Configuring instances for IAM database authentication

MySQL | PostgreSQL | SQL Server

This page has procedures for creating or editing Cloud SQL instances to allow users or service accounts that are configured to use Cloud SQL IAM database authentication. To learn more about the Cloud SQL IAM integration, see the Overview of Cloud SQL IAM database authentication.

Before you begin

Sign in to your Google Account.
If you don't already have one, sign up for a new account.
In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

Go to the project selector page
Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
Install and initialize the Cloud SDK.
Make sure you have the Cloud SQL Admin and Compute Viewer roles on your user account.
Go to the IAM page

Learn more about roles and permissions.

Configuring new instances for IAM database authentication

To configure a new instance that uses Cloud SQL IAM database authentication:

Console

Go to the Cloud SQL Instances page in the Google Cloud Console.
Go to the Cloud SQL Instances page
Click Create instance.
Select PostgreSQL and click Next.
Enter a name for the Instance ID. Do not include sensitive or personally identifiable information in your instance name; it is externally visible. You do not need to include the project ID in the instance name. The project ID is included automatically where appropriate (for example, in the log files). Note: You cannot reuse an instance name for up to a week after you have deleted the instance.
Enter a password for the postgres user.
Under Location, select the region and zone for your instance. Place your instance in the same region as the resources that access it. The region you select can't be modified in the future. Usually, you don't need to specify a zone.
Note: If there is a resource location constraint on your organization policy, you must select one of the regions that the organization policy allows. If a constraint exists, you see a message about Resource Location Restriction in the Location section. Learn more.
Select a database version.
Under Configuration options, expand Flags.
Select + Add item.
Enter cloudsql.iam_authentication for the flag name. Make sure that On is selected for this flag.
Configure other instance settings, as needed. For more information about settings, see Settings.
Click Create.

gcloud

Run gcloud sql instances create with the cloudsql.iam_authentication database flag set to on.

Replace the following:

INSTANCE_NAME: The name of the new instance.
POSTGRES_VERSION: The PosgreSQL version (such as POSTGRES_9_6, POSTGRES_10, POSTGRES_11, or POSTGRES_12).
NUMBER_OF_CORES: The number of cores in the machine.
AMOUNT_OF_MEMORY: The amount of memory in the machine. A size unit should be provided (such as, 3072MiB or 9GiB).
ZONE: Preferred Compute Engine zone (such as us-central1-a, or us-central1-b).
PASSWORD: Create a password for the root user.

gcloud sql instances create INSTANCE_NAME
--database-version=POSTGRES_VERSION --cpu=NUMBER_OF_CORES
--memory=AMOUNT_OF_MEMORY --zone=ZONE_NAME
--root-password=PASSWORD --database-flags cloudsql.iam_authentication=on

REST v1beta4

Do not include sensitive or personally identifiable information in your instance name; it is externally visible.

You do not need to include the project ID in the instance name. The project ID is included automatically where appropriate (for example, in the log files).

Before using any of the request data below, make the following replacements:

instance-id: The desired instance ID
region: The desired region, such as us-east-1
project-id: Your project ID
location-id: The location ID
database-version: Enum string of the database version. For example: POSTGRES_12
password: The password for the root user
machine-type: Enum string of the machine (tier) type, as: db-custom-[CPUS]-[MEMORY_MBS]

HTTP method and URL:

POST https://www.googleapis.com/sql/v1beta4/projects/project-id/locations/location-id/instances

Request JSON body:

{
  "name": "instance-id",
  "region": "region",
  "databaseVersion": "database-version",
  "rootPassword": "password",
  "settings": {
    "tier": "machine-type",
    "backupConfiguration": {
      "enabled": true
    },
    "databaseFlags": [
      {
        "name": "cloudsql.iam_authentication",
        "value": "on"
      }
    ]
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The command below assumes that you have used either gcloud init or gcloud auth login to authenticate gcloud with your user account. You can check the currently active account by executing gcloud auth list.

Save the request body in a file called request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
https://www.googleapis.com/sql/v1beta4/projects/project-id/locations/location-id/instances

PowerShell (Windows)

Save the request body in a file called request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://www.googleapis.com/sql/v1beta4/projects/project-id/locations/location-id/instances" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-01T19:13:21.834Z",
  "operationType": "CREATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://www.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

To see how the underlying REST API request is constructed for this task, see the APIs Explorer on the instances:insert page.

Configuring existing instances for Cloud SQL IAM database authentication

To configure IAM database authentication on an existing instance:

Console

Go to the Cloud SQL Instances page in the Google Cloud Console.
Go to the Cloud SQL Instances page
Click the name of the instance you want to edit.
Click EDIT.
Under Configuration options, expand Flags.
Select + Add item.
Enter cloudsql.iam_authentication for the flag name. Make sure that On is selected for this flag.
Configure other instance settings, as needed. For more information about settings, see Settings.
Click Save.

gcloud

For information about installing and getting started with the gcloud command-line tool, see Installing Cloud SDK. For information about starting Cloud Shell, see the Cloud Shell documentation.

Run gcloud sql instances patch with the cloudsql.iam_authentication database flag set to on.

Replace the following:

INSTANCE_NAME: The name of the new instance.

gcloud sql instances patch INSTANCE_NAME --database-flags
    cloudsql.iam_authentication=on

REST v1beta4

Before using any of the request data below, make the following replacements:

project-id: Your project ID
location-id: The location ID
instance-id: The desired instance ID
region: The desired region
database-version: Enum string of the database version. For example: POSTGRES_12
password: The password for the root user
machine-type: Enum string of the machine (tier) type, as: db-custom-[CPUS]-[MEMORY_MBS]

HTTP method and URL:

POST https://www.googleapis.com/sql/v1beta4/projects/project-id/locations/location-id/instances

Request JSON body:

{
  "name": "instance-id",
  "region": "region",
  "databaseVersion": "database-version",
  "rootPassword": "password",
  "settings": {
    "tier": "machine-type",
    "backupConfiguration": {
      "enabled": true
    }
    "databaseFlags":
    [
      {
        "name": "cloudsql.iam_authentication",
        "value": "on"
      }
    ]
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file called request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
https://www.googleapis.com/sql/v1beta4/projects/project-id/locations/location-id/instances

PowerShell (Windows)

Save the request body in a file called request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://www.googleapis.com/sql/v1beta4/projects/project-id/locations/location-id/instances" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-01T19:13:21.834Z",
  "operationType": "CREATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://www.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

What's next

Learn more about IAM database authentication.
Learn how to configure read replica logins for IAM database authentication.
Learn how to create users and service accounts that use Cloud SQL IAM database authentication.
Learn how to grant login access to a user or service account.
Learn how to log in to a Cloud SQL database.
Learn how to manage users and service accounts for IAM database authentication.