This page has procedures for creating or editing Cloud SQL instances to allow users or service accounts that are configured to use Cloud SQL IAM database authentication. To learn more about the Cloud SQL IAM integration, see the Overview of Cloud SQL IAM database authentication.
A newly created instance has a postgres database.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
- Install and initialize the Google Cloud CLI.
- Make sure you have the Cloud SQL Admin and Compute Viewer roles on your user account. Learn more about roles and permissions.
Configure new instances for IAM database authentication
Cloud SQL uses a database flag, cloudsql.iam_authentication, to enable and disable IAM user connections on an instance. In this procedure, you turn that flag on.
To configure a new instance that uses Cloud SQL IAM database authentication:
Console
- In the Google Cloud console, go to the Cloud SQL Instances page.
- Click Create instance.
- Select PostgreSQL and click Next.
- Enter a name for the Instance ID. Do not include sensitive or personally identifiable information in your instance name; it is externally visible. You do not need to include the project ID in the instance name. The project ID is included automatically where appropriate (for example, in the log files).
- Enter a password for the root user.
- In the Location section, select the region and zone for your instance. Place your instance in the same region as the resources that access it. The region you select can't be modified in the future. Usually, you don't need to specify a zone.
- Select a database version.
- In the Configuration options section, expand Flags.
- Select + Add item.
- Enter cloudsql.iam_authentication for the flag name. Make sure that On is selected for this flag.
- Configure other instance settings, as needed. For more information about settings, see Settings.
- Click Create.
gcloud
Run gcloud sql instances create with the --database-flags parameter set to cloudsql.iam_authentication=on.
Replace the following:
- INSTANCE_NAME: The name of the new instance.
- POSTGRES_VERSION: The PostgreSQL version (such as POSTGRES_9_6, POSTGRES_10, POSTGRES_11, or POSTGRES_12).
- NUMBER_OF_CORES: The number of cores in the machine.
- AMOUNT_OF_MEMORY: The amount of memory in the machine. A size unit must be provided (such as 3072MiB or 9GiB).
- ZONE_NAME: The preferred Compute Engine zone (such as us-central1-a or us-central1-b).
- PASSWORD: The password to create for the root user.
gcloud sql instances create INSTANCE_NAME \
  --database-version=POSTGRES_VERSION \
  --cpu=NUMBER_OF_CORES \
  --memory=AMOUNT_OF_MEMORY \
  --zone=ZONE_NAME \
  --root-password=PASSWORD \
  --database-flags=cloudsql.iam_authentication=on
REST v1beta4
Do not include sensitive or personally identifiable information in your instance name; it is externally visible.
You do not need to include the project ID in the instance name. The project ID is included automatically where appropriate (for example, in the log files).
Before using any of the request data, make the following replacements:
- instance-id: The desired instance ID
- region: The desired region, such as us-east-1
- project-id: Your project ID
- location-id: The location ID
- database-version: Enum string of the database version, for example POSTGRES_12
- password: The password for the root user
- machine-type: Enum string of the machine (tier) type, in the form db-custom-[CPUS]-[MEMORY_MBS]
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/locations/location-id/instances
Request JSON body:
{
  "name": "instance-id",
  "region": "region",
  "databaseVersion": "database-version",
  "rootPassword": "password",
  "settings": {
    "tier": "machine-type",
    "backupConfiguration": {
      "enabled": true
    },
    "databaseFlags": [
      {
        "name": "cloudsql.iam_authentication",
        "value": "on"
      }
    ]
  }
}
You should receive a JSON response similar to the following:
{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-01T19:13:21.834Z",
  "operationType": "CREATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}
Configure existing instances for Cloud SQL IAM database authentication
To configure IAM database authentication on an existing instance:
Console
- In the Google Cloud console, go to the Cloud SQL Instances page.
- To open the Overview page of an instance, click the instance name.
- Click Edit.
- In the Configuration options section, expand Flags.
- Select + Add item.
- Enter cloudsql.iam_authentication for the flag name. Make sure that On is selected for this flag.
- Configure other instance settings, as needed. For more information about settings, see Settings.
- Click Save.
gcloud
For information about installing and getting started with the gcloud command-line tool, see [Installing gcloud CLI](/sdk/docs/install). For information about starting Cloud Shell, see the [Cloud Shell documentation](/shell/docs/starting-cloud-shell).
For this procedure, use gcloud sql instances patch.
Replace the following:
- INSTANCE_NAME: The name of the instance to update.
gcloud sql instances patch INSTANCE_NAME \
  --database-flags=cloudsql.iam_authentication=on
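Scripting the check and the patch above, as an added example that is not Google's code: it reads the JSON that `gcloud sql instances describe INSTANCE_NAME --format=json` prints (a constructed sample is embedded), reports whether cloudsql.iam_authentication is on, and builds the --database-flags value so that flags already set on the instance are carried over, since setting database flags in a patch replaces the existing list rather than appending to it.

```python
"""Audit and build database flags for cloudsql.iam_authentication.

Added example, not Google's code. Input is the JSON printed by
`gcloud sql instances describe INSTANCE_NAME --format=json`.
"""
import json

IAM_FLAG = "cloudsql.iam_authentication"

# Constructed sample (not captured from a real project): one flag is
# already set on the instance, IAM authentication is not.
SAMPLE_DESCRIBE = json.dumps({
    "name": "instance-id",
    "databaseVersion": "POSTGRES_12",
    "settings": {
        "tier": "db-custom-2-7680",
        "databaseFlags": [
            {"name": "log_min_duration_statement", "value": "500"}
        ],
    },
})


def _flags(describe_json: str) -> dict:
    """Map flag name -> value from the settings.databaseFlags list."""
    settings = json.loads(describe_json).get("settings", {})
    return {f["name"]: f.get("value", "") for f in settings.get("databaseFlags", [])}


def iam_auth_enabled(describe_json: str) -> bool:
    """True only when the flag is present and its value is 'on'."""
    return _flags(describe_json).get(IAM_FLAG, "off").lower() == "on"


def flags_with_iam_auth(describe_json: str) -> list:
    """Full databaseFlags list with IAM auth on. A patch that sets
    database flags replaces the whole list, so existing flags are kept."""
    merged = _flags(describe_json)
    merged[IAM_FLAG] = "on"
    return [{"name": n, "value": v} for n, v in sorted(merged.items())]


def gcloud_flag_arg(flags: list) -> str:
    """Format the list as the value for --database-flags."""
    return ",".join(f"{f['name']}={f['value']}" for f in flags)


if __name__ == "__main__":
    print("IAM auth enabled:", iam_auth_enabled(SAMPLE_DESCRIBE))
    print("--database-flags=" + gcloud_flag_arg(flags_with_iam_auth(SAMPLE_DESCRIBE)))
```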
REST v1beta4
Before using any of the request data, make the following replacements:
- project-id: Your project ID
- location-id: The location ID
- instance-id: The desired instance ID
- region: The desired region
- database-version: Enum string of the database version, for example POSTGRES_12
- password: The password for the root user
- machine-type: Enum string of the machine (tier) type, in the form db-custom-[CPUS]-[MEMORY_MBS]
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/locations/location-id/instances
Request JSON body:
{
  "name": "instance-id",
  "region": "region",
  "databaseVersion": "database-version",
  "rootPassword": "password",
  "settings": {
    "tier": "machine-type",
    "backupConfiguration": {
      "enabled": true
    },
    "databaseFlags": [
      {
        "name": "cloudsql.iam_authentication",
        "value": "on"
      }
    ]
  }
}
You should receive a JSON response similar to the following:
{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-01T19:13:21.834Z",
  "operationType": "CREATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}
What's next
- Learn more about IAM database authentication.
- Learn how to configure read replica logins for IAM database authentication.
- Learn how to create users and service accounts that use Cloud SQL IAM database authentication.
- Learn how to log in to a Cloud SQL database using IAM database authentication.
- Learn how to manage users and service accounts for IAM database authentication.