IAM authentication

Google Cloud offers Identity and Access Management (IAM), which lets you grant access to specific Google Cloud resources and prevent unwanted access to other resources. This page describes how Cloud SQL is integrated with IAM. For a detailed description of Google Cloud IAM, see the IAM documentation.

Cloud SQL provides a set of predefined roles designed to help you control access to your Cloud SQL resources. You can also create your own custom roles if the predefined roles don't provide the sets of permissions you need. In addition, the legacy basic roles (Editor, Viewer, and Owner) are still available to you, although they don't provide the same fine-grained control as the Cloud SQL roles. In particular, the basic roles grant access to resources across Google Cloud, not just Cloud SQL. For more information about basic Google Cloud roles, see Basic roles.

You can set an IAM policy at any level in the resource hierarchy: the organization level, the folder level, or the project level. Resources inherit the policies of all of their parent resources.

IAM references for Cloud SQL

IAM authentication concepts

When using IAM authentication, permission to access a resource (a Cloud SQL instance) isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to principals. For more information, see the IAM overview.

Administrators whose users log in through IAM database authentication can use IAM policies to centrally manage access control to their instances. IAM policies involve the following entities:

  • Principals. For more information, see Concepts related to identity.
  • Roles. For IAM database authentication, a principal requires the cloudsql.instances.login permission to log in to an instance. To get this permission, you bind to either the predefined Cloud SQL Instance User role or a custom role that bundles the permission. For more information about IAM roles, see Roles.
  • Resource. The resources that principals access are Cloud SQL instances. By default, IAM policy bindings are applied at the project level, so principals receive role permissions for all Cloud SQL instances in the project.
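As an added example (not part of the Google documentation), the following Python script audits a project-level IAM policy for the entities listed above: it reports every principal that holds the cloudsql.instances.login permission, either through the predefined Cloud SQL Instance User role (roles/cloudsql.instanceUser) or through a custom role that bundles the permission. The policy JSON, the project id `my-project`, the custom role `dbLogin` and the role-to-permission map are constructed sample data shaped like the output of `gcloud projects get-iam-policy` and `gcloud iam roles describe`.

```python
"""Audit which principals can log in to Cloud SQL instances via IAM database auth."""
import json

# Permission required to log in to an instance with IAM database authentication.
LOGIN_PERMISSION = "cloudsql.instances.login"
# Predefined role that bundles that permission (Cloud SQL Instance User).
INSTANCE_USER_ROLE = "roles/cloudsql.instanceUser"

# Constructed sample policy, shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudsql.instanceUser",
         "members": ["user:alice@example.com", "group:dba@example.com"]},
        {"role": "projects/my-project/roles/dbLogin",          # hypothetical custom role
         "members": ["serviceAccount:app@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/cloudsql.viewer",
         "members": ["user:bob@example.com"]},
        {"role": "roles/owner",
         "members": ["user:carol@example.com"]},
    ]
})

# Constructed sample: permissions of roles you have already looked up with
# `gcloud iam roles describe`. Roles missing from this map cannot be resolved offline.
SAMPLE_ROLE_PERMISSIONS = {
    "projects/my-project/roles/dbLogin": ["cloudsql.instances.get", LOGIN_PERMISSION],
    "roles/cloudsql.viewer": ["cloudsql.instances.get", "cloudsql.instances.list"],
}


def role_grants_login(role, role_permissions):
    """True if the role is the Instance User role or a described role containing the permission."""
    if role == INSTANCE_USER_ROLE:
        return True
    return LOGIN_PERMISSION in role_permissions.get(role, [])


def audit_login_access(policy_json, role_permissions):
    """Return (principal -> set of granting roles, set of roles that could not be resolved).

    Because the bindings are project-level, every listed principal can log in to
    every Cloud SQL instance in the project, not just a single instance.
    """
    principals, unresolved = {}, set()
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        if role != INSTANCE_USER_ROLE and role not in role_permissions:
            unresolved.add(role)      # e.g. basic roles: check them separately
        elif role_grants_login(role, role_permissions):
            for member in binding.get("members", []):
                principals.setdefault(member, set()).add(role)
    return principals, unresolved
```

Run the function against the real policy by piping `gcloud projects get-iam-policy PROJECT --format=json` into it, and describe every role reported as unresolved before concluding that its members cannot log in.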