This page describes how Cloud SQL works with PostgreSQL users and roles. PostgreSQL roles enable you to control what kind of access and capabilities a user has when they access your PostgreSQL instance.
PostgreSQL roles and users
PostgreSQL roles can be a single role, or they can function as a group of roles.
A user is simply a role with the ability to login (the role has the
attribute). Because all roles created by Cloud SQL have the
attribute, Cloud SQL uses the terms "role" and "user" interchangeably.
However, if you create a role with the
psql client, it does not necessarily
All PostgreSQL users must have a password. You cannot login with a user that does not have a password.
Because Cloud SQL PostgreSQL is a managed service it restricts access to certain system procedures and tables that require advanced privileges. In Cloud SQL customers cannot create or have access to users with superuser attributes.
Default PostgreSQL users
When you create a new Cloud SQL for PostgreSQL instance, the default
postgres user is already created for you, though you must set its password.
postgres user is part of the
cloudsqlsuperuser role, and
has the following attributes (privileges):
LOGIN. It does not have the
cloudsqlimportexport user is created with the minimal set of
privileges needed for CSV import/export operations. You have the option to
create your own users to perform these operations but if you don't, the default
cloudsqlimportexport user will be used. The
cloudsqlimportexport user is
a system user and customers cannot directly use it.
Other PostgreSQL users
You can create other PostgreSQL users or roles. All users you
create using Cloud SQL are created as part of the
role, and have the same set of attributes as the
LOGIN. You can change the attributes of any user by using the
ALTER ROLE command.
If you create a new user with the
psql client, you can choose
to associate it with a different role, or give it different attributes.