Cloud SQL built-in database authentication
This page describes how built-in authentication works on Cloud SQL instances and how database administrators can set password policies for local database users.
Introduction
Authentication is the process of verifying the identity of a user who is attempting to access an instance. Cloud SQL uses the following types of authentication for database users:
- The database's built-in authentication uses a username and a password to authenticate local database users. The current page describes this type of authentication.
- IAM database authentication uses IAM to authenticate a user. For more information, see Overview of Cloud SQL IAM database authentication.
Although IAM database authentication is more secure and reliable, you might prefer to use built-in authentication or a hybrid authentication model that includes both authentication types.
You might create and manage local database users locally within a database to allow specific persons or applications to access a database. Such database users own the objects they create in the database. Cloud SQL offers strong built-in password enforcement. You can define and enable such enforcement through password policies.
Note: Password policies don't apply to hashed passwords.
Instance password policies
You can set a password policy at the instance level when you create an instance.
A password policy for an instance can include the following options:
- Minimum length: specify the minimum number of characters that the password must have.
- Password complexity: check if the password is a combination of lowercase, uppercase, numeric, and non-alphanumeric characters.
- Restrict password reuse: specify the number of previous passwords that you can't reuse.
- Disallow username: prevent the use of the username in the password.
- Set password change interval: specify the minimum duration after which you can change the password.
You need to explicitly enable a password policy at the instance level. You can modify it later by editing the instance.
Note: When you enable a password policy, due to password policy verification, statements that create users or change user passwords cause additional latency, usually spanning less than 200ms.
User password policies
While creating a user, you can set the following password usage restrictions:
- Set password to expire: specify the number of days after which the password expires and you need to create a new one.
- Lock after failed attempts: specify the number of times that you can try the password incorrectly before the account is locked.
You can also modify user password policies.
The status of a user, indicating whether their password has expired or they're locked out, is visible when you list the users of the instance. You can unlock users and change the password from the Users page.
Cloud SQL built-in authentication for read replicas
You manage password policies for replicas on the primary instance. You can't separately modify password policies for read replicas.
When you promote an instance, you need to re-enable the instance password policy, along with the policy options.
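The audit sketch below is an added example, not code from the Cloud SQL documentation. It checks instance descriptions for the instance password policy options listed above and catches a promoted instance whose policy was never re-enabled. It assumes the JSON shape of `gcloud sql instances describe --format=json` with the Admin API's `passwordValidationPolicy` field names; the baseline thresholds, instance names and sample data are constructed.

```python
import json

# Baseline thresholds are assumptions for this example, not Cloud SQL defaults.
BASELINE = {"minLength": 12, "reuseInterval": 5}

# Constructed sample shaped like `gcloud sql instances describe --format=json`
# output; instance names and values are made up.
SAMPLE = json.loads("""
[
  {"name": "orders-primary", "instanceType": "CLOUD_SQL_INSTANCE",
   "settings": {"passwordValidationPolicy": {
     "enablePasswordPolicy": true, "minLength": 14,
     "complexity": "COMPLEXITY_DEFAULT", "reuseInterval": 5,
     "disallowUsernameSubstring": true, "passwordChangeInterval": "86400s"}}},
  {"name": "orders-promoted", "instanceType": "CLOUD_SQL_INSTANCE",
   "settings": {}},
  {"name": "orders-replica", "instanceType": "READ_REPLICA_INSTANCE",
   "masterInstanceName": "proj:orders-primary", "settings": {}},
  {"name": "legacy", "instanceType": "CLOUD_SQL_INSTANCE",
   "settings": {"passwordValidationPolicy": {
     "enablePasswordPolicy": true, "minLength": 8}}}
]
""")

def audit_instance(inst):
    """Return a list of findings for one instance description."""
    if inst.get("instanceType") == "READ_REPLICA_INSTANCE":
        return []  # replicas are governed by the primary's policy
    policy = inst.get("settings", {}).get("passwordValidationPolicy") or {}
    if not policy.get("enablePasswordPolicy"):
        return ["password policy not enabled"]
    findings = []
    if policy.get("minLength", 0) < BASELINE["minLength"]:
        findings.append("minimum length below baseline")
    if policy.get("complexity") != "COMPLEXITY_DEFAULT":
        findings.append("complexity check not set")
    if policy.get("reuseInterval", 0) < BASELINE["reuseInterval"]:
        findings.append("reuse restriction below baseline")
    if not policy.get("disallowUsernameSubstring"):
        findings.append("username allowed in password")
    if not policy.get("passwordChangeInterval"):
        findings.append("no password change interval")
    return findings

def audit(instances):
    """Map instance name -> findings, omitting instances with none."""
    report = {i["name"]: audit_instance(i) for i in instances}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

Running this after every replica promotion, as well as on a schedule, surfaces instances that came up as primaries without an enabled policy.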
Last updated 2025-07-14 UTC.