Cloud SQL for PostgreSQL error messages

This page discusses some of the error messages encountered in Cloud SQL.


Error messages in Cloud SQL come from many sources and appear in many places. Some error messages come from the database engines themselves, some from the Cloud SQL service, some from client applications, and some are returned by calls to the Cloud SQL Admin API.

This page includes some of the most common errors seen in Cloud SQL. If you do not find the error code or message you are looking for here, you can look for source reference material here:

If you don't find the reference material for the error message that you're seeing, you can also search in some of these places where other users may have relevant experience:

Operational errors

A | B | C | D | E | F | G | I | L | M | N | O | P | Q | R | S | T | U | W

Error message Troubleshooting
Access denied for user 'XXX'@'XXX' (using password: XXX) There could be several causes, including:
  • The username (or password) is incorrect.
  • The user is connecting from a URL other than @XXX.
  • The user doesn't have the correct privileges for the database they're trying to connect to.

Try these things ...

  • Verify the username and corresponding password.
  • Check the origin of the connection to see if it matches the URL where the user has access privileges.
  • Check the user's grant privileges in the database.
Allocated IP range not found in network. VPC peerings were not updated after an allocated range was modified or removed.

You need to modify the private connection. Use the following command, and make sure to use the --force argument:

gcloud services vpc-peerings update \
--network=VPC_NETWORK \
Error message Troubleshooting
Bad request. This message can have many causes. Illegal Argument is one of the most common. In this case, the request is using either the wrong argument or an invalid value for the argument. For the many other causes, the error message might contain a useful hint.

For Illegal Argument, check the request to make sure each argument is permissible and each value for the argument is valid. For all other causes, check the log files to see if there is more information there.

Error message Troubleshooting
Cannot modify allocated ranges in CreateConnection. Please use UpdateConnection. VPC peerings were not updated after an allocated range was modified or removed.

You need to modify the private connection. Use the following command, and make sure to use the --force argument:

gcloud services vpc-peerings update \
--network=VPC_NETWORK \
Connection reset by peer.

If you're trying to perform an export and Cloud Storage doesn't receive any data within a certain time frame, then the connection resets.

Try a manual export using pg_dump.

Constraints/sql.restrictAuthorizedNetworks. The cloning operation is blocked by the Authorized Networks configuration. Authorized Networks are configured for public IP addresses in the Connectivity section of the Google Cloud console, and cloning isn't permitted due to security considerations.

Remove all Authorized Networks entries from the Cloud SQL instance if you can. Otherwise, create a replica without any Authorized Networks entries.

Error message Troubleshooting
Database user does not exist. gcloud sql connect --user only works with the default postgres user.

Connect with the default user and then change users.

Disk is full. The primary instance disk size can become full during replica creation.

Edit the primary instance to upgrade it to a larger disk size.

Error message Troubleshooting
Failed to create subnetwork. No more available addresses in the IP range.

Couldn't find free blocks in allocated IP ranges. Please allocate new ranges for this service provider.

There are no more available addresses in the allocated IP range.

Consider these possible scenarios:

  • The size of the allocated IP range for the private service connection is smaller than /24.
  • The size of the allocated IP range for the private service connection is too small for the number of Cloud SQL instances.
  • The requirement on the size of allocated IP range will be larger if instances are created in multiple regions. See allocated range size

For each of the above scenarios, you can elect to either expand the existing or allocate an additional IP range to the private service connection.

If you're allocating a new range, take care to not create an allocation that overlaps with any existing allocations.

After creating a new IP range, update the VPC peering with the following command:

gcloud services vpc-peerings update \
--project=PROJECT_ID \

If you're expanding an existing allocation, take care to only increase the allocation range and not decrease it. For example, if the original allocation was, make the new allocation at least

In general, if starting from a /24 allocation, decrementing the /mask by 1 for each condition (additional instance type group, additional region) is a good rule of thumb. For example, if trying to create both instance type groups on the same allocation, going from /24 to /23 is enough.

After expanding an existing IP range, update the vpc peering with following command:

gcloud services vpc-peerings update \
--network=VPC_NETWORK \
--project=PROJECT_ID \
Error message Troubleshooting
(gcloud.sql.connect) It seems your client does not have ipv6 connectivity and the database instance does not have an ipv4 address. You're trying to connect to your private IP instance using Cloud Shell.

Connecting from Cloud Shell to an instance with only a private IP address isn't currently supported.

Error message Troubleshooting
Internal error. The project could be missing the Service Networking service account required for this feature.

To repair service permissions, disable the Service Networking API, wait five minutes and then re-enable it.

Invalid request: Incorrect Service Networking config for instance. Service Networking API isn't enabled in the project.

Enable the Service Networking API in your project. If you see this error when you're trying to assign a private IP address to a Cloud SQL instance, and you're using a Shared VPC, you also need to enable the Service Networking API for the host project.

Error message Troubleshooting
Network association failed. The Service Networking API isn't enabled in the project.

Enable the Service Networking API in your project. If you see this error when you're trying to assign a private IP address to a Cloud SQL instance, and you're using a Shared VPC, you also need to enable the Service Networking API for the host project.

Error message Troubleshooting
Operation failed because another operation was already in progress. Most operations in Cloud SQL are synchronous. You can run only one at a time.

Wait for the previous operation to finish before beginning another.

Operation isn't valid for this instance. This error is returned from an API call to instances.restoreBackup, and it means that you cannot restore from backup to an instance with a storage size (XX GB) smaller than the backup size (YY GB).

Edit the target instance to increase its storage size.

Error message Troubleshooting
Password authentication failed for user "postgres". When you create a new Cloud SQL for PostgreSQL instance, the default admin user postgres is created but not the password. You need to set a password for this user before the user can log in.

Error message Troubleshooting
Quota exceeded. You reached the limit of your per-minute or daily quota. Review the quotas and limits for Cloud SQL.

Request an increase to your quotas from the Google Cloud console.

Error message Troubleshooting
Remaining connection slots are reserved. The maximum allowed connections have been reached.

Increase the value of the max_connections flag. See Configuring database flags.

Request is missing a valid API key. You might not have a valid service account key JSON file, or it might not be stored in the expected location.

Verify that you have a valid service account key JSON file in the location stored in the GOOGLE_APPLICATION_CREDENTIALS environment variable and that the variable points to the correct location.

Error message Troubleshooting
SSL error: invalid padding. Server certificate error.

Create a new server certificate and rotate.

System error occurred.
  • The user might not have all the Cloud Storage permissions it needs.
  • The database table might not exist.

Try these things ...

  • Check that you have at least WRITER permissions on the bucket and READER permissions on the export file. For more information on configuring access control in Cloud Storage, see Create and Manage Access Control Lists
  • Ensure the table exists. If the table does exist, confirm that you have the correct permissions on the storage bucket.
Error message Troubleshooting
Table definition changed. During the export process a change occurred in the table.

The dump transaction can fail if you use the following statements during the export operation:


Remove any of these statements from the dump operation.

Temporary file size exceeds temp_file_limit. The temp_file_limit flag is set too low for your database usage.

Increase the temp_file_limit size. See Configuring database flags.

(Timeout) during export. CSV and SQL formats do export differently. The SQL format includes the entire database and is likely to take longer to complete.

Use the CSV format and run multiple, smaller export jobs to reduce the size and length of each operation.

Too many connections. Setting the max_connections flag value too high can cause this error. This can also be caused by enabling a flag out of sequence.

Lower the max_connections flag value, or contact customer support to request a flag removal followed by a hard drain. This forces the instance to restart on a different host with a fresh configuration, without the flag or setting.

Error message Troubleshooting
Unauthorized to connect. There can be many causes because authorization occurs at many levels:
  • At the database level, the database user must exist and its password match
  • At the project level, the user might not have the correct IAM permissions, including the or cloudsql.instances.connect permissions.
  • At the network level, if the Cloud SQL instance is using public IP the connection's source IP must be in an authorized network.

Try these things ...

  • Ensure the user exists and its password matches.
  • Assign the Service Usage Consumer role to the user account. This role includes the permission
  • If using public IP, ensure the source IP is in an authorized network.
Error message Troubleshooting
x509: certificate isn't valid for any names. Known issue: The Cloud SQL Proxy Dialer isn't compatible with Go 1.15 at this time.

Until fixed, see this discussion on GitHub, which includes a workaround.

Unknown errors

The following table shows some known cases where an Unknown Error can occur, and lists specific remedies where applicable. However, this is not a complete list. If you don't find your case in the table, check with the public issue tracker for Cloud SQL. If you don't find the issue there, consider submitting a report, or reviewing other support options.

Operation The issue might be... Things to try...
Add user If the user already exists in the database, this error can occur when you try to add them. Check to make sure the user doesn't already exist in the database.
Backup If you see this during automated or manual backups, it's likely the instance disk is full. If the temporary file size is taking up too much space, you can restart the instance to remove the file and free up the disk space. Otherwise, you might need to upgrade your instance to a larger disk size.
Clone This can occur when there is a shortage of resources in the selected zone. Try another zone in the region, or wait and try again later.
Create instance
  • This can occur when you are trying to re-use the same name as a recently-deleted instance.
  • It can also be caused by intermittent connectivity issues.
  • The logs might show that the Service Networking API is not enabled for the project.
  • The error has also been seen when trying to create multiple instances in parallel. For example, Terraform scripts make this attempt possible.
  • Another cause can be that a specific resource is exhausted or a quota limit has been exceeded. Look in the logs for an entry like Quota 'INTERNAL_FORWARDING_RULES_WITH_TARGET_INSTANCE_PER_NETWORK' exceeded. Limit: 100.0 globally
  • This error can occur if subnet creation fails when there are no more available addresses in the IP range.
  • Instance names cannot be re-used until about a week after deletion.
  • In the case of intermittent connectivity issues, the only remedy is to try again.
  • Enable the Service Networking API for the project.
  • Parallel instance creation scripts will only succeed in creating one of the instances. Modify the script to wait until each instance create operation is complete before continuing to the next one.
  • Allocate new ranges.
Create replica It's likely that a more specific error is in the log files. Inspect the logs in Cloud Logging to find the actual error.

If the error is set Service Networking service account as servicenetworking.serviceAgent role on consumer project, disable and re-enable the Service Networking API. This action creates the service account necessary to continue with the process.

If the error is The instance creation failed due to a permission error with the CMEK key defined, review the key settings and location.

Export If you see this while trying to export a database to a Cloud Storage bucket, the transfer may be failing due to a bandwidth issue. The Cloud SQL instance may be located in a different region than the Cloud Storage bucket. Reading and writing data from one continent to another involves a lot of network usage, and can cause intermittent issues like this.
Failover (automatic) An automatic failover operation can produce this error message when the service detects that the primary instance is still responsive. There is nothing to be done in this case. The failover won't occur because it isn't needed.
Import The import file may contain statements which require the superuser role. Edit the file to remove any statements which require the superuser role.

Cloud SQL also uses some third-party binaries (for example, mysqld), which can generate unknown error messages. Such errors are internal to the third-party binaries and are outside the scope of Cloud SQL. However, sometimes a more specific error can be found in the Cloud SQL log files at around the same time.

Also, sometimes it is an error code that is unknown. In this case, the complete message can be Unknown Error Code.