the URL link to see a web browser displaying the message Hello, World!.

Deploy the Cloud SQL sample app as a function

You configure and deploy the Cloud SQL sample app as a function in Cloud Run functions. First, you use Cloud Shell to configure and build the sample app. Then, you use Cloud Run functions to deploy the sample app.

There are two ways to configure, build, and deploy the app depending on if you created a Cloud SQL for PostgreSQL instance with a Public IP or a Private IP.

Configure a Cloud SQL sample app

Public IP

For public IP paths, Cloud Run functions provides encryption and connects using the Cloud SQL Auth Proxy through Unix sockets.

Go

In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor
In the Open in Cloud Shell dialog box, click Confirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
At the Cloud Shell command prompt, in the bottom half of the screen below the Cloud Shell Editor, run the following command to activate your project. Replace YOUR_PROJECT_ID with your project ID.
```
gcloud config set project YOUR_PROJECT_ID
```
If an Authorize Cloud Shell dialog box appears, then click Authorize.
Run the following gcloud artifacts repositories create command in Cloud Shell to create a repository in the Artifact Registry named quickstart-repo in the same region as your Cloud SQL instance. Replace YOUR_PROJECT_ID with your project ID and YOUR_REGION_NAME with your region name.
```
gcloud artifacts repositories create quickstart-repo \
  --project=YOUR_PROJECT_ID \
  --repository-format=docker \
  --location=YOUR_REGION_NAME \
  --description="Cloud Function Quickstart Cloud SQL sample app"
```
Run the gcloud builds submit command as follows in Cloud Shell to build a Docker container and publish it to Artifact Registry. Replace YOUR_PROJECT_ID with your project ID and YOUR_REGION_NAME with your region name.
```
gcloud builds submit \
  --tag YOUR_REGION_NAME-docker.pkg.dev/YOUR_PROJECT_ID/quickstart-repo/function-sql .
```
In gen2 of Cloud Run functions, configuring and running the Cloud SQL Auth Proxy automatically isn't supported. This functionality is supported by using Cloud Run. You must revise the underlying Cloud Run service manually to configure and run the Cloud SQL Auth Proxy with the service by using the --add-cloudsql-instances flag. Replace INSTANCE_CONNECTION_NAME with your instance's connection name.
```
gcloud run deploy quickstart-function --source . \
  --region YOUR_REGION_NAME \
  --add-cloudsql-instances INSTANCE_CONNECTION_NAME
```

Java

In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor
In the Open in Cloud Shell dialog box, click Confirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
At the Cloud Shell command prompt, in the bottom half of the screen below the Cloud Shell Editor, run the following command to activate your project. Replace YOUR_PROJECT_ID with your project ID.
```
gcloud config set project YOUR_PROJECT_ID
```
If an Authorize Cloud Shell dialog box appears, then click Authorize.
Run the following gcloud artifacts repositories create command in Cloud Shell to create a repository in the Artifact Registry named quickstart-repo in the same region as your Cloud SQL instance. Replace YOUR_PROJECT_ID with your project ID and YOUR_REGION_NAME with your region name.
```
gcloud artifacts repositories create quickstart-repo \
  --project=YOUR_PROJECT_ID \
  --repository-format=docker \
  --location=YOUR_REGION_NAME \
  --description="Cloud Function Quickstart Cloud SQL sample app"
```

Run the mvn command as follows in Cloud Shell to build a Docker container and publish it to Artifact Registry. Replace YOUR_PROJECT_ID with your project ID and YOUR_REGION_NAME with your region name.

mvn clean package com.google.cloud.tools:jib-maven-plugin:2.8.0:build \
  -Dimage=YOUR_REGION_NAME-docker.pkg.dev/YOUR_PROJECT_ID/quickstart-repo/function-sql \
  -DskipTests -Djib.to.credHelper=gcloud

In gen2 of Cloud Run functions, configuring and running the Cloud SQL Auth Proxy automatically isn't supported. This functionality is supported by using Cloud Run. You must revise the underlying Cloud Run service manually to configure and run the Cloud SQL Auth Proxy with the service by using the --add-cloudsql-instances flag. Replace INSTANCE_CONNECTION_NAME with your instance's connection name.
```
gcloud run deploy quickstart-function --source . \
  --region YOUR_REGION_NAME \
  --add-cloudsql-instances INSTANCE_CONNECTION_NAME
```

Node.js

In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor
In the Open in Cloud Shell dialog box, click Confirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
At the Cloud Shell command prompt, in the bottom half of the screen below the Cloud Shell Editor, run the following command to activate your project. Replace YOUR_PROJECT_ID with your project ID.
```
gcloud config set project YOUR_PROJECT_ID
```
If an Authorize Cloud Shell dialog box appears, then click Authorize.
Run the following gcloud artifacts repositories create command in Cloud Shell to create a repository in the Artifact Registry named quickstart-repo in the same region as your Cloud SQL instance. Replace YOUR_PROJECT_ID with your project ID and YOUR_REGION_NAME with your region name.
```
gcloud artifacts repositories create quickstart-repo \
  --project=YOUR_PROJECT_ID \
  --repository-format=docker \
  --location=YOUR_REGION_NAME \
  --description="Cloud Function Quickstart Cloud SQL sample app"
```
Run the gcloud builds submit command as follows in Cloud Shell to build a Docker container and publish it to Artifact Registry. Replace YOUR_PROJECT_ID with your project ID and YOUR_REGION_NAME with your region name.
```
gcloud builds submit \
  --tag YOUR_REGION_NAME-docker.pkg.dev/YOUR_PROJECT_ID/quickstart-repo/function-sql .
```
In gen2 of Cloud Run functions, configuring and running the Cloud SQL Auth Proxy automatically isn't supported. This functionality is supported by using Cloud Run. You must revise the underlying Cloud Run service manually to configure and run the Cloud SQL Auth Proxy with the service by using the --add-cloudsql-instances flag. Replace INSTANCE_CONNECTION_NAME with your instance's connection name.
```
gcloud run deploy quickstart-function --source . \
  --region YOUR_REGION_NAME \
  --add-cloudsql-instances INSTANCE_CONNECTION_NAME
```

Python

In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor
In the Open in Cloud Shell dialog box, click Confirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
At the Cloud Shell command prompt, in the bottom half of the screen below the Cloud Shell Editor, run the following command to activate your project. Replace YOUR_PROJECT_ID with your project ID.
```
gcloud config set project YOUR_PROJECT_ID
```
If an Authorize Cloud Shell dialog box appears, then click Authorize.
Run the following gcloud artifacts repositories create command in Cloud Shell to create a repository in the Artifact Registry named quickstart-repo in the same region as your Cloud SQL instance. Replace YOUR_PROJECT_ID with your project ID and YOUR_REGION_NAME with your region name.
```
gcloud artifacts repositories create quickstart-repo \
  --project=YOUR_PROJECT_ID \
  --repository-format=docker \
  --location=YOUR_REGION_NAME \
  --description="Cloud Function Quickstart Cloud SQL sample app"
```
Run the gcloud builds submit command as follows in Cloud Shell to build a Docker container and publish it to Artifact Registry. Replace YOUR_PROJECT_ID with your project ID and YOUR_REGION_NAME with your region name.
```
gcloud builds submit \
  --tag YOUR_REGION_NAME-docker.pkg.dev/YOUR_PROJECT_ID/quickstart-repo/function-sql .
```
In gen2 of Cloud Run functions, configuring and running the Cloud SQL Auth Proxy automatically isn't supported. This functionality is supported by using Cloud Run. You must revise the underlying Cloud Run service manually to configure and run the Cloud SQL Auth Proxy with the service by using the --add-cloudsql-instances flag. Replace INSTANCE_CONNECTION_NAME with your instance's connection name.
```
gcloud run deploy quickstart-function --source . \
  --region YOUR_REGION_NAME \
  --add-cloudsql-instances INSTANCE_CONNECTION_NAME
```

Private IP

For private IP paths, your application connects directly to your instance through Serverless VPC Access. This method uses a TCP socket to connect directly to the Cloud SQL instance without using the Cloud SQL Auth Proxy.

Go

Create and download SSL server and client certificates

In the Google Cloud console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
Click the quickstart-instance to see its Overview page
Click the Connections tab.
Under the Security section, click Create client certificate.
In the Create a client certificate dialog, enter quickstart-key as the name and click Create.
In the New SSL certificate created dialog, click each download link to download the certificates. Then, click Close.

Important: Store this private key securely. If you lose it, you must create a new client certificate.

Create a Serverless VPC Connection for connections to the instance via Private IP

In the Google Cloud console, go to the Serverless VPC access - Create connector page.

Create Serverless VPC connector
Enter quickstart-connector for the Name.
Select default from the Network drop-down menu
Select Custom IP range from the Subnet drop-down menu
Enter 10.8.0.0 in the IP range input box
Click Create to create the connector.

Build sample app with SSL certificates

In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor
In the Open in Cloud Shell dialog box, click Confirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
At the Cloud Shell command prompt, in the bottom half of the screen below the Cloud Shell Editor, run the following command to activate your project. Replace YOUR_PROJECT_ID with your project ID.
```
gcloud config set project YOUR_PROJECT_ID
```
If an Authorize Cloud Shell dialog box appears, then click Authorize.
Upload SSL certs files to certs folder.
1. Right-click certs folder in Cloud Shell Editor and select Upload Files
2. Select following files on your local machine:
3. With the three SSL certificate files selected, click Open to complete the process of uploading the files to Cloud Shell Editor.
Run the following gcloud artifacts repositories create command in Cloud Shell to create a repository in the Artifact Registry named quickstart-repo in the same region as your Cloud SQL instance. Replace YOUR_PROJECT_ID with your project ID and YOUR_REGION_NAME with your region name.
```
gcloud artifacts repositories create quickstart-repo \
  --project=YOUR_PROJECT_ID \
  --repository-format=docker \
  --location=YOUR_REGION_NAME \
  --description="Cloud Function Quickstart Cloud SQL sample app"
```
Run the gcloud builds submit command as follows in Cloud Shell to build a Docker container and publish it to Artifact Registry. Replace YOUR_PROJECT_ID with your project ID and YOUR_REGION_NAME with your region name.
```
gcloud builds submit \
  --tag YOUR_REGION_NAME-docker.pkg.dev/YOUR_PROJECT_ID/quickstart-repo/function-sql .
```
In gen2 of Cloud Run functions, configuring and running the Cloud SQL Auth Proxy automatically isn't supported. This functionality is supported by using Cloud Run. You must revise the underlying Cloud Run service manually to configure and run the Cloud SQL Auth Proxy with the service by using the --add-cloudsql-instances flag. Replace INSTANCE_CONNECTION_NAME with your instance's connection name.
```
gcloud run deploy quickstart-function --source . \
  --region YOUR_REGION_NAME \
  --add-cloudsql-instances INSTANCE_CONNECTION_NAME
```

Java

Create and download SSL server and client certificates

For Java users, the connector already provides a secure connection so that creating and downloading SSL server and client certificates is unnecessary.

Create a Serverless VPC Connection for connections to the instance via Private IP

In the Google Cloud console, go to the Serverless VPC access - Create connector page.

Create Serverless VPC connector
Enter quickstart-connector for the Name.
Select default from the Network drop-down menu
Select Custom IP range from the Subnet drop-down menu
Enter 10.8.0.0 in the IP range input box
Click Create to create the connector.

Build Sample App

In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor
In the Open in Cloud Shell dialog box, click Confirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
At the Cloud Shell command prompt, in the bottom half of the screen below the Cloud Shell Editor, run the following command to activate your project. Replace YOUR_PROJECT_ID with your project ID.
```
gcloud config set project YOUR_PROJECT_ID
```
If an Authorize Cloud Shell dialog box appears, then click Authorize.
Run the following gcloud artifacts repositories create command in Cloud Shell to create a repository in the Artifact Registry named quickstart-repo in the same region as your Cloud SQL instance. Replace YOUR_PROJECT_ID with your project ID and YOUR_REGION_NAME with your region name.
```
gcloud artifacts repositories create quickstart-repo \
  --project=YOUR_PROJECT_ID \
  --repository-format=docker \
  --location=YOUR_REGION_NAME \
  --description="Cloud Function Quickstart Cloud SQL sample app"
```

mvn clean package com.google.cloud.tools:jib-maven-plugin:2.8.0:build \
  -Dimage=YOUR_REGION_NAME-docker.pkg.dev/YOUR_PROJECT_ID/quickstart-repo/function-sql \
  -DskipTests -Djib.to.credHelper=gcloud

In gen2 of Cloud Run functions, configuring and running the Cloud SQL Auth Proxy automatically isn't supported. This functionality is supported by using Cloud Run. You must revise the underlying Cloud Run service manually to configure and run the Cloud SQL Auth Proxy with the service by using the --add-cloudsql-instances flag. Replace INSTANCE_CONNECTION_NAME with your instance's connection name.
```
gcloud run deploy quickstart-function --source . \
  --region YOUR_REGION_NAME \
  --add-cloudsql-instances INSTANCE_CONNECTION_NAME
```

Node.js

Create and download SSL server and client certificates

In the Google Cloud console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
Click the quickstart-instance to see its Overview page
Click the Connections tab.
Under the Security section, click Create client certificate.
In the Create a client certificate dialog, enter quickstart-key as the name and click Create.
In the New SSL certificate created dialog, click each download link to download the certificates. Then, click Close.

Important: Store this private key securely. If you lose it, you must create a new client certificate.

Create a Serverless VPC Connection for connections to the instance via Private IP

In the Google Cloud console, go to the Serverless VPC access - Create connector page.

Create Serverless VPC connector
Enter quickstart-connector for the Name.
Select default from the Network drop-down menu
Select Custom IP range from the Subnet drop-down menu
Enter 10.8.0.0 in the IP range input box
Click Create to create the connector.

Build sample app with SSL certificates

In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor
In the Open in Cloud Shell dialog box, click Confirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
At the Cloud Shell command prompt, in the bottom half of the screen below the Cloud Shell Editor, run the following command to activate your project. Replace YOUR_PROJECT_ID with your project ID.
```
gcloud config set project YOUR_PROJECT_ID
```
Upload SSL certs files to certs folder.
1. Right-click certs folder in Cloud Shell Editor and select Upload Files
2. Select following files on your local machine:
3. With the three SSL certificate files selected, click Open to complete the process of uploading the files to Cloud Shell Editor.
Run the following gcloud artifacts repositories create command in Cloud Shell to create a repository in the Artifact Registry named quickstart-repo in the same region as your Cloud SQL instance. Replace YOUR_PROJECT_ID with your project ID and YOUR_REGION_NAME with your region name.
```
gcloud artifacts repositories create quickstart-repo \
  --project=YOUR_PROJECT_ID \
  --repository-format=docker \
  --location=YOUR_REGION_NAME \
  --description="Cloud Function Quickstart Cloud SQL sample app"
```
Run the gcloud builds submit command as follows in Cloud Shell to build a Docker container and publish it to Artifact Registry. Replace YOUR_PROJECT_ID with your project ID and YOUR_REGION_NAME with your region name.
```
gcloud builds submit \
  --tag YOUR_REGION_NAME-docker.pkg.dev/YOUR_PROJECT_ID/quickstart-repo/function-sql .
```
In gen2 of Cloud Run functions, configuring and running the Cloud SQL Auth Proxy automatically isn't supported. This functionality is supported by using Cloud Run. You must revise the underlying Cloud Run service manually to configure and run the Cloud SQL Auth Proxy with the service by using the --add-cloudsql-instances flag. Replace INSTANCE_CONNECTION_NAME with your instance's connection name.
```
gcloud run deploy quickstart-function --source . \
  --region YOUR_REGION_NAME \
  --add-cloudsql-instances INSTANCE_CONNECTION_NAME
```

Python

Create and download SSL server and client certificates

In the Google Cloud console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
Click the quickstart-instance to see its Overview page
Click the Connections tab.
Under the Security section, click Create client certificate.
In the Create a client certificate dialog, enter quickstart-key as the name and click Create.
In the New SSL certificate created dialog, click each download link to download the certificates. Then, click Close.

Important: Store this private key securely. If you lose it, you must create a new client certificate.

Create a Serverless VPC Connection for connections to the instance via Private IP

In the Google Cloud console, go to the Serverless VPC access - Create connector page.

Create Serverless VPC connector
Enter quickstart-connector for the Name.
Select default from the Network drop-down menu
Select Custom IP range from the Subnet drop-down menu
Enter 10.8.0.0 in the IP range input box
Click Create to create the connector.

Build sample app with SSL certificates

In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor
In the Open in Cloud Shell dialog box, click Confirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
At the Cloud Shell command prompt, in the bottom half of the screen below the Cloud Shell Editor, run the following command to activate your project. Replace YOUR_PROJECT_ID with your project ID.
```
gcloud config set project YOUR_PROJECT_ID
```
Upload SSL certs files to certs folder.
1. Right-click certs folder in Cloud Shell Editor and select Upload Files
2. Select following files on your local machine:
3. With the three SSL certificate files selected, click Open to complete the process of uploading the files to Cloud Shell Editor.
Run the following gcloud artifacts repositories create command in Cloud Shell to create a repository in the Artifact Registry named quickstart-repo in the same region as your Cloud SQL instance. Replace YOUR_PROJECT_ID with your project ID and YOUR_REGION_NAME with your region name.
```
gcloud artifacts repositories create quickstart-repo \
  --project=YOUR_PROJECT_ID \
  --repository-format=docker \
  --location=YOUR_REGION_NAME \
  --description="Cloud Function Quickstart Cloud SQL sample app"
```
Run the gcloud builds submit command as follows in Cloud Shell to build a Docker container and publish it to Artifact Registry. Replace YOUR_PROJECT_ID with your project ID and YOUR_REGION_NAME with your region name.
```
gcloud builds submit \
  --tag YOUR_REGION_NAME-docker.pkg.dev/YOUR_PROJECT_ID/quickstart-repo/function-sql .
```
In gen2 of Cloud Run functions, configuring and running the Cloud SQL Auth Proxy automatically isn't supported. This functionality is supported by using Cloud Run. You must revise the underlying Cloud Run service manually to configure and run the Cloud SQL Auth Proxy with the service by using the --add-cloudsql-instances flag. Replace INSTANCE_CONNECTION_NAME with your instance's connection name.
```
gcloud run deploy quickstart-function --source . \
  --region YOUR_REGION_NAME \
  --add-cloudsql-instances INSTANCE_CONNECTION_NAME
```

Deploy the sample app

The steps to deploy the sample to Cloud Run functions depend on the type of IP address you assigned to your Cloud SQL instance.

Public IP

Console

In the Google Cloud console, go to the Cloud Run functions page.

Go to Cloud Run functions
Select the quickstart-function that you created in a previous step of this quickstart.
In the Function details page, click the link in the Powered by Cloud Run pane to access the underlying Cloud Run functions service.
Click Edit & deploy new revision.
In the Container image URL field, click Select.

Select the Artifact Registry tab, and then expand the quickstart-repo node.
Expand the function-sql container, and then select the container image you created in the previous step.
Click Select.

Create the following environment variables by clicking Add variable in the Environment variables section:

INSTANCE_UNIX_SOCKET: Set to /cloudsql/YOUR_PROJECT_ID:YOUR_REGION_NAME:quickstart-instance.
DB_NAME: Set to quickstart-db.
DB_USER: Set to quickstart-user.
DB_PASS: Set to the password of the quickstart-user that you specified in the previous Create a user quickstart step.

Enable connecting to Cloud SQL:
1. In the Cloud SQL connections section, click Add connection.
2. Select your instance's connection name.
At the bottom of the page, click Deploy.
After the quickstart-function is deployed, the Service details page displays a URL to the running service. Click the URL link to see the deployed Cloud Run functions sample app connected to Cloud SQL. The app should be similar to the following:

gcloud

Go

To deploy a gen2 function to Cloud Run functions, run the following gcloud functions deploy command. Before running the command, update the following variables:

YOUR_REGION_NAME with your region name
INSTANCE_CONNECTION_NAME with your instance's Connection name that appears on the Cloud SQL instances page in the Google Cloud console
DB_PASS with the password of the quickstart-user that you created in the previous Create a user quickstart step

Run the gcloud functions deploy command as follows to create Cloud Run functions:

gcloud functions deploy quickstart-function \
--gen2 \
--runtime go120 \
--trigger-http \
--allow-unauthenticated \
--entry-point Votes \
--region YOUR_REGION_NAME \
--set-env-vars INSTANCE_UNIX_SOCKET=/cloudsql/INSTANCE_CONNECTION_NAME \
--set-env-vars DB_USER=quickstart-user \
--set-env-vars DB_PASS=DB_PASS \
--set-env-vars DB_NAME=quickstart-db

When you see a confirmation message that Cloud Run functions has been deployed, click the Service URL link in the message to see the deployed Cloud Run functions sample app connected to Cloud SQL.

Java

To deploy a gen2 function to Cloud Run functions, run the following gcloud functions deploy command. Before running the command, update the following variables:

YOUR_REGION_NAME with your region name
INSTANCE_CONNECTION_NAME with your instance's Connection name that appears on the Cloud SQL instances page in the Google Cloud console
DB_PASS with the password of the quickstart-user that you created in the previous Create a user quickstart step

Run the gcloud functions deploy command as follows to create Cloud Run functions:

gcloud functions deploy quickstart-function \
--gen2 \
--runtime java11 \
--trigger-http \
--allow-unauthenticated \
--entry-point com.example.cloudsql.functions.Main \
--region YOUR_REGION_NAME \
--set-env-vars INSTANCE_UNIX_SOCKET=/cloudsql/INSTANCE_CONNECTION_NAME \
--set-env-vars DB_USER=quickstart-user \
--set-env-vars DB_PASS=DB_PASS \
--set-env-vars DB_NAME=quickstart-db

When you see a confirmation message that Cloud Run functions has been deployed, click the Service URL link in the message to see the deployed Cloud Run functions sample app connected to Cloud SQL.

Node.js

To deploy a gen2 function to Cloud Run functions, run the following gcloud functions deploy command. Before running the command, update the following variables:

YOUR_REGION_NAME with your region name
INSTANCE_CONNECTION_NAME with your instance's Connection name that appears on the Cloud SQL instances page in the Google Cloud console
DB_PASS with the password of the quickstart-user that you created in the previous Create a user quickstart step

Run the gcloud functions deploy command as follows to create Cloud Run functions:

gcloud functions deploy quickstart-function \
--gen2 \
--runtime nodejs18 \
--trigger-http \
--allow-unauthenticated \
--entry-point votes \
--region YOUR_REGION_NAME \
--set-env-vars INSTANCE_UNIX_SOCKET=/cloudsql/INSTANCE_CONNECTION_NAME \
--set-env-vars DB_USER=quickstart-user \
--set-env-vars DB_PASS=DB_PASS \
--set-env-vars DB_NAME=quickstart-db

When you see a confirmation message that Cloud Run functions has been deployed, click the Service URL link in the message to see the deployed Cloud Run functions sample app connected to Cloud SQL.

Python

To deploy a gen2 function to Cloud Run functions, run the following gcloud functions deploy command. Before running the command, update the following variables:

YOUR_REGION_NAME with your region name
INSTANCE_CONNECTION_NAME with your instance's Connection name that appears on the Cloud SQL instances page in the Google Cloud console
DB_PASS with the password of the quickstart-user that you created in the previous Create a user quickstart step

Run the gcloud functions deploy command as follows to create Cloud Run functions:

gcloud functions deploy quickstart-function \
--gen2 \
--runtime python310 \
--trigger-http \
--allow-unauthenticated \
--entry-point votes \
--region YOUR_REGION_NAME \
--set-env-vars INSTANCE_UNIX_SOCKET=/cloudsql/INSTANCE_CONNECTION_NAME \
--set-env-vars DB_USER=quickstart-user \
--set-env-vars DB_PASS=DB_PASS \
--set-env-vars DB_NAME=quickstart-db

When you see a confirmation message that Cloud Run functions has been deployed, click the Service URL link in the message to see the deployed Cloud Run functions sample app connected to Cloud SQL.

Private IP

Console

In the Google Cloud console, go to the Cloud Run functions page.

Go to Cloud Run functions
Select the quickstart-function that you created in a previous step of this quickstart.
In the Function details page, click the link in the Powered by Cloud Run pane to access the underlying Cloud Run functions service.
Click Edit & deploy new revision.
In the Container image URL field, click Select.

Select the Artifact Registry tab, and then expand the quickstart-repo node.
Expand the function-sql container, and then select the container image you created in the previous step.
Click Select.

Create the following environment variables by clicking Add variable in the Environment variables section:

DB_NAME: Set to quickstart-db.
DB_USER: Set to quickstart-user.
DB_PASS: Set to the password of the quickstart-user that you specified in the previous Create a user quickstart step.
INSTANCE_CONNECTION_NAME: Set to your instance's Connection name that appears on the Cloud SQL instances page in the Google Cloud console.
DB_PORT: Set to 5432.

INSTANCE_HOST: Set the Private IP address of your instance displayed on the Cloud SQL instances page in the Google Cloud console.
DB_ROOT_CERT: Set to certs/server-ca.pem.
DB_CERT: Set to certs/client-cert.pem.
DB_KEY: Set to certs/client-key.pem.
PRIVATE_IP: Set to TRUE.

Enable connecting to Cloud SQL:
1. In the Cloud SQL connections section, click Add connection.
2. Select your instance's connection name.
3. Select default: Serverless VPC Access Connector "quickstart-connector" from the VPC Network drop-down menu.
4. Select the option Route all traffic through the VPC connector.
At the bottom of the page, click Deploy.
After the quickstart-function is deployed, the Service details page displays a URL to the running service. Click the URL link to see the deployed Cloud Run functions sample app connected to Cloud SQL. The app should be similar to the following:

gcloud

Go

To deploy a gen2 function to Cloud Run functions, run the following gcloud functions deploy command. Before running the command, update the following variables:

YOUR_REGION_NAME with your region name
PRIVATE_IP_ADDRESS with the private IP address of your Cloud SQL instance displayed on the Cloud SQL instances page in the Google Cloud console
DB_PASS with the password of the quickstart-user that you created in the previous Create a user quickstart step
INSTANCE_CONNECTION_NAME with your instance's Connection name that appears on the Cloud SQL instances page in the Google Cloud console

Run the gcloud functions deploy command as follows to create Cloud Run functions:

gcloud functions deploy quickstart-function \
--gen2 \
--runtime go120 \
--trigger-http \
--allow-unauthenticated \
--entry-point Votes \
--region YOUR_REGION_NAME \
--vpc-connector=quickstart-connector \
--vpc-egress=all-traffic \
--set-env-vars INSTANCE_HOST=PRIVATE_IP_ADDRESS \
--set-env-vars DB_USER=quickstart-user \
--set-env-vars DB_PASS=DB_PASS \
--set-env-vars DB_NAME=quickstart-db \
--set-env-vars DB_PORT=5432 \
--set-env-vars DB_ROOT_CERT=certs/server-ca.pem \
--set-env-vars DB_CERT=certs/client-cert.pem \
--set-env-vars DB_KEY=certs/client-key.pem \
--set-env-vars PRIVATE_IP=TRUE

Java users should run the gcloud functions deploy command without the INSTANCE_HOST, DB_PORT, DB_ROOT_CERT, DB_CERT, DB_KEY, and PRIVATE_IP flags, as follows, to create Cloud Run functions because the Java connector already provides a secure connection:

gcloud functions deploy quickstart-function \
--gen2 \
--runtime go120 \
--trigger-http \
--allow-unauthenticated \
--entry-point Votes \
--region YOUR_REGION_NAME \
--vpc-connector=quickstart-connector \
--vpc-egress=all-traffic \
--set-env-vars DB_NAME=quickstart-db \
--set-env-vars DB_USER=quickstart-user \
--set-env-vars DB_PASS=DB_PASS \
--set-env-vars INSTANCE_CONNECTION_NAME=INSTANCE_CONNECTION_NAME \
--set-env-vars PRIVATE_IP=TRUE

When you see a confirmation message that Cloud Run functions has been deployed, click the Service URL link in the message to see the deployed Cloud Run functions sample app connected to Cloud SQL.

Java

To deploy a gen2 function to Cloud Run functions, run the following gcloud functions deploy command. Before running the command, update the following variables:

YOUR_REGION_NAME with your region name
PRIVATE_IP_ADDRESS with the private IP address of your Cloud SQL instance displayed on the Cloud SQL instances page in the Google Cloud console
DB_PASS with the password of the quickstart-user that you created in the previous Create a user quickstart step
INSTANCE_CONNECTION_NAME with your instance's Connection name that appears on the Cloud SQL instances page in the Google Cloud console

Run the gcloud functions deploy command as follows to create Cloud Run functions:

gcloud functions deploy quickstart-function \
--gen2 \
--runtime java11 \
--trigger-http \
--allow-unauthenticated \
--entry-point com.example.cloudsql.functions.Main \
--region YOUR_REGION_NAME \
--vpc-connector=quickstart-connector \
--vpc-egress=all-traffic \
--set-env-vars INSTANCE_HOST=PRIVATE_IP_ADDRESS \
--set-env-vars DB_USER=quickstart-user \
--set-env-vars DB_PASS=DB_PASS \
--set-env-vars DB_NAME=quickstart-db \
--set-env-vars DB_PORT=5432 \
--set-env-vars DB_ROOT_CERT=certs/server-ca.pem \
--set-env-vars DB_CERT=certs/client-cert.pem \
--set-env-vars DB_KEY=certs/client-key.pem \
--set-env-vars PRIVATE_IP=TRUE

gcloud functions deploy quickstart-function \
--gen2 \
--runtime java11 \
--trigger-http \
--allow-unauthenticated \
--entry-point com.example.cloudsql.functions.Main \
--region YOUR_REGION_NAME \
--vpc-connector=quickstart-connector \
--vpc-egress=all-traffic \
--set-env-vars DB_NAME=quickstart-db \
--set-env-vars DB_USER=quickstart-user \
--set-env-vars DB_PASS=DB_PASS \
--set-env-vars INSTANCE_CONNECTION_NAME=INSTANCE_CONNECTION_NAME \
--set-env-vars PRIVATE_IP=TRUE

When you see a confirmation message that Cloud Run functions has been deployed, click the Service URL link in the message to see the deployed Cloud Run functions sample app connected to Cloud SQL.

Node.js

To deploy a gen2 function to Cloud Run functions, run the following gcloud functions deploy command. Before running the command, update the following variables:

YOUR_REGION_NAME with your region name
PRIVATE_IP_ADDRESS with the private IP address of your Cloud SQL instance displayed on the Cloud SQL instances page in the Google Cloud console
DB_PASS with the password of the quickstart-user that you created in the previous Create a user quickstart step
INSTANCE_CONNECTION_NAME with your instance's Connection name that appears on the Cloud SQL instances page in the Google Cloud console

Run the gcloud functions deploy command as follows to create Cloud Run functions:

gcloud functions deploy quickstart-function \
--gen2 \
--runtime nodejs18 \
--trigger-http \
--allow-unauthenticated \
--entry-point votes \
--region YOUR_REGION_NAME \
--vpc-connector=quickstart-connector \
--vpc-egress=all-traffic \
--set-env-vars INSTANCE_HOST=PRIVATE_IP_ADDRESS \
--set-env-vars DB_USER=quickstart-user \
--set-env-vars DB_PASS=DB_PASS \
--set-env-vars DB_NAME=quickstart-db \
--set-env-vars DB_PORT=5432 \
--set-env-vars DB_ROOT_CERT=certs/server-ca.pem \
--set-env-vars DB_CERT=certs/client-cert.pem \
--set-env-vars DB_KEY=certs/client-key.pem \
--set-env-vars PRIVATE_IP=TRUE

gcloud functions deploy quickstart-function \
--gen2 \
--runtime nodejs18 \
--trigger-http \
--allow-unauthenticated \
--entry-point votes \
--region YOUR_REGION_NAME \
--vpc-connector=quickstart-connector \
--vpc-egress=all-traffic \
--set-env-vars DB_NAME=quickstart-db \
--set-env-vars DB_USER=quickstart-user \
--set-env-vars DB_PASS=DB_PASS \
--set-env-vars INSTANCE_CONNECTION_NAME=INSTANCE_CONNECTION_NAME \
--set-env-vars PRIVATE_IP=TRUE

When you see a confirmation message that Cloud Run functions has been deployed, click the Service URL link in the message to see the deployed Cloud Run functions sample app connected to Cloud SQL.

Python

To deploy a gen2 function to Cloud Run functions, run the following gcloud functions deploy command. Before running the command, update the following variables:

YOUR_REGION_NAME with your region name
PRIVATE_IP_ADDRESS with the private IP address of your Cloud SQL instance displayed on the Cloud SQL instances page in the Google Cloud console
DB_PASS with the password of the quickstart-user that you created in the previous Create a user quickstart step
INSTANCE_CONNECTION_NAME with your instance's Connection name that appears on the Cloud SQL instances page in the Google Cloud console

Run the gcloud functions deploy command as follows to create Cloud Run functions:

gcloud functions deploy quickstart-function \
--gen2 \
--runtime python310 \
--trigger-http \
--allow-unauthenticated \
--entry-point votes \
--region YOUR_REGION_NAME \
--vpc-connector=quickstart-connector \
--vpc-egress=all-traffic \
--set-env-vars INSTANCE_HOST=PRIVATE_IP_ADDRESS \
--set-env-vars DB_USER=quickstart-user \
--set-env-vars DB_PASS=DB_PASS \
--set-env-vars DB_NAME=quickstart-db \
--set-env-vars DB_PORT=5432 \
--set-env-vars DB_ROOT_CERT=certs/server-ca.pem \
--set-env-vars DB_CERT=certs/client-cert.pem \
--set-env-vars DB_KEY=certs/client-key.pem \
--set-env-vars PRIVATE_IP=TRUE

gcloud functions deploy quickstart-function \
--gen2 \
--runtime python310 \
--trigger-http \
--allow-unauthenticated \
--entry-point votes \
--region YOUR_REGION_NAME \
--vpc-connector=quickstart-connector \
--vpc-egress=all-traffic \
--set-env-vars DB_NAME=quickstart-db \
--set-env-vars DB_USER=quickstart-user \
--set-env-vars DB_PASS=DB_PASS \
--set-env-vars INSTANCE_CONNECTION_NAME=INSTANCE_CONNECTION_NAME \
--set-env-vars PRIVATE_IP=TRUE

When you see a confirmation message that Cloud Run functions has been deployed, click the Service URL link in the message to see the deployed Cloud Run functions sample app connected to Cloud SQL.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

In the Google Cloud console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
Select the quickstart-instance instance to open the Instance details page.
In the icon bar at the top of the page, click Delete.
In the Delete instance dialog box, type quickstart-instance, and then click Delete to delete the instance.
In the Google Cloud console, go to the Cloud Run functions page.

Go to Cloud Run functions
Select the checkbox next to the quickstart-function service name.
Click Delete at the top of the Cloud Run functions page.

Optional cleanup steps

If you're not using the Cloud SQL client role that you assigned to the Compute Engine service account, you can remove it.

In the Google Cloud console, go to the IAM page.

Go to IAM
Click the edit icon (which looks like a pencil) for the IAM account named Compute Engine default service account.
Delete the Cloud SQL client role.
Click Save.

If you're not using the APIs that were enabled as part of this quickstart, you can disable them.

APIs that were enabled within this quickstart:
- Compute Engine API
- Cloud SQL Admin API
- Cloud Run API
- Container Registry API
- Cloud Build API

In the Google Cloud console, go to the APIs page.

Go to APIs
Select any API that you would like to disable and then click the Disable API button.

What's next

Based on your needs, you can learn more about creating Cloud SQL instances.

You also can learn about creating PostgreSQL users and databases for your Cloud SQL instance.

For more information about pricing, see Cloud SQL for PostgreSQL pricing.

Learn more about:

Configuring your Cloud SQL instance with a public IP address.
Configuring your Cloud SQL instance with a private IP address.

Additionally, you can learn about connecting to a Cloud SQL instance from other Google Cloud applications: