Connect to Cloud SQL for PostgreSQL from App Engine flexible environment
Learn how to deploy a sample app onApp Engine flexible environmentconnected to a PostgreSQL instance by using the Google Cloud console and a clientapp.
Assuming that you complete all the steps in a timely manner, the resourcescreated in this quickstart typically cost less than one dollar (USD).
Before you begin
Note:The name you use for your project must be between 4 and 30 characters. When youtype the name, the form suggests a project ID, which you can edit. Theproject ID must be between 6 and 30 characters, with a lowercase letteras the first character. You can use a dash, lowercase letter, or digit for theremaining characters, but the last character cannot be a dash.- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.Make sure that billing is enabled for your Google Cloud project.
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.Make sure that billing is enabled for your Google Cloud project.
- Enable the Cloud APIs necessary to run a Cloud SQL sample app on App Engine flexible environment.
Console
Click the button below to enable the APIs required for this quickstart.
This enables the following APIs:
- Cloud SQL Admin API
- Compute Engine API
- Cloud Build API
- Cloud Logging API
By clicking the button, you also enable the Google App Engine Flexible Environment.
gcloud
Click the following button to open Cloud Shell, which provides command-line access to your Google Cloud resources directly from the browser. Cloud Shell can be used to run the
gcloudcommands presented throughout this quickstart.Run the following
gcloudcommand using Cloud Shell:gcloudservicesenableappengineflex.googleapis.comsqladmin.googleapis.com\compute.googleapis.comcloudbuild.googleapis.comlogging.googleapis.com
This command enables the following APIs:
- Cloud SQL Admin API
- Compute Engine API
- Cloud Build API
- Cloud Logging API
By running the above command, you also enable the Google App Engine Flexible Environment.
Set up Cloud SQL
Create a Cloud SQL instance
Public IP
Console
In the Google Cloud console, go to theCloud SQL Instances page.
- ClickCreate instance.
- ClickChoose PostgreSQL.
- Make sure thatEnterprise Plus is selected as the Cloud SQL edition for your instance.
- In theInstance ID field, enter
quickstart-instance. - In thePassword field, enter a password for the postgres user. Save this password for future use.
- In theChoose region and zonal availability section, selectSingle zone.
- Click theShow configuration options menu.
- Expand theMachine configuration node.
- From theMachine shapes region, select the4 vCPU, 32 GB shape.
- ClickCreate instance and then wait until the instance initializes and starts.
gcloud
Before running the command as follows, replaceDB_ROOT_PASSWORD with the password of your database user.
Optionally, modify the values for the following parameters:
- --database-version: The database engine type and version. If left unspecified, the API default is used. See thegcloud database versions documentation to see the current available versions.
- --cpu: The number of cores desired in the machine.
- --memory: Whole number value indicating how much memory is desired in the machine. A size unit should be provided (for example, 3072MB or 9GB). If no units are specified, GB is assumed.
- --region: Regional location of the instance (for example asia-east1, us-east1). If left unspecified, the default
us-centralis used.
Run thegcloud sql instances create command to create a Cloud SQL instance.
gcloudsqlinstancescreatequickstart-instance\--database-version=POSTGRES_14\--cpu=1\--memory=4GB\--region=us-central\--root-password=DB_ROOT_PASSWORD
Private IP
Console
Allocate an IP address range and create a private connection to configure private services access for Cloud SQL
In the Google Cloud console, go to theVPC networks page.
- Select the
defaultVPC network. - Select thePrivate service connection tab.
- Select theAllocated IP ranges for services tab.
- ClickAllocate IP range.
- For theName of the allocated range, specify
google-managed-services-default. - Select theAutomatic option for IP range and specify the prefix length as
16. - ClickAllocate to create the allocated range.
- Select thePrivate connections to services tab for the
defaultVPC network. - ClickCreate connection to create a private connection between your network and a service producer.
- For theAssigned allocation, select
google-managed-services-default. - ClickConnect to create the connection.
Create an instance with private IP address and SSL enabled
In the Google Cloud console, go to theCloud SQL Instances page.
- ClickCreate instance.
- ClickChoose PostgreSQL.
- Make sure thatEnterprise Plus is selected as the Cloud SQL edition for your instance.
- In theInstance ID field, enter
quickstart-instance. - In thePassword field, enter a password for the postgres user. Save this password for future use.
- In theChoose region and zonal availability section, selectSingle zone.
- Click theShow configuration options menu.
- Expand theMachine configuration node.
- From theMachine shapes region, select the4 vCPU, 32 GB shape.
- Expand theConnections node.
- Clear thePublic IP checkbox to create an instance only with a private IP address.
- Select thePrivate IP checkbox.
- From theNetwork menu, selectdefault.
- ClickCreate instance and then wait for the instance to initialize and start.
- ClickConnections.
- In theSecurity section, selectAllow only SSL connections to enable SSL connections.
- In theAllow only SSL connections dialog, clickSave and then wait for the instance to restart.
gcloud
Allocate an IP address range and create a private connection to configure private services access for Cloud SQL
Run the
gcloud compute addresses createcommand to allocate an IP address range.gcloudcomputeaddressescreategoogle-managed-services-default\--global--purpose=VPC_PEERING--prefix-length=16\--description="peering range for Google"--network=default
Run the
gcloud services vpc-peerings connectcommand to create a private connection to the allocated IP address range. Replace YOUR_PROJECT_ID with your project's project ID.gcloudservicesvpc-peeringsconnect--service=servicenetworking.googleapis.com\--ranges=google-managed-services-default--network=default\--project=YOUR_PROJECT_ID
Create an instance with private IP address and SSL enabled
Before running the command as follows, replaceDB_ROOT_PASSWORD with the password of your database user.
- --database-version: The database engine type and version. If left unspecified, the API default is used. See thegcloud database versions documentation to see the current available versions.
- --cpu: The number of cores in the machine.
- --memory: A whole number value indicating how much memory to include in the machine. A size unit can be provided (for example, 3072MB or 9GB). If no units are specified, GB is assumed.
- --region: The regional location of the instance (for example asia-east1, us-east1). If left unspecified, the default
us-central1is used. See the full list ofregions. Run the
gcloud sql instances patchcommand to enableonly allow SSL connections for the instance.
Optionally, modify the values for the following parameters:
Run thegcloud sql instances create command to create a Cloud SQL instance with a Private IP address.
gcloudsqlinstancescreatequickstart-instance\--database-version=POSTGRES_14\--cpu=1\--memory=4GB\--region=us-central\--root-password=DB_ROOT_PASSWORD\--no-assign-ip\--network=default
gcloudsqlinstancespatchquickstart-instance--require-ssl
Create a database
Console
In the Google Cloud console, go to theCloud SQL Instances page.
- Select
quickstart-instance. - From the SQL navigation menu, selectDatabases.
- ClickCreate database.
- In theDatabase name field of theNew database dialog box, enter
quickstart-db. - ClickCreate.
gcloud
Run thegcloud sql databases create command to create a database.
gcloudsqldatabasescreatequickstart-db--instance=quickstart-instanceCreate a user
Console
In the Google Cloud console, go to theCloud SQL Instances page.
- Select thequickstart-instance PostgreSQL instance that you created.
- From the SQL navigation menu, selectUsers.
- ClickAdd user account.
- In theAdd a user account to instance quickstart-instance page, add the following information:
- In theUser name field, enter
quickstart-user. - In thePassword field, specify a password for your database user. Make a note of this password for use in a later step of this quickstart.
- In theUser name field, enter
- ClickAdd.
gcloud
Before running the following command, make the following replacements:
- PASSWORD with a password for your database user. Make a note of this for use in a later step of this quickstart.
Run thegcloud sql users create command to create the user.
gcloudsqluserscreatequickstart-user\--instance=quickstart-instance\--password=PASSWORD
User name length limits are the same for Cloud SQL as foron-premises PostgreSQL.
Deploy a sample app to App Engine flexible environment
Create an App Engine app
Console
In the Google Cloud console, go to theApp Engine page.
- ClickCreate application.
- From theSelect a region drop-down menu, selectus-central.
- ClickNext.
- After theGet started page appears, scroll to the bottom of the page.
- Click theI'll do this later link.
gcloud
- Run the following
gcloud app createcommand to create an App Engine app: - When prompted to choose the region where you want your App Engine app located, enter the numeric choice forus-central.
gcloudappcreate
Configure the App Engine service account
Configure the service account used by App Engine so that it has theCloud SQL Client role. By assigning the role to the service account, the account has permissions to connect to Cloud SQL.
Console
In the Google Cloud console, go to theIAM page.
- For the service account namedApp Engine default service account, click the pencil icon.Note: The name of the service account appears next to the principal for the account. The name of the principal isproject-name@appspot.gserviceaccount.com.
- ClickAdd another role.
- Add theRole namedCloud SQL Client.
- ClickSave.
gcloud
- Run the following
gcloudcommand to get a list of your project's service accounts:gcloud iam service-accounts list
- Copy theEMAIL of theApp Engine service account.
- Run the following command to add theCloud SQL Client role toApp Engine service account:
gcloudprojectsadd-iam-policy-bindingYOUR_PROJECT_ID\--member="serviceAccount:SERVICE_ACCOUNT_EMAIL"\--role="roles/cloudsql.client"
Configure and deploy a sample app for Cloud SQL
Now that you created a Cloud SQL instance and database, and you configured theApp Engine service account so that it has permissions to connect to Cloud SQL,you can configure and deploy a sample app to connect to your Cloud SQL instance.
Public IP
For public IP paths, App Engine flexible environment provides encryption. This method uses a Unix socket and the Cloud SQL Auth Proxy to connect to your Cloud SQL instance.Go
In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor- In theOpen in Cloud Shell dialog box, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
- At the Cloud Shell command prompt, run the following command to activate your project:
gcloudconfigsetprojectYOUR-PROJECT-ID - If anAuthorize Cloud Shell dialog box appears, then clickAuthorize.
- From theExplorer navigation menu of Cloud Shell Editor, click the expandable node that's the username of your Google Cloud account.
- Navigate to and open the
cloudshell_open/golang-samples/cloudsql/postgres/database-sql/app.flexible.yamlfile. - Replace the placeholders for the environment variables in the
app.flexible.yamlfile with the following values: - <PROJECT-ID> with your project ID.
- <INSTANCE-REGION> with
us-central1. - <INSTANCE-NAME> with
quickstart-instance. - <YOUR_DB_USER_NAME> with
quickstart-user. - <YOUR_DB_PASSWORD> with the password of the
quickstart-userthat you created inCreate a user. - <YOUR_DB_NAME> with
quickstart-db. - At the Cloud Shell command prompt, in the
cloudshell_open/golang-samples/cloudsql/postgres/database-sqldirectory, run the followinggcloud app deploycommand to deploy the sample app to App Engine flexible environment. - When prompted withDo you want to continue?, enter
Y. - After the actions performed by running the
gcloud app deploycommand complete, run thegcloud app browsecommand: - Click the generated link to see the sample app running on App Engine flexible environment. This environment is connected to Cloud SQL.
gcloudappdeployapp.flexible.yaml
gcloudappbrowse
Java
In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor- In theOpen in Cloud Shell dialog box, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
- At the Cloud Shell command prompt, run the following command to activate your project:
gcloudconfigsetprojectYOUR-PROJECT-ID - If anAuthorize Cloud Shell dialog box appears, then clickAuthorize.
- From theExplorer navigation menu of Cloud Shell Editor, click the expandable node that's the username of your Google Cloud account.
- Navigate to and open the
cloudshell_open/java-docs-samples/cloud-sql/postgres/servlet/src/main/webapp/WEB-INF/appengine-web.xmlfile. - Replace the placeholders for the environment variables in the
appengine-web.xmlfile with the following values: - my-project:region:instance with your instance'sConnection name that appears on theCloud SQL instances page in the Google Cloud console.
- my-db-user with
quickstart-user. - my-db-password with the password of the
quickstart-userthat you created inCreate a user. - my_db with
quickstart-db. - At the Cloud Shell command prompt, in the
cloudshell_open/java-docs-samples/cloud-sql/postgres/servletdirectory, run the followingApache Mavenmvn clean packagecommand to deploy the sample app to App Engine flexible environment. - When prompted withDo you want to continue?, enter
Y. - After the actions performed by running the
gcloud app deploycommand complete, run thegcloud app browsecommand: - Click the generated link to see the sample app running on App Engine flexible environment. This environment is connected to Cloud SQL.
mvncleanpackageappengine:deploy-DskipTests
gcloudappbrowse
Node.js
In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor- In theOpen in Cloud Shell dialog box, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
- At the Cloud Shell command prompt, run the following command to activate your project:
gcloudconfigsetprojectYOUR-PROJECT-ID - If anAuthorize Cloud Shell dialog box appears, then clickAuthorize.
- From theExplorer navigation menu of Cloud Shell Editor, click the expandable node that's the username of your Google Cloud account.
- Navigate to and open the
cloudshell_open/nodejs-docs-samples/cloud-sql/postgres/knex/app.flexible.yamlfile. - Replace the placeholders for the environment variables in the
app.flexible.yamlfile with the following values: - <MY-PROJECT> with your project ID.
- <INSTANCE-REGION> with
us-central1. - <INSTANCE-NAME> with
quickstart-instance. - MY_DB_USER with
quickstart-user. - MY_DB_PASSWORD with the password of the
quickstart-userthat you created inCreate a user. - MY_DATABASE with
quickstart-db. - At the Cloud Shell command prompt, in the
cloudshell_open/nodejs-docs-samples/cloud-sql/postgres/knexdirectory, run the followinggcloud app deploycommand to deploy the sample app to App Engine flexible environment. - When prompted withDo you want to continue?, enter
Y. - After the actions performed by running the
gcloud app deploycommand complete, run thegcloud app browsecommand: - Click the generated link to see the sample app running on App Engine flexible environment. This environment is connected to Cloud SQL.
gcloudappdeployapp.flexible.yaml
gcloudappbrowse
Python
In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor- In theOpen in Cloud Shell dialog box, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
- At the Cloud Shell command prompt, run the following command to activate your project:
gcloudconfigsetprojectYOUR-PROJECT-ID - If anAuthorize Cloud Shell dialog box appears, then clickAuthorize.
- From theExplorer navigation menu of Cloud Shell Editor, click the expandable node that's the username of your Google Cloud account.
- Navigate to and open the
cloudshell_open/python-docs-samples/cloud-sql/postgres/sqlalchemy/app.flexible.yamlfile. - Replace the placeholders for the environment variables in the
app.flexible.yamlfile with the following values: - <PROJECT-ID> with your project ID.
- <INSTANCE-REGION> with
us-central1. - <INSTANCE-NAME> with
quickstart-instance. - <YOUR_DB_USER_NAME> with
quickstart-user. - <YOUR_DB_PASSWORD> with the password of the
quickstart-userthat you created inCreate a user. - <YOUR_DB_NAME> with
quickstart-db. - At the Cloud Shell command prompt, in the
cloudshell_open/python-docs-samples/cloud-sql/postgres/sqlalchemydirectory, run the followinggcloud app deploycommand to deploy the sample app to App Engine flexible environment. - When prompted withDo you want to continue?, enter
Y. - After the actions performed by running the
gcloud app deploycommand complete, run thegcloud app browsecommand: - Click the generated link to see the sample app running on App Engine flexible environment. This environment is connected to Cloud SQL.
gcloudappdeployapp.flexible.yaml
gcloudappbrowse
Private IP
For private IP paths, make sure your App Engine flexible environment VM and the Cloud SQL instance are hosted on the same Virtual Private Cloud (VPC) network. When located on the same VPC network, your App Engine flexible environment app can connect directly to the Cloud SQL instance without using the Cloud SQL Auth Proxy.Go
Create and download SSL server and client certificates
In the Google Cloud console, go to theCloud SQL Instances page.
- Click the
quickstart-instanceto see itsOverview page - Click theConnections tab.
- Under theSecurity section, clickCreate client certificate.
- In theCreate a client certificate dialog, enter
quickstart-keyas the name and clickCreate. In theNew SSL certificate created dialog, click each download link to download the certificates. Then, clickClose.
Important: Store this private key securely. If you lose it, you mustcreate a new client certificate.
Build sample app with SSL certificates
- In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor - In theOpen in Cloud Shell dialog, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
- At the Cloud Shell command prompt, run the following command to activate your project:
gcloudconfigsetprojectYOUR-PROJECT-ID - If anAuthorize Cloud Shell dialog appears, then clickAuthorize.
- Upload SSL certs files tocerts folder.
- From the Explorer navigation menu of Cloud Shell Editor, navigate to the
golang-samples/cloudsql/postgres/database-sql/certsfolder. - Right-clickcerts folder in Cloud Shell Editor and selectUpload Files
- Select following files on your local machine:
client-key.pemclient-cert.pemserver-ca.pem- With the three SSL certificate files selected, clickOpen to complete the process of uploading the files to Cloud Shell Editor.
- From the Explorer navigation menu of Cloud Shell Editor, navigate to the
- From theExplorer navigation menu of Cloud Shell Editor, click the expandable node that's the username of your Google Cloud account.
- Navigate to and open the
cloudshell_open/golang-samples/cloudsql/postgres/database-sql/app.flexible.yamlfile. - Copy and paste the following code into the file, replacing the existing file content:
- Make the following variable replacements:
- YOUR_DB_PASSWORD with the password of the
quickstart-userthat you created inCreate a user. - INSTANCE_HOST with your instance'sPrivate IP address that appears on theCloud SQL instances page in the Google Cloud console.
- PROJECT_ID with your project ID.
- At the Cloud Shell command prompt, in the
cloudshell_open/golang-samples/cloudsql/postgres/database-sqldirectory, run the followinggcloud app deploycommand to deploy the sample app to App Engine flexible environment. - When prompted withDo you want to continue?, enter
Y. - After the actions performed by running the
gcloud app deploycommand complete, run thegcloud app browsecommand: - Click the generated link to see the sample app running on App Engine flexible environment. This environment is connected to Cloud SQL.
runtime:customenv:flexenv_variables:DB_USER:quickstart-userDB_PASS:YOUR_DB_PASSWORDDB_NAME:quickstart-dbDB_PORT:3306INSTANCE_HOST:INSTANCE_HOSTDB_ROOT_CERT:certs/server-ca.pemDB_CERT:certs/client-cert.pemDB_KEY:certs/client-key.pemPRIVATE_IP:TRUEvpc_access_connector:name:projects/PROJECT_ID/locations/us-central1/connectors/quickstart-connectorgcloudappdeployapp.flexible.yaml
gcloudappbrowse
Java
Create and download SSL server and client certificates
For Java users, the connector already provides a secure connection so that creating and downloading SSL server and client certificates is unnecessary.
Build Sample App
- In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor - In theOpen in Cloud Shell dialog, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
- At the Cloud Shell command prompt, run the following command to activate your project:
gcloudconfigsetprojectYOUR-PROJECT-ID - If anAuthorize Cloud Shell dialog appears, then clickAuthorize.
- From theExplorer navigation menu of Cloud Shell Editor, click the expandable node that's the username of your Google Cloud account.
- Navigate to and open the
cloudshell_open/java-docs-samples/cloud-sql/postgres/servlet/src/main/webapp/WEB-INF/appengine-web.xmlfile. - Copy and paste the following code into the
appengine-web.xmlfile, replacing the existing file content: - Make the following variable replacements:
- project-name:region-name:instance-name with your instance'sConnection name that appears on theCloud SQL instances page in the Google Cloud console.
- my-db-password with the password of the
quickstart-userthat you created inCreate a user. - PROJECT_ID with your project ID.
- At the Cloud Shell command prompt, in the
cloudshell_open/java-docs-samples/cloud-sql/postgres/servletdirectory, run the followingApache Mavenmvn clean packagecommand to deploy the sample app to App Engine flexible environment. - When prompted withDo you want to continue?, enter
Y. - After the actions performed by running the
gcloud app deploycommand complete, run thegcloud app browsecommand: - Click the generated link to see the sample app running on App Engine flexible environment. This environment is connected to Cloud SQL.
<runtime>java17</runtime><env-variables><env-varname="INSTANCE_CONNECTION_NAME"value="project-name:region-name:instance-name"/><env-varname="DB_PORT"value="5432"/><env-varname="DB_USER"value="quickstart-user"/><env-varname="DB_PASS"value="my-db-password"/><env-varname="DB_NAME"value="quickstart-db"/></env-variables><vpc-access-connector><name>projects/PROJECT_ID/locations/us-central1/connectors/quickstart-connector</name><egress-setting>all-traffic</egress-setting></vpc-access-connector>
mvncleanpackageappengine:deploy-DskipTests
gcloudappbrowse
Node.js
Create and download SSL server and client certificates
In the Google Cloud console, go to theCloud SQL Instances page.
- Click the
quickstart-instanceto see itsOverview page - Click theConnections tab.
- Under theSecurity section, clickCreate client certificate.
- In theCreate a client certificate dialog, enter
quickstart-keyas the name and clickCreate. In theNew SSL certificate created dialog, click each download link to download the certificates. Then, clickClose.
Important: Store this private key securely. If you lose it, you mustcreate a new client certificate.
Build sample app with SSL certificates
- In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor - In theOpen in Cloud Shell dialog, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
- At the Cloud Shell command prompt, run the following command to activate your project:
gcloudconfigsetprojectYOUR-PROJECT-ID - If anAuthorize Cloud Shell dialog appears, then clickAuthorize.
- Upload SSL certs files tocerts folder.
- From the Explorer navigation menu of Cloud Shell Editor, navigate to the
nodejs-docs-samples/cloud-sql/postgres/knex/certsfolder. - Right-clickcerts folder in Cloud Shell Editor and selectUpload Files
- Select following files on your local machine:
client-key.pemclient-cert.pemserver-ca.pem- With the three SSL certificate files selected, clickOpen to complete the process of uploading the files to Cloud Shell Editor.
- From the Explorer navigation menu of Cloud Shell Editor, navigate to the
- From theExplorer navigation menu of Cloud Shell Editor, click the expandable node that's the username of your Google Cloud account.
- Navigate to and open the
cloudshell_open/nodejs-docs-samples/cloud-sql/postgres/knex/app.flexible.yamlfile. - Copy and paste the following code into the file, replacing the existing file content:
- Make the following variable replacements:
- MY_DB_PASSWORD with the password of the
quickstart-userthat you created inCreate a user. - INSTANCE_HOST with your instance'sPrivate IP address that appears on theCloud SQL instances page in the Google Cloud console.
- PROJECT_ID with your project ID.
- At the Cloud Shell command prompt, in the
cloudshell_open/nodejs-docs-samples/cloud-sql/postgres/knexdirectory, run the followinggcloud app deploycommand to deploy the sample app to App Engine flexible environment. - When prompted withDo you want to continue?, enter
Y. - After the actions performed by running the
gcloud app deploycommand complete, run thegcloud app browsecommand: - Click the generated link to see the sample app running on App Engine flexible environment. This environment is connected to Cloud SQL.
runtime:nodejsenv:flexenv_variables:DB_USER:quickstart-userDB_PASS:MY_DB_PASSWORDDB_NAME:quickstart-dbDB_PORT:5432INSTANCE_HOST:INSTANCE_HOSTDB_ROOT_CERT:certs/server-ca.pemDB_CERT:certs/client-cert.pemDB_KEY:certs/client-key.pemPRIVATE_IP:TRUEvpc_access_connector:name:projects/PROJECT_ID/locations/us-central1/connectors/quickstart-connectorgcloudappdeployapp.flexible.yaml
gcloudappbrowse
Python
Create and download SSL server and client certificates
In the Google Cloud console, go to theCloud SQL Instances page.
- Click the
quickstart-instanceto see itsOverview page - Click theConnections tab.
- Under theSecurity section, clickCreate client certificate.
- In theCreate a client certificate dialog, enter
quickstart-keyas the name and clickCreate. In theNew SSL certificate created dialog, click each download link to download the certificates. Then, clickClose.
Important: Store this private key securely. If you lose it, you mustcreate a new client certificate.
Build sample app with SSL certificates
- In Cloud Shell Editor, open the sample app's source code.
Open Cloud Shell Editor - In theOpen in Cloud Shell dialog, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
- At the Cloud Shell command prompt, run the following command to activate your project:
gcloudconfigsetprojectYOUR-PROJECT-ID - If anAuthorize Cloud Shell dialog appears, then clickAuthorize.
- Upload SSL certs files tocerts folder.
- From the Explorer navigation menu of Cloud Shell Editor, navigate to the
python-docs-samples/cloud-sql/postgres/sqlalchemy/certsfolder. - Right-clickcerts folder in Cloud Shell Editor and selectUpload Files
- Select following files on your local machine:
client-key.pemclient-cert.pemserver-ca.pem- With the three SSL certificate files selected, clickOpen to complete the process of uploading the files to Cloud Shell Editor.
- From the Explorer navigation menu of Cloud Shell Editor, navigate to the
- From theExplorer navigation menu of Cloud Shell Editor, click the expandable node that's the username of your Google Cloud account.
- Navigate to and open the
cloudshell_open/python-docs-samples/cloud-sql/postgres/sqlalchemy/app.flexible.yamlfile. - Copy and paste the following code into the file, replacing the existing file content:
- Make the following variable replacements:
- YOUR_DB_PASSWORD with the password of the
quickstart-userthat you created inCreate a user. - INSTANCE_HOST with your instance'sPrivate IP address that appears on theCloud SQL instances page in the Google Cloud console.
- PROJECT_ID with your project ID.
- At the Cloud Shell command prompt, in the
cloudshell_open/python-docs-samples/cloud-sql/postgres/sqlalchemydirectory, run the followinggcloud app deploycommand to deploy the sample app to App Engine flexible environment. - When prompted withDo you want to continue?, enter
Y. - After the actions performed by running the
gcloud app deploycommand complete, run thegcloud app browsecommand: - Click the generated link to see the sample app running on App Engine flexible environment. This environment is connected to Cloud SQL.
runtime:customenv:flexentrypoint:gunicorn-b:$PORTapp:appentrypoint:gunicorn-b:$PORTapp:appenv_variables:DB_USER:quickstart-userDB_PASS:YOUR_DB_PASSWORDDB_NAME:quickstart-dbDB_PORT:5432INSTANCE_HOST:INSTANCE_HOSTDB_ROOT_CERT:certs/server-ca.pemDB_CERT:certs/client-cert.pemDB_KEY:certs/client-key.pemPRIVATE_IP:TRUEvpc_access_connector:name:projects/PROJECT_ID/locations/us-central1/connectors/quickstart-connector
gcloudappdeployapp.flexible.yaml
gcloudappbrowse
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
In the Google Cloud console, go to theCloud SQL Instances page.
- Select the
quickstart-instanceinstance to open theInstance detailspage. - In the icon bar at the top of the page, clickDelete.
- In theDelete instance dialog box, type
quickstart-instance, and thenclickDelete to delete the instance.Disabling your app stops it from running instances and serving requests.If your app is processing a request, your app completes the request before beingdisabled.
To disable an App Engine app and retain its data, do thefollowing:
In the Google Cloud console, go to theSettings page:
In theApplication settings tab, clickDisable application.
In theApp ID field, enter the ID of the app you want to disable, andthen clickDisable.
Optional cleanup steps
If you're not using theCloud SQL client role that you assigned to theCompute Engine service account, you can remove it.
In the Google Cloud console, go to theIAM page.
- Click the edit icon (which looks like a pencil) for the IAM account namedCompute Engine default service account.
- Delete theCloud SQL client role.
- ClickSave.
If you're not using the APIs that were enabled as part of this quickstart, youcan disable them.
- APIs that were enabled within this quickstart:
- Compute Engine API
- Cloud SQL Admin API
- Cloud Run API
- Container Registry API
- Cloud Build API
In the Google Cloud console, go to theAPIs page.
Select any API that you would like to disable and then click theDisable API button.
What's next
Based on your needs, you can learn more aboutcreating Cloud SQL instances.You also can learn about creatingPostgreSQL users anddatabases for your Cloud SQL instance.
For more information about pricing, seeCloud SQL for PostgreSQL pricing.
Learn more about:
- Configuring your Cloud SQL instance with apublic IP address.
- Configuring your Cloud SQL instance with aprivate IP address.
Additionally, you can learn about connecting to a Cloud SQL instance fromother Google Cloud products:
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-14 UTC.