This page summarizes the Cloud SQL Language Connectors and how to use them with your instances.
Cloud SQL Language Connectors are libraries that provide encryption and IAM authorization when connecting to a Cloud SQL instance. Cloud SQL Language Connectors create authorized connections to the proxy-side server on behalf of a user's application and pass that connection to the application's database driver. They don't provide a network path to a Cloud SQL instance if one is not already present.
Cloud SQL Language Connectors use a client-side component to connect to a proxy server on the Cloud SQL instance. The connector creates a temporary certificate that authorizes the holder to connect to the server-side proxy. The server-side proxy limits access to the Cloud SQL database by requiring a valid TLS certificate in order to connect.
Cloud SQL supports the following Cloud SQL Language Connectors:
- Cloud SQL Java connector
- Cloud SQL Python connector
- Cloud SQL Go connector
- Cloud SQL Node.js connector
Cloud SQL recommends using Cloud SQL Language Connectors to connect to your Cloud SQL instance. You can also connect to a Cloud SQL instance using a database client or the Cloud SQL Auth Proxy. For more information about connecting to a Cloud SQL instance, see About connection options.
Requirements
If your Cloud SQL instance uses
shared certificate authority (CA)
as its serverCaMode
(Preview), then on the client side,
make sure that the Cloud SQL Language Connectors you're using meet
their version requirements:
- Cloud SQL Java connector: v1.21.0 or later
- Cloud SQL Go connector: v1.12.0 or later
- Cloud SQL Node.js connector: v1.4.0 or later
Benefits of Cloud SQL Language Connectors
Cloud SQL Language Connectors provide the following benefits with connecting to a Cloud SQL instance:
- IAM authorization: Uses identity and access management (IAM) permissions to control who or what can connect to your Cloud SQL instances.
- Convenience: Removes the requirement to manage SSL certificates, configure firewall rules, or enable authorized networks.
Enforce the use of Cloud SQL Language Connectors
By using connector enforcement, you can enforce using only the Cloud SQL Auth Proxy or Cloud SQL Language Connectors to connect to Cloud SQL instances. With connector enforcement, Cloud SQL rejects direct connections to the database.
If you're using a Private Service Connect-enabled instance, then there's a limitation. If the instance has connector enforcement enabled, then you can't create read replicas for the instance. Similarly, if the instance has read replicas, then you can't enable connector enforcement for the instance.
For more information about how to enforce using only the Cloud SQL Auth Proxy or Cloud SQL Language Connectors to connect to an instance, see Connect using Cloud SQL Language Connectors.
What's next
- Connect using the Cloud SQL Java Connector.
- Connect using the Cloud SQL Python Connector.
- Connect using the Cloud SQL Go Connector.
- Connect using the Cloud SQL Node.js Connector.
- Learn more about the Cloud SQL Auth Proxy.