This page provides information about IAM roles and permissions and how they are used when connecting to a Cloud SQL instance.
Introduction
Access control for Google CloudAPIs encompasses authentication, authorization, and auditing. Authentication determines who you are. Application developers use IAM service and user accounts for authentication in Google Cloud. Accounts use roles, which include sets of permissions. See Project access control for a complete list of all the roles and permissions available in Cloud SQL.
When you use an account to connect to a Cloud SQL instance, the account must have the Cloud SQL > Client role, which includes the following permissions required for connecting:
roles/cloudsql.instances.connectroles/cloudsql.instances.get
You can add roles to an account in the Console on the IAM & Admin > IAM page, and see which permissions belong to which roles on the IAM & Admin > Roles page.
Cloud SQL uses service accounts for authentication between Cloud SQL
and other Google Cloud products. Service accounts provide credentials in
JSON format, which you can download from the Console and use for authentication
in various scenarios, such as connecting from an application running in a
docker container.
Cloud SQL roles and permissions with Cloud SQL Proxy
If you are connecting to a Cloud SQL instance from a Compute Engine instance using Cloud SQL Proxy, you can use the default Compute Engine service account associated with the Compute Engine instance.
As with all accounts connecting to a Cloud SQL instance, the service account must have the Cloud SQL > Client role.
Cloud SQL roles and permissions with serverless options
You use a service account to authorize access from these options. The service account authorizes access to all Cloud SQL in a specific project. When you create an application or a Cloud Functions, this service creates this account for you. You can find the account on the IAM & Admin > IAM page, with the appropriate suffix:
| Serverless option | Service account suffix |
|---|---|
| App Engine | @gae-api-prod.google.com.iam.gserviceaccount.com |
| Cloud Functions | @gcf-admin-robot.iam.gserviceaccount.com |
| Cloud Run | compute@developer.gserviceaccount.com |
As with all accounts connecting to a Cloud SQL instance, the service account must have the Cloud SQL > Client role.
Cloud SQL roles and permissions with Cloud Storage
The import and export features in Cloud SQL work together. Exports write to Cloud Storage and imports read from there. For this reason, the service account you use for these operations needs both read and write permissions to Cloud Storage:
- To export data to Cloud Storage, the Cloud SQL instance's service
account needs to have the
legacyBucketWriterCloud IAM role set in the project. - To import data from Cloud Storage, the Cloud SQL instance's
service account must have the
legacyBucketReaderCloud IAM role set in the project. - You can use the
gsutil iamcommand to grant these Cloud IAM roles to the service account for the bucket. - For help with setting Cloud IAM permissions, see Using Cloud IAM permissions.
- For more information, see Cloud Identity and Access Management for Cloud Storage.
Cloud SQL roles and permissions with other scenarios
Cloud SQL interacts with other Google Cloud products and tools. These interactions also require specific roles and permissions which can vary between scenarios. Cloud SQL documentation provides detailed information about these requirements for each case below:
To connect to a Cloud SQL instance from an application running in Google Kubernetes Engine, you will need to create a Secret for a service account's JSON key file.
What's next
- Learn more about instance access control
- Learn more about project access control