This page discusses the two levels of access control for Cloud SQL instances. You must configure both levels of access control before you can manage your instance.
Levels of access control
Configuring access control involves controlling who or what can access the instance. Access control occurs on two levels:
- Instance-level access
- Instance-level access authorizes access to your Cloud SQL instance from an application or client (running on an App Engine standard environment or externally) or from another Google Cloud service, such as Compute Engine.
- Database access
- Database access uses server-level roles to control which SQL Server users can access the data in your instance.
Instance-level access
How you configure instance-level access depends on where you are connecting from:| Connection source | Access configuration options | More information |
|---|---|---|
| Google Kubernetes Engine |
|
|
| App Engine standard environment |
|
|
| flexible environment |
|
|
sqlcmd client |
|
|
| External applications |
|
|
| Cloud Run functions |
|
|
| Cloud Run |
|
|
| Google Kubernetes Engine |
|
Database access
After a user or application connects to a database instance, the user or application must log in with a user or service account. As part of creating a Cloud SQL instance, you set up the default user (root) account. You can also create more users to give you finer-grained control over access to your instance.
For more information, see SQL Server users and Creating and managing SQL Server users.
What's next
- Learn more about how Cloud SQL works with SQL Server users.
- Learn more about SQL Server roles.
- Learn more about your options for connecting from an external application.
- Learn about controlling who can manage your Google Cloud Platform project.