IAM authentication

Google Cloud offers Identity and Access Management (IAM), which lets you give access to specific Google Cloud resources and prevent unwanted access to other resources. This page describes how Cloud SQL is integrated with IAM . For a detailed description of Google Cloud IAM, see IAM documentation.

Cloud SQL provides a set of predefined roles designed to help you control access to your Cloud SQL resources. You can also create your own custom roles, if the predefined roles don't provide the sets of permissions you need. In addition, the legacy basic roles (Editor, Viewer, and Owner) are also still available to you, although they don't provide the same fine-grained control as the Cloud SQL roles. In particular, the basic roles provide access to resources across Google Cloud, rather than just for Cloud SQL. For more information about basic Google Cloud roles, see Basic roles.

You can set an IAM policy at any level in the resource hierarchy: the organization level, the folder level, or the project level. Resources inherit the policies of all of their parent resources.

IAM references for Cloud SQL

• Required permissions for common tasks in the Google Cloud console
• Required permissions for gcloud sql commands
• Required permissions for Cloud SQL Admin API methods
• Predefined Cloud SQL IAM roles
• Permissions and their roles
• Custom roles

IAM authentication concepts

When using IAM authentication, permission to access a resource (a Cloud SQL instance) isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to principals. For more information, see the IAM overview.

IAM policies involve the following entities:

• Principals. In Cloud SQL, you can use two types of principals: a user account, and a service account (for applications). For more information, see Concepts related to identity.
• Roles. A role is a collection of permissions. You can grant roles to principals to provide them with the privileges required to accomplish specific tasks. For more information about IAM roles, see Roles.
• Resource. The resources that principals access are Cloud SQL instances. By default, IAM policy bindings are applied at the project-level, such that principals receive role permissions for all Cloud SQL instances in the project.