Manage users with IAM database authentication
This page describes how to add and manage users, service accounts, and groups toa Cloud SQL instance that uses IAM database authentication.
For more information about the IAM integration, seeIAM authentication.
Note: When managing access for users inexternal identity providers, replace instances of Google Account principal identifiers—likeuser:kiran@example.com,group:support@example.com, anddomain:example.com—with appropriateWorkforce Identity Federation principal identifiers.Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.Make sure that billing is enabled for your Google Cloud project.
Install thegcloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Toinitialize the gcloud CLI, run the following command:
gcloudinit
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.Make sure that billing is enabled for your Google Cloud project.
Install thegcloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Toinitialize the gcloud CLI, run the following command:
gcloudinit
- Make sure you have the Cloud SQL Admin role on your user account.
- Enable IAM database authentication on your Cloud SQL instance.
- Assign the necessary
cloudsql.instanceUserIAM role to IAM principals such asIAM users,service accounts, orgroups to log in to the Cloud SQL instance. - If you are adding an individual user or individual service account to the Cloud SQL instance, then you need to assign the IAM role individually to each user and service account.
- If you are adding a group, then you need to assign the IAM role to the group as the members of the group automatically inherit the IAM permissions associated with the IAM role. For more information about creating groups in Cloud Identity, seeCreate and manage Google groups in the Google Cloud console.
- You can grant the role on a project that contains Cloud SQL instances by using the IAM page of Google Cloud console, thegcloud CLI, Terraform, or the Cloud SQL Admin API. For more information, seeAdd an Add an IAM policy binding to a user, service account, or group.
- If you are using a service account, then make sure you have added aservice account for each service that requires access to databases in the project.
For more information about creating service accounts, seeCreate service accounts.
Add an IAM policy binding to a user, service account, or group
This procedure adds a policy binding to the IAM policy of aspecific project, given a project ID and the binding. The binding commandconsists of a member, a role, and an optional condition.
The database username must be the IAM user's email address, forexampleexample-user@example.com. It must be all lowercase and use quotesbecause it contains special characters (@ and.).
Console
In the Google Cloud console, go to theIAM page.
- ClickAdd.
- InNew members, enter an email address. You can add individual users, service accounts, or groups as members, but every project must have at least one principal as a member.
- InRole, navigate toCloud SQL and selectCloud SQL Instance User.
- Optional: If you want to connect using the Cloud SQL Auth Proxy or Cloud SQL Language Connectors, then also selectCloud SQL Client.
- ClickSave.
gcloud
Rungcloud projects add-iam-policy-binding with the--role=roles/cloudsql.instanceUser flag.
Add a policy binding to a user account
Replace the following:
- PROJECT_ID: the ID for the project you want to authorize the user to use.
- USERNAME: the email address for the user.
gcloudprojectsadd-iam-policy-bindingPROJECT_ID\--member=user:USERNAME\--role=roles/cloudsql.instanceUser
If you want to connect using the Cloud SQL Auth Proxy or Cloud SQL Language Connectors, then rungcloud projects add-iam-policy-binding again with the--role=roles/cloudsql.client
Add a policy binding to a service account
Replace the following:
- PROJECT_ID: the ID for the project you want to authorize the user to use.
- SERVICE_ACCT: the email address for the service account.
gcloudprojectsadd-iam-policy-bindingPROJECT_ID\--member=serviceAccount:SERVICE_ACCT\--role=roles/cloudsql.instanceUser
If you want to connect using the Cloud SQL Auth Proxy or Cloud SQL Language Connectors, then rungcloud projects add-iam-policy-binding again with the--role=roles/cloudsql.client
Add a policy binding to a Cloud Identity group
Replace the following:
- PROJECT_ID: The ID for the project that you want to authorize members of the group to use.
- GROUP_EMAIL_ADDRESS: The email address for the group. For example,
example-group@example.com.
gcloudprojectsadd-iam-policy-bindingPROJECT_ID\--member=group:GROUP_EMAIL_ADDRESS\--role=roles/cloudsql.instanceUser
All members of the specified group are granted the Cloud SQL Instance User role and can log in to instances in this project.
If you want to connect using the Cloud SQL Auth Proxy or Cloud SQL Language Connectors, then rungcloud projects add-iam-policy-binding again with the--role=roles/cloudsql.client
Terraform
To add the required policy-binding to the IAM user and service accounts, use aTerraform resource.
data "google_project" "project" {}resource "google_project_iam_binding" "cloud_sql_user" { project = data.google_project.project.project_id role = "roles/cloudsql.instanceUser" members = [ "user:test-user@example.com", "serviceAccount:${google_service_account.default.email}" ]}resource "google_project_iam_binding" "cloud_sql_client" { project = data.google_project.project.project_id role = "roles/cloudsql.client" members = [ "user:test-user@example.com", "serviceAccount:${google_service_account.default.email}" ]}Apply the changes
To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.
Prepare Cloud Shell
- LaunchCloud Shell.
Set the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Environment variables are overridden if you set explicit values in the Terraform configuration file.
Prepare the directory
Each Terraform configuration file must have its own directory (alsocalled aroot module).
- InCloud Shell, create a directory and a new file within that directory. The filename must have the
.tfextension—for examplemain.tf. In this tutorial, the file is referred to asmain.tf.mkdirDIRECTORY && cdDIRECTORY && touch main.tf
If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly created
main.tf.Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
- Review and modify the sample parameters to apply to your environment.
- Save your changes.
- Initialize Terraform. You only need to do this once per directory.
terraform init
Optionally, to use the latest Google provider version, include the
-upgradeoption:terraform init -upgrade
Apply the changes
- Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
terraform plan
Make corrections to the configuration as necessary.
- Apply the Terraform configuration by running the following command and entering
yesat the prompt:terraform apply
Wait until Terraform displays the "Apply complete!" message.
- Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.
Delete the changes
To delete your changes, do the following:
- To disable deletion protection, in your Terraform configuration file set the
deletion_protectionargument tofalse.deletion_protection = "false"
- Apply the updated Terraform configuration by running the following command and entering
yesat the prompt:terraform apply
Remove resources previously applied with your Terraform configuration by running the following command and entering
yesat the prompt:terraform destroy
Terraform
To add the required policy-binding to the IAM user and service accounts, use aTerraform resource.
data "google_project" "project" {}resource "google_project_iam_binding" "cloud_sql_user" { project = data.google_project.project.project_id role = "roles/cloudsql.instanceUser" members = [ "group:example-group@example.com" ]}Apply the changes
To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.
Prepare Cloud Shell
- LaunchCloud Shell.
Set the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Environment variables are overridden if you set explicit values in the Terraform configuration file.
Prepare the directory
Each Terraform configuration file must have its own directory (alsocalled aroot module).
- InCloud Shell, create a directory and a new file within that directory. The filename must have the
.tfextension—for examplemain.tf. In this tutorial, the file is referred to asmain.tf.mkdirDIRECTORY && cdDIRECTORY && touch main.tf
If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly created
main.tf.Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
- Review and modify the sample parameters to apply to your environment.
- Save your changes.
- Initialize Terraform. You only need to do this once per directory.
terraform init
Optionally, to use the latest Google provider version, include the
-upgradeoption:terraform init -upgrade
Apply the changes
- Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
terraform plan
Make corrections to the configuration as necessary.
- Apply the Terraform configuration by running the following command and entering
yesat the prompt:terraform apply
Wait until Terraform displays the "Apply complete!" message.
- Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.
Delete the changes
To delete your changes, do the following:
- To disable deletion protection, in your Terraform configuration file set the
deletion_protectionargument tofalse.deletion_protection = "false"
- Apply the updated Terraform configuration by running the following command and entering
yesat the prompt:terraform apply
Remove resources previously applied with your Terraform configuration by running the following command and entering
yesat the prompt:terraform destroy
REST
Grant thecloudsql.instanceUser andcloudsql.client roles to both types of accounts by editing the JSON or YAML binding policy returned by theget-iam-policy command. Note that this policy change does not take effect until youset the updated policy.
{"role":"roles/cloudsql.instanceUser","members":["user:example-user@example.com""serviceAccount:service1@sql.iam.gserviceaccount.com""group:example-group@example.com"]}{"role":"roles/cloudsql.client","members":["user:example-user@example.com""serviceAccount:service1@sql.iam.gserviceaccount.com"]}
Add an individual IAM user or service account to a Cloud SQL instance
You must create a new user account for each individual IAM useror service account that you are adding to the Cloud SQL instance in order to access databases. If you are adding an IAM group, then you don't need to create a user account for each member of that group.
The database username must be theIAM user's email address and all lowercase.For example,example-user@example.com.
@ and the domain name from the user or service account's email address. For example,example-user@example.com becomesexample-user. For this reason, you can't add two IAM users or service accounts with the same username but different domain names to the same Cloud SQL instance.When using REST commands, the username must use quotes because it containsspecial characters (@ and.). Service accounts use the formatservice-account-name@project-id.iam.gserviceaccount.com.
To add an individual IAM user or service account, you add a newuser account and select IAM as the authentication method:
Console
Note: When you use the Google Cloud console to add a new IAM user or service account to a Cloud SQL instance, Cloud SQL automatically assigns thecloudsql.instanceUser IAM role to the user or service account for all instances in the project. The IAM policy binding is automatically added for the user or service account at the project level. You can view the assignment details for this IAM role in theIAM roles section of the Google Cloud console.In the Google Cloud console, go to theCloud SQL Instances page.
- To open theOverview page of an instance, click the instance name.
- SelectUsers from the SQL navigation menu.
- ClickAdd user account. TheAdd a user account to instanceinstance_name tab opens.
- Click theCloud IAM radio button.
- Add the email address for the user or service account you want to add in thePrincipal field.
- ClickAdd. The user or service account is now in the user account list.
If the user doesn't have the
cloudsql.instanceUserIAM role assigned after user account creation, then a
icon appears next to the username.To give the user login permissions, click the icon, and then selectAdd IAM role. If the icon no longer appears, then the user account is assigned the IAM role that gives the login permission.
gcloud
Create a user account
Use the email, such asexample-user@example.com, to identify the user.
Replace the following:
- USERNAME: the email address for the user.
- INSTANCE_NAME: the name of the instance you want to authorize the user to access.
gcloudsqluserscreateUSERNAME\--instance=INSTANCE_NAME\--type=cloud_iam_user
Create a service account
Replace the following:
- SERVICE_ACCT: the email address of the service account.
- INSTANCE_NAME: the name of the instance you want to authorize the service account to access.
gcloudsqluserscreateSERVICE_ACCT\--instance=INSTANCE_NAME\--type=cloud_iam_service_account
Terraform
To add IAM user and service accounts on an instance with IAM database authentication enabled,use aTerraform resource.
resource "google_sql_database_instance" "default" { name = "mysql-db-auth-instance-name-test" region = "us-west4" database_version = "MYSQL_8_0" settings { tier = "db-f1-micro" database_flags { name = "cloudsql_iam_authentication" value = "on" } }}# Specify the email address of the IAM user to add to the instance# This resource does not create a new IAM user account; this account must# already existresource "google_sql_user" "iam_user" { name = "test-user@example.com" instance = google_sql_database_instance.default.name type = "CLOUD_IAM_USER"}# Create a new IAM service accountresource "google_service_account" "default" { account_id = "cloud-sql-mysql-sa" display_name = "Cloud SQL for MySQL Service Account"}# Specify the email address of the IAM service account to add to the instanceresource "google_sql_user" "iam_service_account_user" { name = google_service_account.default.email instance = google_sql_database_instance.default.name type = "CLOUD_IAM_SERVICE_ACCOUNT"}Apply the changes
To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.
Prepare Cloud Shell
- LaunchCloud Shell.
Set the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Environment variables are overridden if you set explicit values in the Terraform configuration file.
Prepare the directory
Each Terraform configuration file must have its own directory (alsocalled aroot module).
- InCloud Shell, create a directory and a new file within that directory. The filename must have the
.tfextension—for examplemain.tf. In this tutorial, the file is referred to asmain.tf.mkdirDIRECTORY && cdDIRECTORY && touch main.tf
If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly created
main.tf.Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
- Review and modify the sample parameters to apply to your environment.
- Save your changes.
- Initialize Terraform. You only need to do this once per directory.
terraform init
Optionally, to use the latest Google provider version, include the
-upgradeoption:terraform init -upgrade
Apply the changes
- Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
terraform plan
Make corrections to the configuration as necessary.
- Apply the Terraform configuration by running the following command and entering
yesat the prompt:terraform apply
Wait until Terraform displays the "Apply complete!" message.
- Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.
Delete the changes
To delete your changes, do the following:
- To disable deletion protection, in your Terraform configuration file set the
deletion_protectionargument tofalse.deletion_protection = "false"
- Apply the updated Terraform configuration by running the following command and entering
yesat the prompt:terraform apply
Remove resources previously applied with your Terraform configuration by running the following command and entering
yesat the prompt:terraform destroy
REST v1
Create a user account
Before using any of the request data, make the following replacements:
- PROJECT_ID: the project ID
- INSTANCE_ID: the instance ID for the instance you are adding the user to
- USERNAME: the email address for the user
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users
Request JSON body:
{ "name": "USERNAME", "type": "CLOUD_IAM_USER"}To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "kind": "sql#operation", "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID", "status": "DONE", "user": "user@example.com", "insertTime": "2020-02-07T22:44:16.656Z", "startTime": "2020-02-07T22:44:16.686Z", "endTime": "2020-02-07T22:44:20.437Z", "operationType": "CREATE_USER", "name": "OPERATION_ID", "targetId": "INSTANCE_ID", "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID", "targetProject": "PROJECT_ID"}Create a service account
Before using any of the request data, make the following replacements:
- SERVICE_ACCT: the service account email
- PROJECT_ID: the project ID
- INSTANCE_ID: the instance ID for the instance you are adding the service account to
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users
Request JSON body:
{ "name": "SERVICE_ACCT", "type": "CLOUD_IAM_SERVICE_ACCOUNT"}To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{"kind": "sql#operation", "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID", "status": "DONE", "user": "user@example.com", "insertTime": "2020-11-20T04:08:00.211Z", "startTime": "2020-11-20T04:08:00.240Z", "endTime": "2020-11-20T04:08:02.003Z", "operationType": "CREATE_USER", "name": "OPERATION_ID", "targetId": "INSTANCE_ID", "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID", "targetProject": "PROJECT_ID"}REST v1beta4
Create a user account
Before using any of the request data, make the following replacements:
- PROJECT_ID: the project ID
- INSTANCE_ID: the instance ID for the instance you are adding the user to
- USERNAME: the email address for the user
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users
Request JSON body:
{ "name": "USERNAME", "type": "CLOUD_IAM_USER" }To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "kind": "sql#operation", "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID", "status": "DONE", "user": "user@example.com", "insertTime": "2020-02-07T22:44:16.656Z", "startTime": "2020-02-07T22:44:16.686Z", "endTime": "2020-02-07T22:44:20.437Z", "operationType": "CREATE_USER", "name": "OPERATION_ID", "targetId": "INSTANCE_ID", "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID", "targetProject": "PROJECT_ID"}Create a service account
Before using any of the request data, make the following replacements:
- SERVICE_ACCT: the service account email
- PROJECT_ID: the project ID
- INSTANCE_ID: the instance ID for the instance you are adding the service account to
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users
Request JSON body:
{ "name": "SERVICE_ACCT", "type": "CLOUD_IAM_SERVICE_ACCOUNT"}To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{"kind": "sql#operation", "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID", "status": "DONE", "user": "user@example.com", "insertTime": "2020-11-20T04:08:00.211Z", "startTime": "2020-11-20T04:08:00.240Z", "endTime": "2020-11-20T04:08:02.003Z", "operationType": "CREATE_USER", "name": "OPERATION_ID", "targetId": "INSTANCE_ID", "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID", "targetProject": "PROJECT_ID"}Add an IAM group to a Cloud SQL instance
To useIAM group authentication and add an IAM group to a Cloud SQL instance, use one of the procedures in this section. After you add the IAM group, you don't need to add the individual group members to the instance. For more information, seeAdd members of a group to a Cloud SQL instance automatically.
IAM group names have the same length limitations asMySQL usernames and can only be 32 characters long.
If you have an IAM group with a name that exceeds a database engine's username length limitation, then you can still use it for IAM group authentication by nesting it under a parent IAM group that has a name that complies with the length limitation. The parent IAM group must be added to the instance before the nested group can be used.
Console
Note: When you use the Google Cloud console to add a new IAM group to a Cloud SQL instance, Cloud SQL automatically assigns thecloudsql.instanceUser IAM role to the group for all instances in the project. The IAM policy binding is automatically added for the group at the project level. You can see view the IAM role assignment details in theIAM roles of the Google Cloud console.In the Google Cloud console, go to theCloud SQL Instances page.
- To open theOverview page of an instance, click the instance name.
- SelectUsers from the SQL navigation menu.
- ClickAdd user account. TheAdd a user account to instanceinstance_name tab opens.
- Click theCloud IAM radio button.
- Add the email address for the group you want to add in thePrincipal field.
- ClickAdd. The group is now in the user list.
If the group doesn't have the
cloudsql.instanceUserIAM role assigned after user account creation, then a icon appears next to the group.To give the group members login permissions, click the icon, and then selectAdd IAM role. If the icon no longer appears, then all members of the group are assigned the role that gives the login permission.
gcloud
Replace the following:
- GROUP_EMAIL_ADDRESS: the email address of the Cloud Identity group that you want to add to the instance. For example,example-group@example.com.
- INSTANCE_NAME: the name of the instance where you want to add the group.
Run the following command:
gcloudsqluserscreateGROUP_EMAIL_ADDRESS\--instance=INSTANCE_NAME\--type=cloud_iam_group
To add IAM user and service accounts on an instance with IAM database authentication enabled,use aTerraform resource. To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections. Set the default Google Cloud project where you want to apply your Terraform configurations. You only need to run this command once per project, and you can run it in any directory. Environment variables are overridden if you set explicit values in the Terraform configuration file. Each Terraform configuration file must have its own directory (alsocalled aroot module). If you are following a tutorial, you can copy the sample code in each section or step. Copy the sample code into the newly created Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution. Optionally, to use the latest Google provider version, include the Make corrections to the configuration as necessary. Wait until Terraform displays the "Apply complete!" message. To delete your changes, do the following: Remove resources previously applied with your Terraform configuration by running the following command and enteringTerraform
resource "google_sql_database_instance" "default" { name = "mysql-iam-group-auth-instance-name" region = "us-west4" database_version = "MYSQL_8_0" settings { tier = "db-f1-micro" database_flags { name = "cloudsql_iam_authentication" value = "on" } }}# Specify the email address of the Cloud Identity group to add to the instance# This resource does not create a Cloud Identity group; the group must# already existresource "google_sql_user" "iam_group" { name = "example-group@example.com" instance = google_sql_database_instance.default.name type = "CLOUD_IAM_GROUP"}data "google_project" "project" {}resource "google_project_iam_binding" "cloud_sql_user" { project = data.google_project.project.project_id role = "roles/cloudsql.instanceUser" members = [ "group:example-group@example.com" ]}Apply the changes
Prepare Cloud Shell
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Prepare the directory
.tf extension—for examplemain.tf. In this tutorial, the file is referred to asmain.tf.mkdirDIRECTORY && cdDIRECTORY && touch main.tf
main.tf.terraform init
-upgrade option:terraform init -upgrade
Apply the changes
Note: Terraform samples typically assume that the required APIs are enabled in your Google Cloud project.terraform plan
yes at the prompt:terraform apply
Delete the changes
deletion_protection argument tofalse.deletion_protection = "false"
yes at the prompt:terraform apply
yes at the prompt:terraform destroy
Before using any of the request data, make the following replacements: HTTP method and URL: Request JSON body: To send your request, expand one of these options: Save the request body in a file named Save the request body in a file named You should receive a JSON response similar to the following: Before using any of the request data, make the following replacements: HTTP method and URL: Request JSON body: To send your request, expand one of these options: Save the request body in a file named Save the request body in a file named You should receive a JSON response similar to the following:REST v1
POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users
{ "name": "GROUP_EMAIL", "type": "CLOUD_IAM_GROUP"}curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.request.json, and execute the following command:curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users"PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.request.json, and execute the following command:$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users" | Select-Object -Expand Content{ "kind": "sql#operation", "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID", "status": "DONE", "user": "example-group@example.com", "insertTime": "2023-12-07T22:44:16.656Z", "startTime": "2023-12-07T22:44:16.686Z", "endTime": "2023-12-07T22:44:20.437Z", "operationType": "CREATE_USER", "name": "OPERATION_ID", "targetId": "INSTANCE_ID", "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID", "targetProject": "PROJECT_ID"}REST v1beta4
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users
{ "name": "GROUP_EMAIL", "type": "CLOUD_IAM_GROUP"}curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.request.json, and execute the following command:curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users"PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.request.json, and execute the following command:$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users" | Select-Object -Expand Content{ "kind": "sql#operation", "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID", "status": "DONE", "user": "example-group@example.com", "insertTime": "2023-12-07T22:44:16.656Z", "startTime": "2023-12-07T22:44:16.686Z", "endTime": "2023-12-07T22:44:20.437Z", "operationType": "CREATE_USER", "name": "OPERATION_ID", "targetId": "INSTANCE_ID", "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID", "targetProject": "PROJECT_ID"}
Add members of a group to a Cloud SQL instance automatically
When you add an IAM group to a Cloud SQL instance,all members (users and service accounts) of that group inherit the IAMpermissions to authenticate to the instance. You don't need to add the groupmember individually to the Cloud SQL instance. After a group memberlogs in and authenticates successfully to the instance for the first time, Cloud SQL creates a group useraccount or group service account for that group member. You can view the groupmember listed on the instance after their first successful login.
For more information about login,seeLog in using IAM database authentication.
Migrate existing IAM users to use IAM group authentication
Existing IAM users of typeCLOUD_IAM_USER orCLOUD_IAM_SERVICE_ACCOUNTdon't use IAM group authentication.
You can migrate these users to use IAM group authentication.
Add these users to a group.
Add the group to your instance.
Assign the group sufficient IAM permissions tolet group members connect to your instances. These changes might take timeto propagate. For more information about propagation times, seeAccess change propagation.
Assign database privileges assigned to the IAM users you aremigrating to the group.
After group membership changes and IAM permissions areapplied, delete the existing IAM user from your instance.The next time that the IAM user logs in successfully, the user isrecreated as an IAM group user which can use IAM group authentication.
Manage group members on a Cloud SQL instance
When you add an IAM group to a Cloud SQL instance, allmembers (user or service accounts) of that group inherit the IAMpermission to authenticate to the instance. You can control access to aninstance by managing the group in Cloud Identity. For example, if youwant to give a new user access to an instance, then add the user as a group memberin Cloud Identity. You don't need to remove or add group members separatelyat the Cloud SQL instance level because changes to group membership arepropagated from to the Cloud SQL instance automatically. Changesto group membership, such as the addition or removal of a member, take about15 minutes to propagate. The 15 minute propagation delay from Cloud SQLhappens in parallel with thetime required for IAM changes to propagate.
Granting or revoking database privileges for an IAM group in MySQL takes effectimmediately. For example, if you revoke access to a table,members of that IAM group lose access to that table instantly.
It's possible for a user or service account to be a member of multipleIAM groups. If a user or service account belongs to multipleIAM groups on an instance, then they have all theIAM permissions and database privilegescombined from each of those IAM groups.
When you add a new member (user or service account) to the IAMgroup in Cloud Identity and they log in to the instance successfullyfor the first time, then they inherit the database privileges granted to thegroup automatically.To use the newly acquired database privileges within the same login session, use the following statement.
SETROLEALL;For more information, seeSET ROLE in the MySQL Documentation.
Grant database privileges to an individual IAM user or service account
When an individual IAM user or service is added to aCloud SQL instance, that new accountis granted no privileges on any databases, by default.To give database privileges to the accounts, use the GRANT statement. SeetheGRANT reference page for a complete list ofprivileges you can grant to users and service accounts. Run GRANT from themysql command line.
Replace the following:
@ and domain string truncated.For example, if the IAM user's email address isexample-user@example.com, the username would beexample-user. for a service account, this is the email address ofthe service account without the@project-id.iam.gserviceaccount.com domain.grantselectonDATABASE_NAME.TABLE_NAMEto"USERNAME";
Grant database privileges to an IAM group
When you use IAM group authentication, you grant database privileges to IAMgroups instead of granting privileges to individual users or service accounts.By default, when you add an IAM group to a Cloud SQL instance,the group has no database privileges.
To give the database privileges to IAM group, use the GRANT statement.After they log in to the Cloud SQL instance for the first time, each group member(including users and service accounts) inherit the database privileges grantedto the group automatically.
Replace the following:
@ and domain nametruncated. For example, if the IAM group's email address isexample-group@example.com, then the group name isexample-group.Run GRANT from themysql command line.
grantselectonDATABASE_NAME.TABLE_NAMEto"GROUP_NAME"@"HOSTNAME";
ReplaceHOSTNAME with the domain name of the IAM groupemail address.
For more information about granting privileges, see theGRANT reference page in the MySQL documentation.
The database privileges that you grant to the IAM group takeeffect immediately.
View IAM users, service accounts, and groups added to a Cloud SQL instance
To view the IAM users, service accounts, and groups that havebeen added to your Cloud SQL instance, run the following commands.
Console
In the Google Cloud console, go to theCloud SQL Instances page.
- To open theOverview page of an instance, click the instance name.
- SelectUsers from the SQL navigation menu. The page displays a list of IAM users, service accounts, and Cloud Identity groups that have been added to your instance.
- Optional: To view a list of IAM users or service accounts that have already logged in to the instance, clickAuthenticated IAM group members.
gcloud
ReplaceINSTANCE_NAME with the name of the instance that has the groups you want to view.
gcloudsqluserslist--instance=INSTANCE_NAMEGroups have a user type ofCLOUD_IAM_GROUP.
The output also lists user and service accounts onyour Cloud SQL instance.
- User accounts that are members of a group have the type of
CLOUD_IAM_GROUP_USER. - Service accounts that are members of a group have the type
CLOUD_IAM_GROUP_SERVICE_ACCOUNT. - User accounts that are individual IAM database authentication user accounts have the type of
CLOUD_IAM_USER. - Service accounts that are individual IAM database authentication service accounts have the type of
CLOUD_IAM_SERVICE_ACCOUNT.
REST v1
The following request uses theusers.list method to list the users who have accounts on the Cloud SQLinstance.
Before using any of the request data, make the following replacements:
- PROJECT_ID: the project ID
- INSTANCE_ID: the instance ID
HTTP method and URL:
GET https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users/list
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users/list"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users/list" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "kind": "sql#usersList", "items": [ { "kind": "sql#user", "etag": "--redacted--", "name": "example-service-acct", "host": "%", "instance": "INSTANCE_ID", "project": "PROJECT_ID", "type": "CLOUD_IAM_SERVICE_ACCOUNT" }, { "kind": "sql#user", "etag": "--redacted--", "name": "another-example-service-acct", "host": "%", "instance": "INSTANCE_ID", "project": "PROJECT_ID", "type": "CLOUD_IAM_GROUP_SERVICE_ACCOUNT" }, { "kind": "sql#user", "etag": "--redacted--", "name": "root", "host": "%", "instance": "INSTANCE_ID", "project": "PROJECT_ID", "passwordPolicy": { "status": {} } }, { "kind": "sql#user", "etag": "--redacted--", "name": "example-user", "host": "%", "instance": "INSTANCE_ID", "project": "PROJECT_ID", "type": "CLOUD_IAM_USER" }, { "kind": "sql#user", "etag": "--redacted--", "name": "another-example-user", "host": "%", "instance": "INSTANCE_ID", "project": "PROJECT_ID", "type": "CLOUD_IAM_GROUP_USER" }, { "kind": "sql#user", "etag": "--redacted--", "name": "example-group", "host": "%", "instance": "INSTANCE_ID", "project": "PROJECT_ID", "type": "CLOUD_IAM_GROUP" } ]}Groups have a user type ofCLOUD_IAM_GROUP.
The output also lists user and service accounts onyour Cloud SQL instance.
- User accounts that are members of a group have the type of
CLOUD_IAM_GROUP_USER. - Service accounts that are members of a group have the type
CLOUD_IAM_GROUP_SERVICE_ACCOUNT. - User accounts that are individual IAM database authentication user accounts have the type of
CLOUD_IAM_USER. - Service accounts that are individual IAM database authentication service accounts have the type of
CLOUD_IAM_SERVICE_ACCOUNT.
REST v1beta4
The following request uses theusers.list method to list the users who have accounts on the Cloud SQLinstance.
Before using any of the request data, make the following replacements:
- project-id: Your project ID
- instance-id: The desired instance ID
HTTP method and URL:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "kind": "sql#usersList", "items": [ { "kind": "sql#user", "etag": "--redacted--", "name": "sqlserver", "host": "", "instance": "instance-id", "project": "project-id", "sqlserverUserDetails": { "serverRoles": [ "CustomerDbRootRole" ] } }, { "kind": "sql#user", "etag": "--redacted--", "name": "user-id-1", "host": "", "instance": "instance-id", "project": "project-id", "sqlserverUserDetails": { "serverRoles": [ "CustomerDbRootRole" ] } }, { "kind": "sql#user", "etag": "--redacted--", "name": "user-id-2", "host": "", "instance": "instance-id", "project": "project-id", "sqlserverUserDetails": { "serverRoles": [ "CustomerDbRootRole" ] } }, { ... }, { ... } ]}Groups have a user type ofCLOUD_IAM_GROUP.
The output also lists user and service accounts onyour Cloud SQL instance.
- User accounts that are members of a group have the type of
CLOUD_IAM_GROUP_USER. - Service accounts that are members of a group have the type
CLOUD_IAM_GROUP_SERVICE_ACCOUNT. - User accounts that are individual IAM database authentication user accounts have the type of
CLOUD_IAM_USER. - Service accounts that are individual IAM database authentication service accounts have the type of
CLOUD_IAM_SERVICE_ACCOUNT.
Remove an individual IAM user or service account from a Cloud SQL instance
To remove an individual user or service account that is not a member of a groupfrom the Cloud SQL instance, you delete that account by using the following command:
Console
In the Google Cloud console, go to theCloud SQL Instances page.
- To open theOverview page of an instance, click the instance name.
- SelectUsers from the SQL navigation menu.
- Click for the user you want to remove.
- SelectRemove. This revokes access to this instance only.
gcloud
Revoke a user
Use the email, such asexample-user@example.com, to identify the user.
Replace the following:
- USERNAME: the email address without the @domain name.
- INSTANCE_NAME: the name of the instance you want to remove the user from.
gcloudsqlusersdeleteUSERNAME\--instance=INSTANCE_NAME
Delete the individual service account
Replace the following:
- SERVICE_ACCT: the email address of the service account.
- INSTANCE_NAME: the name of the instance you want to remove the user from.
gcloudsqlusersdeleteSERVICE_ACCT\--instance=INSTANCE_NAME
REST v1
The following request uses theusers.delete method to delete the specified user account.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your project ID
- INSTANCE_ID: The desired instance ID
- USERNAME: The email address for the user or service account
HTTP method and URL:
DELETE https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.Execute the following command:
curl -X DELETE \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method DELETE `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "kind": "sql#operation", "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID", "status": "DONE", "user": "user@example.com", "insertTime": "2020-02-07T22:38:41.217Z", "startTime": "2020-02-07T22:38:41.217Z", "endTime": "2020-02-07T22:38:44.801Z", "operationType": "DELETE_USER", "name": "OPERATION_ID", "targetId": "INSTANCE_ID", "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID", "targetProject": "PROJECT_ID"}REST v1beta4
The following request uses theusers.delete method to delete the specified user account.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your project ID
- INSTANCE_ID: The desired instance ID
- USERNAME: The email address for the user or service account
HTTP method and URL:
DELETE https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.Execute the following command:
curl -X DELETE \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method DELETE `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "kind": "sql#operation", "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID", "status": "DONE", "user": "user@example.com", "insertTime": "2020-02-07T22:38:41.217Z", "startTime": "2020-02-07T22:38:41.217Z", "endTime": "2020-02-07T22:38:44.801Z", "operationType": "DELETE_USER", "name": "OPERATION_ID", "targetId": "INSTANCE_ID", "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID", "targetProject": "PROJECT_ID"}Remove IAM group members from a Cloud SQL instance
There are two ways to remove IAM group members from aCloud SQL instance:
- Automatic removal
- Manual removal
Automatic removal
To remove an IAM group member, you need to removetheir membership from the applicable IAM groups inCloud Identity. After the IAM group users havelost membership to all the applicable groups in Cloud Identity,Cloud SQL removes those group users from the instance automatically.
Changes to group membership, such as the addition or removal of a member, takeabout 15 minutes to propagate. The 15 minute propagation delay fromCloud SQL happens in parallel with thetime required for IAM changes to propagate.
Note: IAM users that exist solely onMySQL replicas and have lost all group memberships losetheir database privileges and ability to login but don't get removed from thereplica. These IAM users remain visible in lists of users.Manual removal
In cases where an IAM group user can't be removed automatically,you can manually remove them. You can't manually remove an IAMgroup user from a Cloud SQL instance by using gcloud CLI,Google Cloud console, Terraform, or the Cloud SQL Admin API. Instead, database users with superuser privileges can manually delete IAM group users from the Cloud SQL instance by usingaDROP USER statement from a MySQL client.
After you manuallyremove an IAM group user from the Cloud SQL instance,make sure that you also remove them from the IAM group inCloud Identity to prevent further logins to the Cloud SQLinstance.
Delete an IAM group from a Cloud SQL instance
You can delete the added IAM groups fromthe Cloud SQL instance. After you delete anIAM group from the instance, all users andservice accounts that belong to the IAM grouplose any database privileges that were granted to the IAMgroup. In addition, the following conditions apply:
- The users and service accounts that belong to the IAMgroup are still able to log in until the
cloudsql.instances.loginIAM permissionis removed from the group. - If the deletion of a group results in the IAM group useror service accounts belonging to no other groups on the instance,then Cloud SQLremoves the IAM group useror service accounts from the instance.
If you delete all IAM groups from a Cloud SQLinstance, then all the IAM group users and service accountslose all their database privileges. In addition, the following conditions apply:
- All IAM group users and service accounts are unable tologin to the instance.
- Cloud SQL also removes all IAM group users andservice accounts from the instance automatically.
Console
In the Google Cloud console, go to theCloud SQL Instances page.
- To open theOverview page of an instance, click the instance name.
- SelectUsers from the SQL navigation menu.
- Click for the group you want to remove.
- SelectRemove. This revokes access to this instance only.
gcloud
To delete a Cloud Identity group from an instance, use thegcloud sql users deletecommand.
Replace the following:
- GROUP_NAME: the first part of the email address of the Cloud Identity group. For example, using the email address
example-group@example.com, the Cloud Identity group name isexample-group. - HOSTNAME: The second part of the email address represents the hostname of the Cloud Identity group. For example, using the email address
example-group@example.com, the hostname isexample.com. - INSTANCE_NAME: the name of the Cloud SQL instance with the Cloud Identity group you want to delete.
gcloudsqlusersdeleteGROUP_NAME\--host=HOSTNAME\--instance=INSTANCE_NAME
Remove IAM login permissions from an IAM group
If you revoke thecloudsql.instanceUser role from an IAM group,then all members of the group lose the ability to log in to any Cloud SQLinstance in the project. The users or service accounts can only log intoinstances if they are members of another IAM group thatstill has login permissions.
To revoke a role from a Cloud Identity group, seeRevoke a single role.
Note: Changes to grouplogin permissions can take 15 minutes to propagate.Remove users from an IAM group
IAM group members such as users or service accounts can beremoved from the IAM group in Cloud Identity.
After the removal has propagated through IAM, the user canno longer log in to the database unless they havereceived login permissions from another group orare directly granted login privileges. In addition, users removed from agroup lose the database privileges of the group.
If an IAM group user doesn't belong to any groups on the instance, thenCloud SQL automatically removes the user fromthe instance.
View login information in audit logs
You can enable audit logs to capture IAM logins to the database.When there are login issues, you can use the audit logs to diagnose the problem.
Note: Audit Logging incurs extra costs. For more information, seePricing for logging data.Once configured, you canview Data Access audit logsof successful logins using theLogs Explorer.
For IAM group authentication, audit logs display the activity and logins for individualuser and service accounts.
For example, a log might have information similar to the following:
{ insertId: "..." logName: "projects/.../logs/cloudaudit.googleapis.com%2Fdata_access" protoPayload: { @type: "type.googleapis.com/google.cloud.audit.AuditLog" authenticationInfo: { principalEmail: "..." } authorizationInfo: [ 0: { granted: true permission: "cloudsql.instances.login" resource: "instances/..." resourceAttributes: { } } ] methodName: "cloudsql.instances.login" request: { @type: "type.googleapis.com/google.cloud.sql.authorization.v1.InstancesLoginRequest" clientIpAddress: "..." database: "..." databaseSessionId: ... instance: "projects/.../locations/us-central1/instances/..." user: "..." } requestMetadata: { callerIp: "..." destinationAttributes: { } requestAttributes: { auth: { } time: "..." } } resourceName: "instances/..." serviceName: "cloudsql.googleapis.com" status: { } } receiveTimestamp: "..." resource: { labels: { database_id: "...:..." project_id: "..." region: "us-central" } type: "cloudsql_database" } severity: "INFO" timestamp: "..."}Troubleshoot a login failure
When an attempt to log in fails, MySQL returns a minimal error message forsecurity reasons. For example:
$MYSQL_PWD=`gcloud-access-tokenmysql`--enable-cleartext-plugin--ssl-ca=server-ca.pem--ssl-cert=client-cert.pem--ssl-key=client-key.pem--host=ip_address--user=testuserAccessdeniedforuser'testuser'@'...'(usingpassword:NO)You can review the MySQL error logs for more details about the error. Formore information, seeViewing Logs.
For example, for the previous error, the following log entry explains the actionyou can take to resolve the problem.
F ... [152172]: [1-1] db=...,user=... FATAL: Cloud SQL IAM user authentication failed for user "..."I ... [152172]: [2-1] db=...,user=... DETAIL: Request is missing required authentication credential. Expected OAuth 2 access token, log in cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.Check the error message you receive. If the message does not indicate that youused "Cloud SQL IAM user authentication" or"Cloud SQL IAM service account authentication," verify thatthe database user type used to log in is eitherCLOUD_IAM_USER orCLOUD_IAM_SERVICE_ACCOUNT.For an IAM user, verify that the database username is theIAM user's email address without the@ and domain. For aservice account, verify that it is the service account's email without the@project-id.iam.gserviceaccount.com.
If you used IAM database authentication, check the details of the error message. You can find theerror message in the database error log. If it indicates the access token (OAuth2.0) you sent as a password was invalid, you can use thegcloud auth application-default print-access-tokengcloud command to find details of the token, as follows:
curl-H"Content-Type: application/x-www-form-urlencoded"\-d"access_token=$(gcloudauthapplication-defaultprint-access-token)"\https://www.googleapis.com/oauth2/v1/tokeninfo
Verify that the token is for the intended IAM user or serviceaccount and has not expired.
If the details indicate a lack of permission, then verify the IAMuser or service account is granted thecloudsql.instances.login permission usingthe predefinedCloud SQL Instance User role or custom role in theIAM policy of the instance's project. Use the IAMPolicy Troubleshooter for additional help.
If a login fails due to IAM database authentication unavailability, the user can log in using thedefault MySQL user and password. This method of logging in still gives theuser access to the entire database. Verify that the connection is a securedconnection.
Troubleshoot user accounts that use IAM group authentication
This section lists troubleshooting scenarios for IAM group authentication.
Failure to add a group to a database
When you attempt to add a group to an instance, you receive thefollowing error:
(gcloud.sql.users.create) HTTPError 400: Invalid request: Provided CLOUD_IAM_GROUP:EMAIL, does not exist.
Make sure the email address that you provided is a valid group.
If the group doesn't exist yet, then create the group.For more information about creating groups,seeCreate and manage Google groups in the Google Cloud console.
If you receive the following error:
(gcloud.sql.users.create) HTTPError 400: Invalid request: IAM Group Authentication is disabled.
Then before you can use IAM group authentication,your Cloud SQL instance requires the following maintenance update:
R20240514.00_04 or later
You can apply the maintenance update to your instance by using self-servicemaintenance. For more information, seePerform self-service maintenance.
An existing IAM user or service account isn't inheriting the database privileges granted to their IAM group
If an existing IAM user or service account isn't inheriting the correctdatabase privileges of their group, then complete the following steps:
In the Google Cloud console, go to theIAM page.
Verify that the account is a member of the groupadded to the Cloud SQL instance.
List the users and service accounts on the instance.
gcloudsqluserslist--instance=INSTANCE_NAMEIn the output, check whether the user or service account is listed as a
CLOUD_IAM_USERor aCLOUD_IAM_SERVICE_ACCOUNT.If the user or service account is listed as a
CLOUD_IAM_USERor aCLOUD_IAM_SERVICE_ACCOUNT,then remove the account from the instance. The account you are removing isan individual IAM account which doesn't inherit databaseprivileges of the group.Log in again to the instance with the user or service account.
Logging in again to the instance re-creates the account with the correctaccount type of
CLOUD_IAM_GROUP_USERorCLOUD_IAM_GROUP_SERVICE_ACCOUNT.
What's next
- Learn more aboutIAM database authentication.
- Learn how tolog in to a Cloud SQL database.
- Learn how toconfigure instances for IAM database authentication.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-16 UTC.