Manage users with built-in authentication

This page describes how to enable and use Cloud SQL built-in authentication.

For an overview, see Cloud SQL built-in database authentication.

Before creating users

  1. Create a Cloud SQL instance. For more information, see Create instances.
  2. Enable password policies for the instance. For more information, see Instance password policies.
  3. If you plan to use your database's administrative client to manage users, then do the following:

    1. Connect the client to your instance. See Connection options for external applications.

    2. Configure the default user on the instance by setting the password. See Set the password for the default user account.

Set the password for the default user account

When you create a new Cloud SQL instance, you must set a password for the default user account before you can connect to the instance.

For Cloud SQL for MySQL, the default user is root@%. This signifies a database user with a username of root which can connect from any host (@%).

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Users from the SQL navigation menu.
  4. Find the root user and then select Change password from the more actions menu.

    Consider the listed stipulations for the password, which are derived from the password policy set for the instance.

  5. Provide a strong password that you can remember and click OK.

gcloud

Use the gcloud sql users set-password command as follows to set the password for the default user.

Replace INSTANCE_NAME with the name of the instance before running the command.

gcloud sql users set-password root \
--host=% \
--instance=INSTANCE_NAME \
--prompt-for-password

REST v1

To update the password for the default user account, use a PUT request with the users:update method.

Before using any of the request data, make the following replacements:

  • project-id: Your project ID
  • instance-id: The desired instance ID
  • password: The password for the user

HTTP method and URL:

PUT https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=root&host=%25

Request JSON body:

{
  "name": "root",
  "password": "password"
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PUT \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=root&host=%25"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=root&host=%25" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
  "status": "DONE",
  "user": "user@example.com",
  "insertTime": "2020-02-07T22:38:41.217Z",
  "startTime": "2020-02-07T22:38:41.217Z",
  "endTime": "2020-02-07T22:38:44.801Z",
  "operationType": "UPDATE_USER",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

REST v1beta4

To update the password for the default user account, use a PUT request with the users:update method.

Before using any of the request data, make the following replacements:

  • project-id: Your project ID
  • instance-id: The desired instance ID
  • password: The password for the user

HTTP method and URL:

PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=root&host=%25

Request JSON body:

{
  "name": "root",
  "password": "password"
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PUT \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=root&host=%25"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=root&host=%25" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "DONE",
  "user": "user@example.com",
  "insertTime": "2020-02-07T22:38:41.217Z",
  "startTime": "2020-02-07T22:38:41.217Z",
  "endTime": "2020-02-07T22:38:44.801Z",
  "operationType": "UPDATE_USER",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

Create a user

After setting up the default user account, you can create other users.

Note: Cloud SQL for MySQL 8.0 uses mysql_native_password as the default authentication plugin for new users instead of caching_sha2_password. However, Cloud SQL for MySQL 8.4 uses caching_sha2_password for the default authentication plugin for new users. For more information, see MySQL authentication.

When you create a built-in user, you can assign one or more database roles to the user.

To assign a custom database role to a user, you must create the role in the MySQL database first. To create a role in MySQL, see Using roles.

Console

Note: You can't assign database roles to MySQL users by using the Google Cloud console. To assign a database role or roles to a MySQL user, use the gcloud CLI or the Cloud SQL Admin API instead.

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Users from the SQL navigation menu.
  4. Click Add user account.

    In the Add a user account to instance instance_name page, you can choose whether the user authenticates with the built-in database method (username and password) or as an IAM user.

  5. Select Built-in authentication (the default) and add the following information:
    • A User name.
    • Optional. A Password. Provide a strong password that you can remember.
    • Optional. The user password policy.
    • In the Host name section, the default is Allow any host, which means that the user can connect from any IP address. Optionally, select Restrict host by IP address or address range and enter an IP address or address range in the Host section. The user can then connect only from the IP address or addresses specified.
  6. Click Add.

If you create a user that uses built-in authentication for a MySQL 8.0 or later instance and don't specify any database roles, then the user is granted the cloudsqlsuperuser role automatically. The following privileges are associated with the cloudsqlsuperuser role: CREATEROLE, CREATEDB, and LOGIN. For more information about the privileges associated with the cloudsqlsuperuser role, see MySQL 8.0 user privileges (cloudsqlsuperuser) and MySQL 8.4 user privileges (cloudsqlsuperuser). If you want to change the privileges for the user, then assign one or more custom MySQL roles when you create the user in Cloud SQL. If you assign one or more custom database roles when you create the user in Cloud SQL, then the user isn't granted the cloudsqlsuperuser role.

If you create a user that uses built-in authentication for a MySQL 5.7 instance, then the user is granted all privileges except for FILE and SUPER automatically. If you need to change the privileges for the user, then use the GRANT or REVOKE command in the mysql client.

For more information about these user accounts and privileges, see Other MySQL user accounts.

gcloud

Caution: When you use the gcloud sql users create command to create a user, Cloud SQL doesn't check to see if the user exists. If a user with the same name exists, then the command overwrites the user.

To create a user, use the gcloud sql users create command.

Replace the following:

  • USER_NAME: the username.
  • HOST: the user's host name as a specific IP address, address range, or any host (%).
  • INSTANCE_NAME: the name of the instance.
  • PASSWORD: The password for the user.
  • ROLE_1, ROLE_2, ..., ROLE_N: optional. The database role or roles to assign to the user.

gcloud sql users create USER_NAME \
--host=HOST \
--instance=INSTANCE_NAME \
--password=PASSWORD \
--database-roles=ROLE_1,ROLE_2,...,ROLE_N

Username length limits are the same for Cloud SQL as for on-premises MySQL: 32 characters for MySQL 8.0 and later, 16 characters for earlier versions.

When you create a user, you can add user password policy parameters.
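
Because gcloud sql users create overwrites an existing user without checking, a wrapper can list the instance's users first and refuse to proceed on a match or on a failed lookup. The following is an added example, not part of the original page; the function names and the SQL_USER_PASSWORD variable are hypothetical, and it assumes a user is identified by its name and host together.

```shell
#!/bin/sh
# Added example: refuse to run `gcloud sql users create` when the user
# already exists, because the command would overwrite it.
# Assumptions: function names and SQL_USER_PASSWORD are hypothetical; a user
# is matched on name AND host; names and hosts contain no commas.

# user_exists INSTANCE USER HOST
# Returns 0 if USER@HOST exists, 1 if it does not, 2 if the lookup failed.
user_exists() {
  # Capture the listing first so a gcloud failure (expired credentials,
  # wrong instance name) is never mistaken for "user not found".
  listing=$(gcloud sql users list --instance="$1" \
    --format='csv[no-heading](name,host)') || return 2
  # Pass the values through the environment and force string comparison,
  # so characters such as % or \ are compared literally.
  printf '%s\n' "$listing" | U="$2" H="$3" awk -F, '
    ($1 "") == ENVIRON["U"] && ($2 "") == ENVIRON["H"] { found = 1 }
    END { exit !found }'
}

# create_user_if_absent INSTANCE USER HOST
# Reads the password from SQL_USER_PASSWORD. Returns 0 on success, 2 if the
# lookup failed, 3 if the user already exists, 4 if no password was supplied.
create_user_if_absent() {
  instance=$1 user=$2 host=$3
  [ -n "${SQL_USER_PASSWORD:-}" ] || {
    echo "SQL_USER_PASSWORD is not set" >&2
    return 4
  }
  lookup_rc=0
  user_exists "$instance" "$user" "$host" || lookup_rc=$?
  case $lookup_rc in
    0) echo "refusing to overwrite existing user $user@$host" >&2
       return 3 ;;
    1) ;;  # not present: safe to create
    *) echo "could not list users on $instance; not creating" >&2
       return 2 ;;
  esac
  # --password is the flag shown above; its value is visible in the local
  # process list while the command runs.
  gcloud sql users create "$user" --host="$host" --instance="$instance" \
    --password="$SQL_USER_PASSWORD"
}
```

The lookup and the create are separate calls, so two concurrent runs can still race; provision users from a single pipeline.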

Terraform

To create a user, use a Terraform resource.

resource "random_password" "pwd" {
  length  = 16
  special = false
}

resource "google_sql_user" "user" {
  name     = "user"
  instance = google_sql_database_instance.default.name
  password = random_password.pwd.result
}

Apply the changes

To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.

Prepare Cloud Shell

  1. Launch Cloud Shell.
  2. Set the default Google Cloud project where you want to apply your Terraform configurations.

    You only need to run this command once per project, and you can run it in any directory.

    export GOOGLE_CLOUD_PROJECT=PROJECT_ID

    Environment variables are overridden if you set explicit values in the Terraform configuration file.

Prepare the directory

Each Terraform configuration file must have its own directory (also called a root module).

  1. In Cloud Shell, create a directory and a new file within that directory. The filename must have the .tf extension, for example main.tf. In this tutorial, the file is referred to as main.tf.
    mkdir DIRECTORY && cd DIRECTORY && touch main.tf
  2. If you are following a tutorial, you can copy the sample code in each section or step.

    Copy the sample code into the newly created main.tf.

    Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.

  3. Review and modify the sample parameters to apply to your environment.
  4. Save your changes.
  5. Initialize Terraform. You only need to do this once per directory.
    terraform init

    Optionally, to use the latest Google provider version, include the -upgrade option:

    terraform init -upgrade

Apply the changes

  1. Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
    terraform plan

    Make corrections to the configuration as necessary.

  2. Apply the Terraform configuration by running the following command and entering yes at the prompt:
    terraform apply

    Wait until Terraform displays the "Apply complete!" message.

  3. Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.
Note: Terraform samples typically assume that the required APIs are enabled in your Google Cloud project.

Delete the changes

To delete your changes, do the following:

  1. To disable deletion protection, in your Terraform configuration file set the deletion_protection argument to false.
    deletion_protection =  "false"
  2. Apply the updated Terraform configuration by running the following command and entering yes at the prompt:
    terraform apply
  3. Remove resources previously applied with your Terraform configuration by running the following command and entering yes at the prompt:

    terraform destroy

REST v1

To create a user, use a POST request with the users:insert method.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: your project ID
  • INSTANCE_ID: the instance ID
  • USER_ID: the ID of the user
  • PASSWORD: the password for the user
  • HOST: the host name for the user
  • ROLE_1, ROLE_2, ..., ROLE_N: optional. The database role or roles to assign to the user

HTTP method and URL:

POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users

Request JSON body:

{
  "name": "USER_ID",
  "password": "PASSWORD",
  "host": "HOST",
  "databaseRoles": [
    "ROLE_1",
    "ROLE_2"
  ]
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "DONE",
  "user": "user@example.com",
  "insertTime": "2025-10-20T22:44:16.656Z",
  "startTime": "2025-10-20T22:44:16.686Z",
  "endTime": "2025-10-20T22:44:20.437Z",
  "operationType": "CREATE_USER",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}
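
Saving the request body to request.json puts the new user's password on disk. The following added example (not part of the original page; the function names are hypothetical) builds the users:insert body from a password read on standard input and creates the file readable only by its owner. It omits databaseRoles.

```shell
#!/bin/sh
# Added example: write the users:insert request body (request.json) without
# exposing the password in argv, shell history, or a world-readable file.
# Assumptions: function names are hypothetical; the body carries the name,
# password and host fields shown above.

# json_escape STRING: print STRING escaped for use inside a JSON string.
# Control characters are rejected rather than encoded.
json_escape() {
  stripped=$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')
  [ "$stripped" = "$1" ] || return 1
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# write_user_request USER HOST OUTFILE   (the password is read from stdin)
# Returns non-zero, and writes nothing, if the password is empty or any
# value contains a control character.
write_user_request() {
  req_user=$1 req_host=$2 req_out=$3
  # Accept a final line with or without a trailing newline.
  IFS= read -r req_pw || [ -n "$req_pw" ] || return 1
  [ -n "$req_pw" ] || return 1
  u=$(json_escape "$req_user") || return 1
  h=$(json_escape "$req_host") || return 1
  p=$(json_escape "$req_pw") || return 1
  # Remove any existing file: truncating it would keep its old, possibly
  # looser, permissions. The subshell keeps the umask change local.
  rm -f -- "$req_out"
  ( umask 077 && printf '{"name": "%s", "password": "%s", "host": "%s"}\n' \
      "$u" "$p" "$h" > "$req_out" )
}

# Usage, with the curl command shown above:
#   stty -echo; write_user_request USER_ID HOST request.json; stty echo
#   curl -X POST ... -d @request.json ...
#   rm -f request.json
```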

REST v1beta4

To create a user, use a POST request with the users:insert method.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: your project ID
  • INSTANCE_ID: the instance ID
  • USER_ID: the ID of the user
  • PASSWORD: the password for the user
  • HOST: the host name for the user
  • ROLE_1, ROLE_2, ..., ROLE_N: optional. The database role or roles to assign to the user

HTTP method and URL:

POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users

Request JSON body:

{
  "name": "USER_ID",
  "password": "PASSWORD",
  "host": "HOST",
  "databaseRoles": [
    "ROLE_1",
    "ROLE_2"
  ]
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "DONE",
  "user": "user@example.com",
  "insertTime": "2025-10-20T22:44:16.656Z",
  "startTime": "2025-10-20T22:44:16.686Z",
  "endTime": "2025-10-20T22:44:20.437Z",
  "operationType": "CREATE_USER",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}

mysql Client

  1. To create a user, at the mysql prompt, use the following CREATE USER statement:
    CREATE USER 'USER_NAME'@'%' IDENTIFIED BY 'PASSWORD';

    Optionally, add the user password policy parameters.

  2. You can confirm the user creation by displaying the user table:
    SELECT user, host FROM mysql.user;
    For a Second Generation instance, the output looks similar to this example:
    +----------+-----------+
    | user     | host      |
    +----------+-----------+
    | root     | %         |
    | newuser  | %         |
    +----------+-----------+
    1 row in set (0.01 sec)
  3. Give the user privileges with the GRANT statement. For more information, see Privileges Provided by MySQL.
  4. Flush the mysql.user table to ensure that the change persists:
    FLUSH TABLES mysql.user;

Set a user password policy

You can set a password policy with the built-in authentication type.

Note: Password policies don't apply to encrypted passwords.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Users from the SQL navigation menu.
  4. Click more actions for the user whose policy you want to change.
  5. Select Edit password policy.
  6. In the Password policy section, select one or more of the following options:
    • Set password to expire: Specifies the number of days after which the password expires and the user needs to create a new one.
    • Lock after failed attempts: Specifies the number of times that a user can try the password incorrectly before the account is locked.

      Supported only on Cloud SQL for MySQL 8.0 and later.

    • Require current password when password is changed: Requires users to enter their existing password when attempting to change it.

    User password policy options are supported on Cloud SQL for MySQL 8.0 and later. The Set password to expire option is also supported on Cloud SQL for MySQL 5.7.

gcloud

To set the user password policy, use the gcloud sql users set-password-policy command.

Use the --password-policy-enable-password-verification flag to make it mandatory for users to enter their existing password when attempting to change the password. To disable this parameter, use --no-password-policy-enable-password-verification.

Replace the following:

  • USER_NAME: The user name.
  • INSTANCE_NAME: The name of the instance.
  • HOST: The user's host name as a specific IP address, address range, or any host (%).
  • PASSWORD_POLICY_ALLOWED_FAILED_ATTEMPTS: Optional: The number of times that a user can try the password incorrectly before the account is locked. Use --password-policy-enable-failed-attempts-check to enable and --no-password-policy-enable-failed-attempts-check to disable the check.
  • PASSWORD_POLICY_PASSWORD_EXPIRATION_DURATION: Optional: Specifies the number of days after which the password expires and the user needs to create a new one.

User password policy options are supported on Cloud SQL for MySQL 8.0 and later. The --password-policy-password-expiration-duration option is also supported on Cloud SQL for MySQL 5.7.

gcloud sql users set-password-policy USER_NAME \
--instance=INSTANCE_NAME \
--host=HOST \
--password-policy-enable-failed-attempts-check \
--password-policy-allowed-failed-attempts=PASSWORD_POLICY_ALLOWED_FAILED_ATTEMPTS \
--password-policy-password-expiration-duration=PASSWORD_POLICY_PASSWORD_EXPIRATION_DURATION \
--password-policy-enable-password-verification

To remove a user password policy, use the --clear-password-policy parameter.

gcloud sql users set-password-policy USER_NAME \
--instance=INSTANCE_NAME \
--host=HOST \
--clear-password-policy

To view the user password policy, see List users.

REST v1

To set a user password policy, use a PUT request with the users:update method.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: your project ID
  • INSTANCE_ID: the instance ID
  • USER_ID: the ID of the user
  • PASSWORD: the password of the user
  • FAILED_ATTEMPTS_CHECK: set to true to enable a check for the number of failed attempts to log in after which the account is locked
  • NUMBER_OF_ATTEMPTS: the number of failed attempts to log in after which the account is locked
  • PASSWORD_EXPIRATION_DURATION: the number of days after which the password expires and the user needs to create a new one
  • VERIFY_PASSWORD: set to true to make it mandatory for users to enter their existing password when attempting to change the password

User password policy options are supported on Cloud SQL for MySQL 8.0. The passwordExpirationDuration option is also supported on Cloud SQL for MySQL 5.7.

HTTP method and URL:

PUT https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID

Request JSON body:

{
  "name": "USER_ID",
  "password": "PASSWORD",
  "data": {
    "passwordValidationUserPolicy": {
      "enableFailedAttemptsCheck": "FAILED_ATTEMPTS_CHECK",
      "allowedFailedAttempts": "NUMBER_OF_ATTEMPTS",
      "passwordExpirationDuration": "PASSWORD_EXPIRATION_DURATION",
      "enablePasswordVerification": "VERIFY_PASSWORD"
    }
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PUT \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "DONE",
  "user": "user@example.com",
  "insertTime": "2021-11-02T19:12:08.132Z",
  "startTime": "2021-11-02T19:12:08.132Z",
  "endTime": "2021-11-02T19:12:09.125Z",
  "operationType": "UPDATE_USER",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}

To view the user password policy, see List users.

REST v1beta4

To set a user password policy, use a PUT request with the users:update method.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: your project ID
  • INSTANCE_ID: the instance ID
  • USER_ID: the ID of the user
  • PASSWORD: the password of the user
  • FAILED_ATTEMPTS_CHECK: set to true to enable a check for the number of failed attempts to log in after which the account is locked
  • NUMBER_OF_ATTEMPTS: the number of failed attempts to log in after which the account is locked
  • PASSWORD_EXPIRATION_DURATION: the number of days after which the password expires and the user needs to create a new one
  • VERIFY_PASSWORD: set to true to make it mandatory for users to enter their existing password when attempting to change the password

User password policy options are supported on Cloud SQL for MySQL 8.0. The passwordExpirationDuration option is also supported on Cloud SQL for MySQL 5.7.

HTTP method and URL:

PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID

Request JSON body:

{
  "name": "USER_ID",
  "password": "PASSWORD",
  "data": {
    "passwordValidationUserPolicy": {
      "enableFailedAttemptsCheck": "FAILED_ATTEMPTS_CHECK",
      "allowedFailedAttempts": "NUMBER_OF_ATTEMPTS",
      "passwordExpirationDuration": "PASSWORD_EXPIRATION_DURATION",
      "enablePasswordVerification": "VERIFY_PASSWORD"
    }
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PUT \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "DONE",
  "user": "user@example.com",
  "insertTime": "2021-11-02T19:12:08.132Z",
  "startTime": "2021-11-02T19:12:08.132Z",
  "endTime": "2021-11-02T19:12:09.125Z",
  "operationType": "UPDATE_USER",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}

To view the user password policy, see List users.

mysql Client

To set a user password policy, at the mysql prompt, use the following ALTER USER statement:

ALTER USER USER_NAME
  FAILED_LOGIN_ATTEMPTS ALLOWED_FAILED_ATTEMPTS
  PASSWORD EXPIRE INTERVAL PASSWORD_EXPIRATION_DURATION DAY
  PASSWORD REQUIRE CURRENT;

Replace the following:

  • USER_NAME: The user name.
  • ALLOWED_FAILED_ATTEMPTS: Optional: The number of times that a user can try the password incorrectly before the account is locked.
  • PASSWORD_EXPIRATION_DURATION: Optional: Specifies the number of days after which the password expires and the user needs to create a new one.

Use the PASSWORD REQUIRE CURRENT option to make it mandatory for users to enter their existing password when attempting to change the password.

User password policy options are supported on Cloud SQL for MySQL 8.0 and later. The PASSWORD EXPIRE INTERVAL option is also supported on Cloud SQL for MySQL 5.7.

To view the user password policy, see List users.

List users

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Users from the SQL navigation menu.

    The list shows the User name, Host name, and Authentication type for each user.

    Additionally, for the built-in authentication type, the Password status is also indicated.

gcloud

Use the gcloud sql users list command to list the users for this instance:

gcloud sql users list \
--instance=INSTANCE_NAME

The command returns the Name, Host, and authenticationType for each user.

Additionally, for the built-in authentication type, the password policy settings and status are returned. For example:

    NAME    HOST    TYPE        PASSWORD_POLICY
    user1           BUILT_IN    {'allowedFailedAttempts': 2,
                                 'enableFailedAttemptsCheck': True,
                                 'passwordExpirationDuration': '7d',
                                 'status': {
                                   'locked': True,
                                   'passwordExpirationTime': '2022-07-01T19:53:45.822742904Z'
                                 }
                                }

REST v1

To list the users defined for an instance, use a GET request with the users:list method.

Before using any of the request data, make the following replacements:

  • project-id: Your project ID
  • instance-id: The desired instance ID

HTTP method and URL:

GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#usersList",
  "items": [
    {
      "kind": "sql#user",
      "etag": "--redacted--",
      "name": "sqlserver",
      "host": "",
      "instance": "instance-id",
      "project": "project-id",
      "sqlserverUserDetails": {
        "serverRoles": [
          "CustomerDbRootRole"
        ]
      }
    },
    {
      "kind": "sql#user",
      "etag": "--redacted--",
      "name": "user-id-1",
      "host": "",
      "instance": "instance-id",
      "project": "project-id",
      "sqlserverUserDetails": {
        "serverRoles": [
          "CustomerDbRootRole"
        ]
      }
    },
    {
      "kind": "sql#user",
      "etag": "--redacted--",
      "name": "user-id-2",
      "host": "",
      "instance": "instance-id",
      "project": "project-id",
      "sqlserverUserDetails": {
        "serverRoles": [
          "CustomerDbRootRole"
        ]
      }
    },
    {
      ...
    },
    {
      ...
    }
  ]
}

If a user password policy was set, the items section of the response includes a passwordPolicy section. The following code sample shows the passwordPolicy section.

{
  ...
  "passwordValidationUserPolicy": {
    "enableFailedAttemptsCheck": true,
    "allowedFailedAttempts": 8,
    "passwordExpirationDuration": "7d",
    "enablePasswordVerification": true
  },
  ...
}

Note: The users.list API supports only response payloads that include up to 4 MB of text or roughly 13,000 users.

If your database has a large number of users that exceeds these limits, then a request to list users might result in an error. If this occurs, then to get the list of users, we recommend that you run the request directly from the database.

REST v1beta4

To list the users defined for an instance, use a GET request with the users:list method.

Before using any of the request data, make the following replacements:

  • project-id: Your project ID
  • instance-id: The desired instance ID

HTTP method and URL:

GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#usersList",
  "items": [
    {
      "kind": "sql#user",
      "etag": "--redacted--",
      "name": "sqlserver",
      "host": "",
      "instance": "instance-id",
      "project": "project-id",
      "sqlserverUserDetails": {
        "serverRoles": [
          "CustomerDbRootRole"
        ]
      }
    },
    {
      "kind": "sql#user",
      "etag": "--redacted--",
      "name": "user-id-1",
      "host": "",
      "instance": "instance-id",
      "project": "project-id",
      "sqlserverUserDetails": {
        "serverRoles": [
          "CustomerDbRootRole"
        ]
      }
    },
    {
      "kind": "sql#user",
      "etag": "--redacted--",
      "name": "user-id-2",
      "host": "",
      "instance": "instance-id",
      "project": "project-id",
      "sqlserverUserDetails": {
        "serverRoles": [
          "CustomerDbRootRole"
        ]
      }
    },
    {
      ...
    },
    {
      ...
    }
  ]
}

If a user password policy was set, the items section of the response includes a passwordPolicy section. The following code sample shows the passwordPolicy section.

{
  ...
  "passwordValidationUserPolicy": {
    "enableFailedAttemptsCheck": true,
    "allowedFailedAttempts": 8,
    "passwordExpirationDuration": "7d",
    "enablePasswordVerification": true
  },
  ...
}

Note: The users.list API supports only response payloads that include up to 4 MB of text or roughly 13,000 users.

If your database has a large number of users that exceeds these limits, then a request to list users might result in an error. If this occurs, then to get the list of users, we recommend that you run the request directly from the database.

mysql Client

To list MySQL users, at the mysql prompt, use the following SELECT statement:

SELECT user, host FROM mysql.user;

For a Second Generation instance with only the root user account configured, the output looks similar to this example:

+------+-----------+
| user | host      |
+------+-----------+
| root | %         |
+------+-----------+
1 row in set (0.01 sec)

This example shows the users for an instance with the root user. This user can connect from any host (%). The password field shows the hash of the password.

Note: You can't use the Google Cloud console or gcloud to display system users.
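The users.list response described in the List users section can be checked automatically for accounts whose password policy is missing or weak. The following is an added example, not part of the original page or of Google's tooling: the sample response is constructed, the policy object is looked up under both key names the page uses (passwordPolicy and passwordValidationUserPolicy), and a user with no type field is assumed to be built-in.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the users.list response and the gcloud
# PASSWORD_POLICY column shown on this page. User names are made up.
SAMPLE_RESPONSE = json.loads("""
{
  "kind": "sql#usersList",
  "items": [
    {"kind": "sql#user", "name": "root", "host": "%"},
    {"kind": "sql#user", "name": "app", "host": "%", "type": "BUILT_IN",
     "passwordPolicy": {
       "enableFailedAttemptsCheck": true,
       "allowedFailedAttempts": 8,
       "passwordExpirationDuration": "7d",
       "enablePasswordVerification": true,
       "status": {"locked": false,
                  "passwordExpirationTime": "2022-07-01T19:53:45.822742904Z"}}},
    {"kind": "sql#user", "name": "batch", "host": "10.0.0.5",
     "passwordValidationUserPolicy": {
       "enableFailedAttemptsCheck": false,
       "status": {"locked": true}}},
    {"kind": "sql#user", "name": "alice", "host": "", "type": "CLOUD_IAM_USER"}
  ]
}
""")

# Assumption: the policy may appear under either key used on this page.
POLICY_KEYS = ("passwordPolicy", "passwordValidationUserPolicy")
# Both spellings appear on this page (gcloud output and REST request body).
BUILT_IN_TYPES = ("BUILT_IN", "BUILT-IN")


def parse_rfc3339(ts):
    """Parse a UTC timestamp ending in 'Z'; nanoseconds are truncated."""
    body = ts.rstrip("Z")
    if "." in body:
        head, frac = body.split(".", 1)
        body = f"{head}.{frac[:6]}"  # strptime's %f takes at most 6 digits
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def audit_users(response, now, warn_within=timedelta(days=3)):
    """Return (account, finding) pairs for built-in users in a users.list response."""
    findings = []
    for user in response.get("items", []):
        # Assumption: a missing "type" means built-in authentication.
        if user.get("type", "BUILT_IN") not in BUILT_IN_TYPES:
            continue
        host = user.get("host")
        account = user["name"] + (f"@{host}" if host else "")

        # An absent or empty policy object means no user password policy.
        policy = next((user[k] for k in POLICY_KEYS if user.get(k)), None)
        if not policy:
            findings.append((account, "no-password-policy"))
            continue

        if not policy.get("enableFailedAttemptsCheck"):
            findings.append((account, "failed-attempts-check-disabled"))
        if not policy.get("passwordExpirationDuration"):
            findings.append((account, "no-password-expiration"))
        if not policy.get("enablePasswordVerification"):
            findings.append((account, "current-password-not-required"))

        status = policy.get("status", {})
        if status.get("locked"):
            findings.append((account, "locked"))
        expires = status.get("passwordExpirationTime")
        if expires:
            when = parse_rfc3339(expires)
            if when <= now:
                findings.append((account, "password-expired"))
            elif when - now <= warn_within:
                findings.append((account, "password-expires-soon"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_users(
            SAMPLE_RESPONSE, datetime(2022, 6, 30, tzinfo=timezone.utc)):
        print(f"{account}: {finding}")
```

To run it against a real instance, save the output of the curl command above to a file and pass the parsed JSON to audit_users in place of SAMPLE_RESPONSE.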

Add database roles to an existing user

After you create a built-in user, you can assign additional roles to the user. These roles are added to their existing roles and don't replace the existing set of roles assigned to the user account.

Before you can assign a role to a user in Cloud SQL for MySQL, the role must already exist. To assign a custom role, create the role in the MySQL database first.

To create a role in MySQL, see Using roles.

You can't assign roles to any of the MySQL system users on the instance.

You can assign the cloudsqlsuperuser system role to existing MySQL users on the instance.

gcloud

To assign roles to a user, use the gcloud sql users assign-roles command.

gcloud sql users assign-roles USER_NAME \
--host=HOST \
--instance=INSTANCE_NAME \
--type=BUILT-IN \
--database-roles=ROLE_1,ROLE_2,...,ROLE_N

Replace the following:

  • USER_NAME: the username.
  • HOST: the user's host name as a specific IP address, address range, or any host (%).
  • INSTANCE_NAME: the name of the instance.
  • ROLE_1, ROLE_2, ..., ROLE_N: the database role or roles to assign to the user.

REST v1

To update a user, use a PUT request with the users:update method.

When you assign database roles, you can't update password policy parameters in the same API request.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: your project ID
  • INSTANCE_ID: the desired instance ID
  • USER_ID: the ID of the user
  • ROLE_1, ROLE_2, ..., ROLE_N: the database role or roles to assign to the user

HTTP method and URL:

PUT https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users

Request JSON body:

{
  "name": "USER_ID",
  "type": "BUILT-IN",
  "databaseRoles": [
    "ROLE_1",
    "ROLE_2"
  ]
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PUT \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "DONE",
  "user": "user@example.com",
  "insertTime": "2025-10-20T22:44:16.656Z",
  "startTime": "2025-10-20T22:44:16.686Z",
  "endTime": "2025-10-20T22:44:20.437Z",
  "operationType": "UPDATE_USER",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}

REST v1beta4

To update a user, use a PUT request with the users:update method.

When you assign database roles, you can't update password policy parameters in the same API request.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: your project ID
  • INSTANCE_ID: the desired instance ID
  • USER_ID: the ID of the user
  • ROLE_1, ROLE_2, ..., ROLE_N: the database role or roles to assign to the user

HTTP method and URL:

PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users

Request JSON body:

{
  "name": "USER_ID",
  "type": "BUILT-IN",
  "databaseRoles": [
    "ROLE_1",
    "ROLE_2"
  ]
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PUT \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "DONE",
  "user": "user@example.com",
  "insertTime": "2025-10-20T22:44:16.656Z",
  "startTime": "2025-10-20T22:44:16.686Z",
  "endTime": "2025-10-20T22:44:20.437Z",
  "operationType": "UPDATE_USER",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}

Replace database roles for an existing user

If you want to replace or remove database roles from the user, you must revoke all of their existing roles while specifying new database roles, if any.

By default, when you create a built-in MySQL user, the user is granted the cloudsqlsuperuser role automatically. If you don't want a user to keep the cloudsqlsuperuser role, then revoke the existing roles of the user.

gcloud

To replace the database roles for a user, you revoke the existing roles for the user and assign new roles. To replace database roles for a user, use the following gcloud sql users assign-roles command.

gcloud sql users assign-roles USER_NAME \
--host=HOST \
--instance=INSTANCE_NAME \
--database-roles=ROLE_1,ROLE_2 \
--revoke-existing-roles

Replace the following:

  • USER_NAME: the username.
  • HOST: the user's host name as a specific IP address, address range, or any host (%).
  • INSTANCE_NAME: the name of the instance.
  • ROLE_1, ROLE_2: the new database role or roles to assign to the user.

You can also revoke the existing roles for a user and assign zero roles. For example:

gcloud sql users assign-roles USER_NAME \
--host=HOST \
--instance=INSTANCE_NAME \
--database-roles= \
--revoke-existing-roles

REST v1

To update a user, use a PUT request with the users:update method.

When you replace a user's database roles, you can't update password policy parameters in the same API request.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: your project ID
  • INSTANCE_ID: the desired instance ID
  • USER_ID: the ID of the user
  • ROLE_1, ROLE_2, ..., ROLE_N: the new database role or roles to assign to the user. You can also specify an empty list.

HTTP method and URL:

PUT https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users

Request JSON body:

{
  "name": "USER_ID",
  "type": "BUILT-IN",
  "databaseRoles": [
    "ROLE_1",
    "ROLE_2"
  ],
  "revokeExistingRoles": true
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PUT \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "DONE",
  "user": "user@example.com",
  "insertTime": "2025-10-20T22:44:16.656Z",
  "startTime": "2025-10-20T22:44:16.686Z",
  "endTime": "2025-10-20T22:44:20.437Z",
  "operationType": "UPDATE_USER",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}

REST v1beta4

To update a user, use a PUT request with the users:update method.

When you replace a user's database roles, you can't update password policy parameters in the same API request.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: your project ID
  • INSTANCE_ID: the desired instance ID
  • USER_ID: the ID of the user
  • ROLE_1, ROLE_2, ..., ROLE_N: the new database role or roles to assign to the user. You can also specify an empty list.

HTTP method and URL:

PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users

Request JSON body:

{
  "name": "USER_ID",
  "type": "BUILT-IN",
  "databaseRoles": [
    "ROLE_1",
    "ROLE_2"
  ],
  "revokeExistingRoles": true
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PUT \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "DONE",
  "user": "user@example.com",
  "insertTime": "2025-10-20T22:44:16.656Z",
  "startTime": "2025-10-20T22:44:16.686Z",
  "endTime": "2025-10-20T22:44:20.437Z",
  "operationType": "UPDATE_USER",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}
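The difference between adding roles and replacing them matters most when narrowing a user's privileges, for example when taking away the default cloudsqlsuperuser role. The following added example (not code from the original page) chooses the users:update request body for a given change and models the additive versus revokeExistingRoles behaviour described above; the function names and the role name reporting_ro are hypothetical, and the caller is assumed to already know the user's current roles.

```python
ROLE_FIELDS = ("databaseRoles", "revokeExistingRoles")
# Fields this page uses to carry password policy settings in a request body.
POLICY_FIELDS = ("data", "passwordValidationUserPolicy")


def plan_role_update(user_id, current_roles, desired_roles):
    """Build the users:update body that takes a built-in user from
    current_roles to desired_roles, or None if nothing has to change."""
    current, desired = set(current_roles), set(desired_roles)
    if current == desired:
        return None
    body = {"name": user_id, "type": "BUILT-IN"}
    if current <= desired:
        # Only additions: assigned roles are added to the existing ones,
        # so send just the new roles and leave the rest untouched.
        body["databaseRoles"] = sorted(desired - current)
    else:
        # Something must be removed: revoke everything and restate the
        # full desired set (which may be empty).
        body["databaseRoles"] = sorted(desired)
        body["revokeExistingRoles"] = True
    return body


def validate_body(body):
    """Reject a body that mixes role changes with password policy
    parameters, which the page says can't share one API request."""
    has_roles = any(field in body for field in ROLE_FIELDS)
    has_policy = any(field in body for field in POLICY_FIELDS)
    if has_roles and has_policy:
        raise ValueError(
            "send role changes and password policy updates as separate requests")
    return body


def apply_role_update(current_roles, body):
    """Model of the documented semantics: roles are additive unless
    revokeExistingRoles is true."""
    if body is None:
        return set(current_roles)
    validate_body(body)
    base = set() if body.get("revokeExistingRoles") else set(current_roles)
    return base | set(body.get("databaseRoles", []))


if __name__ == "__main__":
    import json
    # Constructed case: narrow a new user from the default role to read-only.
    print(json.dumps(
        plan_role_update("app", ["cloudsqlsuperuser"], ["reporting_ro"]),
        indent=2))
```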

Change a user password

User passwords can be changed in one of the following ways.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Users from the SQL navigation menu.
  4. Click more actions for the user you want to update.
  5. Select Change password.
  6. Specify a new password.

    Additionally, if you want to continue to use your older password, select the Retain current password checkbox.

  7. Click OK.

gcloud

Use the gcloud sql users set-password command to change a password.

Replace the following:

  • USER_NAME: The user name.
  • HOST: The user's host name as a specific IP address, address range, or any host (%).
  • INSTANCE_NAME: The name of the instance.
  • PASSWORD: A password. It must meet the requirements of password policies, if set.

Optionally, for MySQL 8.0 and later, you can continue to allow the user to use the older password with the --retain-password option. To discard the older password, use the --discard-dual-password option.

gcloud sql users set-password USER_NAME \
--host=HOST \
--instance=INSTANCE_NAME \
--password=PASSWORD

REST v1

To change a user password, use a PUT request with the users:update method.

The following request updates the password for the user account user_name'@'%. If your user has a different host, you must modify the call with the correct host.

Before using any of the request data, make the following replacements:

  • project-id: Your project ID
  • instance-id: The desired instance ID
  • user-id: The ID of the user
  • password: The new password for the user
  • dual-password: One of these enum values:
    • DUAL_PASSWORD: The user can continue to use the older password.
    • NO_DUAL_PASSWORD: The user cannot use the older password.
    • NO_MODIFY_DUAL_PASSWORD: The dual password status stays unchanged.

HTTP method and URL:

PUT https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=user-id

Request JSON body:

{
  "name": "user-id",
  "password": "password",
  "retainedPassword": "dual-password"
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PUT \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=user-id"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=user-id" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
  "status": "DONE",
  "user": "user@example.com",
  "insertTime": "2020-02-07T22:38:41.217Z",
  "startTime": "2020-02-07T22:38:41.217Z",
  "endTime": "2020-02-07T22:38:44.801Z",
  "operationType": "UPDATE_USER",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

REST v1beta4

To change a user password, use a PUT request with the users:update method.

The following request updates the password for the user account user_name'@'%. If your user has a different host, you must modify the call with the correct host.

Before using any of the request data, make the following replacements:

  • project-id: Your project ID
  • instance-id: The desired instance ID
  • user-id: The ID of the user
  • password: The new password for the user
  • dual-password: One of these enum values:
    • DUAL_PASSWORD: The user can continue to use the older password.
    • NO_DUAL_PASSWORD: The user cannot use the older password.
    • NO_MODIFY_DUAL_PASSWORD: The dual password status stays unchanged.

HTTP method and URL:

PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=user-id

Request JSON body:

{
  "name": "user-id",
  "password": "password",
  "retainedPassword": "dual-password"
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PUT \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=user-id"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=user-id" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "DONE",
  "user": "user@example.com",
  "insertTime": "2020-02-07T22:38:41.217Z",
  "startTime": "2020-02-07T22:38:41.217Z",
  "endTime": "2020-02-07T22:38:44.801Z",
  "operationType": "UPDATE_USER",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

mysql Client

  1. To change the password, at the mysql prompt, use the following SET PASSWORD statement:
    SET PASSWORD FOR USER_NAME = PASSWORD('auth_string');
  2. Flush the mysql.user table to ensure that the change persists:
    FLUSH TABLES mysql.user;

If a user is locked out due to password policy settings, change the password to unlock them. Ensure that passwords, when changed, adhere to the password policy.

Remove a user password policy

You can remove a password policy from a user that has the built-in authentication type.

gcloud

To remove the user password policy, use the gcloud sql users set-password-policy command and the --clear-password-policy parameter.

Replace the following:

  • USER_NAME: the user name
  • INSTANCE_NAME: the name of the instance
  • HOST: the user's host name as a specific IP address, address range, or any host (%)

gcloud sql users set-password-policy USER_NAME \
--instance=INSTANCE_NAME \
--host=HOST \
--clear-password-policy

REST v1

To remove a user password policy, use a PUT request with the users:update method.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: your project ID
  • INSTANCE_ID: the instance ID
  • USER_ID: the ID of the user
  • PASSWORD: the password of the user

HTTP method and URL:

PUT https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID

Request JSON body:

{
  "name": "USER_ID",
  "password": "PASSWORD",
  "data": {
    "passwordValidationUserPolicy": {}
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

curl -X PUT \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "DONE",
  "user": "user@example.com",
  "insertTime": "2021-11-02T19:12:08.132Z",
  "startTime": "2021-11-02T19:12:08.132Z",
  "endTime": "2021-11-02T19:12:09.125Z",
  "operationType": "UPDATE_USER",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}

REST v1beta4

To remove a user password policy, use a PUT request with the users:update method.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: your project ID
  • INSTANCE_ID: the instance ID
  • USER_ID: the ID of the user
  • PASSWORD: the password of the user

HTTP method and URL:

PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID

Request JSON body:

{
  "name": "USER_ID",
  "password": "PASSWORD",
  "data": {
    "passwordValidationUserPolicy": {}
  }
}

To send your request, use one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PUT \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "DONE",
  "user": "user@example.com",
  "insertTime": "2021-11-02T19:12:08.132Z",
  "startTime": "2021-11-02T19:12:08.132Z",
  "endTime": "2021-11-02T19:12:09.125Z",
  "operationType": "UPDATE_USER",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}

Remove a user

The default user can remove users.

The methods described in this section do not allow you to remove an anonymous user from your Cloud SQL instance. MySQL includes an anonymous user that allows anyone to connect to the MySQL server without a user account. If you want to remove an anonymous user, connect to your Cloud SQL instance and remove the user manually. For more information about removing anonymous users, refer to the MySQL official documentation.

Before removing a user, you must drop all the objects it owns or reassign their ownership, and revoke any privileges the role has been granted on other objects.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Users from the SQL navigation menu.
  4. Click more actions for the user you want to remove.
  5. Select Remove and then select Remove again.

gcloud

Use the gcloud sql users delete command to remove a user.

Replace the following:

  • USER_NAME: The user name.
  • HOST: The user's host name as a specific IP address, address range, or any host (%).
  • INSTANCE_NAME: The name of the instance.

gcloud sql users delete USER_NAME \
--host=HOST \
--instance=INSTANCE_NAME

REST v1

The request below uses the users:delete method to delete the specified user account.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: Your project ID
  • INSTANCE_ID: The desired instance ID
  • USERNAME: The email address for the user or service account

HTTP method and URL:

DELETE https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME

To send your request, use one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X DELETE \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method DELETE `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "DONE",
  "user": "user@example.com",
  "insertTime": "2020-02-07T22:38:41.217Z",
  "startTime": "2020-02-07T22:38:41.217Z",
  "endTime": "2020-02-07T22:38:44.801Z",
  "operationType": "DELETE_USER",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}

REST v1beta4

The request below uses the users:delete method to delete the specified user account.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: Your project ID
  • INSTANCE_ID: The desired instance ID
  • USERNAME: The email address for the user or service account

HTTP method and URL:

DELETE https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME

To send your request, use one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X DELETE \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method DELETE `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "DONE",
  "user": "user@example.com",
  "insertTime": "2020-02-07T22:38:41.217Z",
  "startTime": "2020-02-07T22:38:41.217Z",
  "endTime": "2020-02-07T22:38:44.801Z",
  "operationType": "DELETE_USER",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}
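When these calls are scripted, the operation responses shown above (UPDATE_USER for users:update, DELETE_USER for users:delete) are worth checking before the change is treated as applied. The following is an added example, not code from the original page or from Google; check_operation, OperationMismatch and the sample body are hypothetical names, and the shape of the error object is an assumption.

```python
import json

# Constructed sample modeled on the DELETE_USER response above (placeholders kept).
SAMPLE_RESPONSE = """{
  "kind": "sql#operation",
  "status": "DONE",
  "operationType": "DELETE_USER",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "targetProject": "PROJECT_ID",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID"
}"""


class OperationMismatch(Exception):
    """The response does not describe the operation that was requested."""


def check_operation(body, expected_type, project, instance):
    """Validate a users:update or users:delete response body.

    Returns (True, None) when the operation is DONE, or (False, selfLink)
    when it is still in progress and the caller should re-fetch selfLink.
    """
    op = json.loads(body)

    # Assumption: failures are reported in an "error" object holding an
    # "errors" list whose items carry a "message"; checked first because an
    # error body may lack the operation fields compared below.
    errors = (op.get("error") or {}).get("errors") or []
    if errors:
        raise RuntimeError("; ".join(str(e.get("message", e)) for e in errors))

    expected = {
        "kind": "sql#operation",
        "operationType": expected_type,
        "targetProject": project,
        "targetId": instance,
    }
    for field, want in expected.items():
        if op.get(field) != want:
            raise OperationMismatch(f"{field}: expected {want!r}, got {op.get(field)!r}")

    if op.get("status") == "DONE":
        return True, None
    return False, op.get("selfLink")
```

A status other than DONE is not a failure; the returned selfLink is the operation resource to fetch again until it completes.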

mysql Client

  1. To delete a user, at the mysql prompt, use the following DROP USER statement:
    DROP USER 'USER_NAME'@'HOST_NAME';
  2. Flush the mysql.user table to ensure that the change persists:
    FLUSH TABLES mysql.user;
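Because anonymous users have to be removed manually, as noted at the start of this section, the following added example (not part of the original page) audits a user/host listing and returns the DROP USER statements to review before running them in the mysql client. The function names and sample listing are constructed; it assumes the listing was produced by the mysql client with -N -B.

```python
# Constructed sample of `mysql -N -B -e "SELECT user, host FROM mysql.user"`
# output: one account per line, user and host separated by a tab.
SAMPLE_LISTING = "root\t%\n\tlocalhost\napp_rw\t10.0.0.%\n\t%\n"


def parse_listing(text):
    """Return (user, host) tuples; an empty user field is kept as ''."""
    accounts = []
    for line in text.splitlines():
        if line == "":
            continue
        if "\t" not in line or "\\" in line:
            # Batch mode escapes tab, newline and backslash inside values;
            # such names are rejected here rather than guessed at.
            raise ValueError(f"unsupported listing line: {line!r}")
        # partition (not split/strip) keeps a leading empty user field.
        user, _, host = line.partition("\t")
        accounts.append((user, host))
    return accounts


def quote(value):
    """Single-quote an account name part, doubling embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def anonymous_drop_statements(accounts):
    """DROP USER statements for every anonymous (empty-name) account."""
    return [f"DROP USER {quote(u)}@{quote(h)};" for u, h in accounts if u == ""]


def any_host_accounts(accounts):
    """Named accounts that may connect from any host (host is %)."""
    return [(u, h) for u, h in accounts if u and h == "%"]
```

Parsing with a whitespace-stripping split would shift the host into the user column for anonymous rows and hide exactly the accounts being looked for.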

Update user properties

To update user properties such as host or privileges, you must use the mysql client. For more information, see MySQL User Account Management in the MySQL documentation.

Last updated 2026-02-19 UTC.