About MySQL users
This page describes how Cloud SQL works with MySQL users. MySQL user accounts provide security by controlling access to MySQL databases.
For complete documentation about users in MySQL, see Access Control and Account Management in the MySQL documentation. For information about creating and managing Cloud SQL users in Cloud SQL, see Create and manage users.
Why you need MySQL user accounts
MySQL user accounts enable you to log in to and administer your Cloud SQL instance. User accounts are also required for applications to access your instance.
Superuser restrictions
In Cloud SQL, customers cannot create or access users with superuser attributes.
Because Cloud SQL for MySQL is a managed service, it restricts access to certain system procedures and tables.
Data Manipulation Language (DML) and Data Definition Language (DDL) privileges are restricted on some schema tables.
Here's the list of MySQL 5.6 system tables in the mysql schema that require write permissions:
- audit_log_rules_expanded
- audit_log_supported_ops
- audit_log_rules
- cloudsql_replica_index
- db
- event
- func
- heartbeat
- plugin
- proc
- user
- tables_priv
For MySQL 5.7, here's the list:
- audit_log_rules_expanded
- audit_log_supported_ops
- audit_log_rules
- cloudsql_replica_index
- db
- event
- func
- gtid_executed
- heartbeat
- plugin
- proc
- user
- tables_priv
For related information about MySQL 8.0 and MySQL 8.4, see MySQL 8.0 user privileges (cloudsqlsuperuser) and MySQL 8.4 user privileges (cloudsqlsuperuser).
MySQL user account format
MySQL user accounts have two components: a username and a hostname. The username identifies the user, and the hostname specifies what hosts that user can connect from. The username and hostname are combined to create a user account:
'<user_name>'@'<host_name>'
You can specify a specific IP address or address range for hostname, or use the percent character ("%") to leave the hostname unrestricted. Note that if you connect to your instance using IP addresses, you must add your client IP address as an Authorized Address, even if your user's hostname is unrestricted.
User accounts are defined by both the username and the hostname. For example, 'user'@'%' is a different user account than 'user'@'localhost'.
Default MySQL user
Upon creation, MySQL instances have one default user account: 'root'@'%'. You use this account to connect to and manage the database instance for the first time. The default user has all database privileges except for SUPER and FILE. In Cloud SQL, you can't rename 'root'@'%'.
The default for 'root'@'%' is no password, and MySQL does not require you to use a password for 'root'@'%'. However, because 'root'@'%' exists on most MySQL installations, the 'root'@'%' user is a common target for unauthorized access. Any person or program that gains access to your instance has almost unlimited access to, and control over, your instance and data. For this reason, we recommend you configure your 'root'@'%' user with a strong password or delete this user. For help with configuring the default user account, see Configure the default user account.
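The following statements are an added example, not part of the original Cloud SQL documentation: they audit accounts that accept connections from any host and then apply one of the two recommendations above to 'root'@'%'. They assume MySQL 5.7 or later, an account that can read mysql.user, and a placeholder password that you replace.

```sql
-- Added example (assumptions: MySQL 5.7 or later, SELECT access to mysql.user).

-- 1. List every account with an unrestricted hostname and flag the ones
--    that have no stored credential. authentication_string replaced the
--    older Password column in MySQL 5.7. An account that uses a
--    non-password plugin can legitimately show an empty string, so read
--    no_password together with the plugin column.
SELECT user,
       host,
       plugin,
       (authentication_string IS NULL OR authentication_string = '') AS no_password,
       account_locked
FROM mysql.user
WHERE host = '%'
ORDER BY no_password DESC, user;

-- 2. Accounts are keyed by username AND hostname, so each row returned
--    here is a separate account with its own password and grants.
--    Only 'root'@'%' is the customer-managed default user; the localhost
--    root entries are system users that cannot be modified.
SELECT user, host, plugin
FROM mysql.user
WHERE user = 'root'
ORDER BY host;

-- 3a. Option one: give the default user a strong password.
--     '<STRONG_PASSWORD_PLACEHOLDER>' is a placeholder, not a real value.
ALTER USER 'root'@'%' IDENTIFIED BY '<STRONG_PASSWORD_PLACEHOLDER>';

-- 3b. Option two: delete the default user. Confirm first that another
--     administrative account exists and can log in, then uncomment.
-- DROP USER 'root'@'%';

-- 4. Re-run the audit for root to confirm the result.
SELECT user,
       host,
       (authentication_string IS NULL OR authentication_string = '') AS no_password
FROM mysql.user
WHERE user = 'root' AND host = '%';
```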
System users
Cloud SQL supports the following system users:
- root@localhost, root@127.0.0.1, root@::1: Used to provide the managed database service.
- cloudsqlreplica@%: Used as a replication user for replicas.
- cloudsqlimport@localhost, cloudsqlimport@127.0.0.1: Used for data imports.
- cloudsqlexport@localhost, cloudsqlexport@127.0.0.1: Used for data exports.
- cloudsqloneshot: Used for other database operations.
- cloudsqlapplier@localhost: Used for replication operations in external server replica or cross major version replication.
- cloudsqlobservabilityadmin: Used for database observability.
- cloudiamgroup@'%': Used for the IAM group authentication.
- cloudsqlreadonly: Used to execute read-only operations on system tables.
- cloudsqlreplicaindex: Used to manage secondary indexes on replicas.
You cannot delete or modify these users.
Other MySQL user accounts
You can also create other MySQL user accounts. This is a good practice because it lets you use different MySQL user accounts for different purposes.
You can create a user account with a restricted hostname, or use SQL commands to limit privileges on your user accounts.
For more information about user account names, see Specifying Account Names in the MySQL documentation. To create a new MySQL user in Cloud SQL, see Create a user.
MySQL 5.6 and 5.7 user privileges
MySQL provides fine-grained privileges you can grant or remove for a user. This lets you control what a user can do on your instance.
Users created using Cloud SQL have the same privileges as the default MySQL user. You can change their privileges by using the GRANT or REVOKE statements.
When you use the mysql client to create a user, you must explicitly grant that user privileges with the GRANT statement.
For more information about the privileges supported by MySQL, see Privileges Provided by MySQL.
MySQL 8.0 user privileges (cloudsqlsuperuser)
In Cloud SQL for MySQL 8.0, when you create a new user, the user is automatically granted the cloudsqlsuperuser role. The cloudsqlsuperuser role is a Cloud SQL role that contains a number of MySQL privileges. This role gives the user all of the MySQL static privileges, except for SUPER and FILE.
The cloudsqlsuperuser role only supports the following dynamic privileges based on MySQL 8.0 minor versions:
MySQL 8.0.18
MySQL 8.0.26
MySQL 8.0.27
MySQL 8.0.28
- APPLICATION_PASSWORD_ADMIN
- CONNECTION_ADMIN
- ROLE_ADMIN
- SET_USER_ID
- XA_RECOVER_ADMIN
- CLOUDSQL_SPECIAL_VARIABLES_ADMIN
- FLUSH_OPTIMIZER_COSTS
- FLUSH_STATUS
- FLUSH_TABLES
- FLUSH_USER_RESOURCES
- INNODB_REDO_LOG_ENABLE
- SHOW_ROUTINE
- AUTHENTICATION_POLICY_ADMIN
- GROUP_REPLICATION_STREAM
- PASSWORDLESS_USER_ADMIN
- AUDIT_ABORT_EXEMPT
MySQL 8.0.29 (deprecated)
- APPLICATION_PASSWORD_ADMIN
- CONNECTION_ADMIN
- ROLE_ADMIN
- SET_USER_ID
- XA_RECOVER_ADMIN
- CLOUDSQL_SPECIAL_VARIABLES_ADMIN
- FLUSH_OPTIMIZER_COSTS
- FLUSH_STATUS
- FLUSH_TABLES
- FLUSH_USER_RESOURCES
- INNODB_REDO_LOG_ENABLE
- SHOW_ROUTINE
- AUTHENTICATION_POLICY_ADMIN
- GROUP_REPLICATION_STREAM
- PASSWORDLESS_USER_ADMIN
- AUDIT_ABORT_EXEMPT
- SENSITIVE_VARIABLES_OBSERVER
MySQL 8.0.30 and later
- APPLICATION_PASSWORD_ADMIN
- CONNECTION_ADMIN
- ROLE_ADMIN
- SET_USER_ID
- XA_RECOVER_ADMIN
- CLOUDSQL_SPECIAL_VARIABLES_ADMIN
- FLUSH_OPTIMIZER_COSTS
- FLUSH_STATUS
- FLUSH_TABLES
- FLUSH_USER_RESOURCES
- INNODB_REDO_LOG_ENABLE
- SHOW_ROUTINE
- AUTHENTICATION_POLICY_ADMIN
- GROUP_REPLICATION_STREAM
- PASSWORDLESS_USER_ADMIN
- AUDIT_ABORT_EXEMPT
- SENSITIVE_VARIABLES_OBSERVER
- FIREWALL_EXEMPT
The cloudsqlsuperuser role doesn't support any Data Definition Language (DDL) operations on the mysql system database.
To see a complete list of privileges granted to the cloudsqlsuperuser role, execute the SHOW GRANTS statement in the mysql client:
SHOW GRANTS FOR 'cloudsqlsuperuser'
MySQL 8.4 user privileges (cloudsqlsuperuser)
Similar to Cloud SQL for MySQL 8.0, in Cloud SQL for MySQL 8.4, when you create a new user, the user is automatically granted the cloudsqlsuperuser role.
In MySQL 8.4, the cloudsqlsuperuser role has the same privileges as MySQL 8.0.x. However, MySQL 8.4 has the following main differences with MySQL 8.0.x:
- Removes the SET_USER_ID privilege and replaces it with the newly introduced ALLOW_NONEXISTENT_DEFINER and SET_ANY_DEFINER privileges.
- Grants FLUSH_PRIVILEGES as a subset of the RELOAD privilege. This grant isn't a replacement for the RELOAD privilege, and the RELOAD privilege is still granted for backwards compatibility.
- Grants the new OPTIMIZE_LOCAL_TABLE privilege.
In addition, Cloud SQL for MySQL 8.4 doesn't grant the TRANSACTION_GTID_TAG or TELEMETRY_LOG_ADMIN privileges introduced in MySQL 8.4.
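The following statements are an added example, not part of the original Cloud SQL documentation: they apply the GRANT and REVOKE guidance from the MySQL 5.6 and 5.7 section and the cloudsqlsuperuser sections to reduce accounts to the privileges they need. The account names app_rw and report_ro, the 10.10.0.% address range, the appdb schema and the password are hypothetical placeholders.

```sql
-- Added example. Hypothetical names: app_rw, report_ro, appdb, 10.10.0.%.

-- A. Account created from the mysql client.
--    It starts with no privileges, so grant only what the application
--    uses, and restrict the hostname to the application's address range
--    instead of '%'.
CREATE USER 'app_rw'@'10.10.0.%' IDENTIFIED BY '<STRONG_PASSWORD_PLACEHOLDER>';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app_rw'@'10.10.0.%';

-- B. Account created through Cloud SQL on MySQL 5.6 or 5.7.
--    It holds the same privileges as the default user, so remove them
--    all and grant back the minimum. Run this branch only on 5.6/5.7.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'report_ro'@'%';
GRANT SELECT ON appdb.* TO 'report_ro'@'%';

-- C. Account on MySQL 8.0 or 8.4 that holds the cloudsqlsuperuser role.
--    First confirm the role appears in the account's grants, then revoke
--    the role and grant the minimum. Run this branch only on 8.0/8.4.
SHOW GRANTS FOR 'report_ro'@'%';
REVOKE 'cloudsqlsuperuser' FROM 'report_ro'@'%';
GRANT SELECT ON appdb.* TO 'report_ro'@'%';

-- D. Verify the result. Each output should list only USAGE plus the
--    schema-level privileges granted above, and no cloudsqlsuperuser role.
SHOW GRANTS FOR 'app_rw'@'10.10.0.%';
SHOW GRANTS FOR 'report_ro'@'%';

-- E. Because accounts are keyed by username and hostname, confirm that no
--    second account with the same username and a wider hostname remains.
SELECT user, host
FROM mysql.user
WHERE user IN ('app_rw', 'report_ro')
ORDER BY user, host;
```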
What's next
- Configure the root user account for your instance.
- Create and manage users.
- Create and manage databases.
- See the MySQL documentation about MySQL users.
- See the MySQL documentation about privileges provided by MySQL.
- Learn about options for connecting to your instance.
Last updated 2025-12-17 UTC.