Configure new and existing instances for IAM database authentication
This page has procedures for creating or editing Cloud SQL instances toallow users, service accounts, or groups that are configured to use Cloud SQLIAM database authentication. To learn more about the Cloud SQL IAMintegration, seeIAM authentication.
A newly-created instance has apostgres database.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.Make sure that billing is enabled for your Google Cloud project.
Install thegcloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Toinitialize the gcloud CLI, run the following command:
gcloudinit
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.Make sure that billing is enabled for your Google Cloud project.
Install thegcloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Toinitialize the gcloud CLI, run the following command:
gcloudinit
- Make sure you have the Cloud SQL Admin and Compute Viewer roles on your user account.
Learn more about roles and permissions.
The maximum number of instances you can have in a single project dependson thenetworkarchitectureof those instances:
- New SQL network architecture: You can have up to 1000 instances per project.
- Old SQL network architecture: You can have up to 100 instances per project.
- Using both architectures: Your limit will be somewhere between 100 and 1000, depending on the distribution of your instances across the two architectures.
File a support caseto request an increase. Read replicas are counted as instances.
Configure new instances for IAM database authentication
To configure a new Cloud SQL instance for IAM database authentication,you need to enable thecloudsql.iam_authentication flag.After you enable this flag, you can add IAM users, serviceaccounts, or groups to the Cloud SQL instance.
To configure a new Cloud SQL instance to use IAM database authentication:
Console
In the Google Cloud console, go to theCloud SQL Instances page.
- ClickCreate Instance.
- ClickChoose PostgreSQL.
- Enter a name for theInstance ID. Don't include sensitive or personally identifiable information in yourinstance name; it's externally visible.You don't need to include the project ID in the instance name. The projectID is included automatically where appropriate (for example, in the logfiles).
- Enter a password for the default administrator.
- From theDatabase version menu, select a database version.
- In theChoose region and zonal availability section, select the region and zone for your instance.Place your instance in the same region as the resources that access it. Theregion you select can't be modified in the future. Usually, you don't needto specify a zone.Note: If there's a resource location constraint on your organization policy, then you must select one of the regions that the organization policy allows. If a constraint exists, then a message appears about the constraint.Learn more.
- In theCustomize your instance section, clickShow Configuration Options, and then expandFlags.
- ClickAdd Flag.
- From theChoose a flag menu, select the
cloudsql.iam_authenticationflag. Make sure thatOn is selected as the value for this flag, and then clickDone. - Configure other instance settings, as needed. For more information aboutsettings, seeSettings.
- ClickCreate Instance.
gcloud
Rungcloud sql instances createwith the--database-flags parameter set tocloudsql.iam_authentication=on.
Replace the following:
- INSTANCE_NAME: the name of the new instance.
- POSTGRES_VERSION: the PostgreSQL version (such as POSTGRES_9_6, POSTGRES_10, POSTGRES_11, or POSTGRES_12).
- NUMBER_OF_CORES: the number of cores in the machine.
- AMOUNT_OF_MEMORY: the amount of memory in the machine. A size unit should be provided (such as, 3072MiB or 9GiB).
- ZONE: preferred Compute Engine zone (such as us-central1-a, or us-central1-b).
- PASSWORD: create a password for the root user.
gcloudsqlinstancescreateINSTANCE_NAME\--database-version=POSTGRES_VERSION\--cpu=NUMBER_OF_CORES\--memory=AMOUNT_OF_MEMORY\--zone=ZONE_NAME\--root-password=PASSWORD\--database-flags=cloudsql.iam_authentication=on
Terraform
To create an instance with IAM database authentication enabled,use aTerraform resource.
resource "google_sql_database_instance" "default" { name = "postgres-db-auth-instance-name-test" region = "us-west4" database_version = "POSTGRES_14" settings { tier = "db-custom-2-7680" database_flags { name = "cloudsql.iam_authentication" value = "on" } }}Apply the changes
To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.
Prepare Cloud Shell
- LaunchCloud Shell.
Set the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Environment variables are overridden if you set explicit values in the Terraform configuration file.
Prepare the directory
Each Terraform configuration file must have its own directory (alsocalled aroot module).
- InCloud Shell, create a directory and a new file within that directory. The filename must have the
.tfextension—for examplemain.tf. In this tutorial, the file is referred to asmain.tf.mkdirDIRECTORY && cdDIRECTORY && touch main.tf
If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly created
main.tf.Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
- Review and modify the sample parameters to apply to your environment.
- Save your changes.
- Initialize Terraform. You only need to do this once per directory.
terraform init
Optionally, to use the latest Google provider version, include the
-upgradeoption:terraform init -upgrade
Apply the changes
- Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
terraform plan
Make corrections to the configuration as necessary.
- Apply the Terraform configuration by running the following command and entering
yesat the prompt:terraform apply
Wait until Terraform displays the "Apply complete!" message.
- Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.
Delete the changes
To delete your changes, do the following:
- To disable deletion protection, in your Terraform configuration file set the
deletion_protectionargument tofalse.deletion_protection = "false"
- Apply the updated Terraform configuration by running the following command and entering
yesat the prompt:terraform apply
Remove resources previously applied with your Terraform configuration by running the following command and entering
yesat the prompt:terraform destroy
REST v1
Don't include sensitive or personally identifiable information (PII) in yourinstance name; it is externally visible.
You don't need to include the project ID in the instance name. The projectID is included automatically where needed (for example, in the logfiles).
Before using any of the request data, make the following replacements:
- INSTANCE_ID: the desired instance ID
- REGION: the desired region, such as us-east-1
- PROJECT_ID: the project ID
- LOCATION_ID: the location ID
- DATABASE_VERSION: enum string of the database version. For example:
POSTGRES_12 - PASSWORD: the password for the root user
- MACHINE_TYPE: enum string of the machine (tier) type, as:
db-custom-[CPUS]-[MEMORY_MBS]
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/instances
Request JSON body:
{ "name": "INSTANCE_ID", "region": "REGION", "databaseVersion": "DATABASE_VERSION", "rootPassword": "PASSWORD", "settings": { "tier": "MACHINE_TYPE", "backupConfiguration": { "enabled": true }, "databaseFlags": [ { "name": "cloudsql.iam_authentication", "value": "on" } ] }}To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/instances"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/instances" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "kind": "sql#operation", "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID", "status": "PENDING", "user": "user@example.com", "insertTime": "2020-01-01T19:13:21.834Z", "operationType": "CREATE", "name": "OPERATION_ID", "targetId": "INSTANCE_ID", "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID", "targetProject": "PROJECT_ID"}REST v1beta4
Don't include sensitive or personally identifiable information (PII) in yourinstance name; it is externally visible.
You don't need to include the project ID in the instance name. The projectID is included automatically where needed (for example, in the logfiles).
Before using any of the request data, make the following replacements:
- INSTANCE_ID: the desired instance ID
- REGION: the desired region, such as us-east-1
- PROJECT_ID: the project ID
- LOCATION_ID: the location ID
- DATABASE_VERSION: enum string of the database version. For example:
POSTGRES_12 - PASSWORD: the password for the root user
- MACHINE_TYPE: enum string of the machine (tier) type, as:
db-custom-[CPUS]-[MEMORY_MBS]
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/locations/LOCATION_ID/instances
Request JSON body:
{ "name": "INSTANCE_ID", "region": "REGION", "databaseVersion": "DATABASE_VERSION", "rootPassword": "PASSWORD", "settings": { "tier": "MACHINE_TYPE", "backupConfiguration": { "enabled": true }, "databaseFlags": [ { "name": "cloudsql.iam_authentication", "value": "on" } ] }}To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/locations/LOCATION_ID/instances"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/locations/LOCATION_ID/instances" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "kind": "sql#operation", "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID", "status": "PENDING", "user": "user@example.com", "insertTime": "2020-01-01T19:13:21.834Z", "operationType": "CREATE", "name": "OPERATION_ID", "targetId": "INSTANCE_ID", "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID", "targetProject": "PROJECT_ID"}Configure existing instances for IAM database authentication
To configure an existing Cloud SQL instance for IAM database authentication, you need toenable thecloudsql.iam_authentication flag.After you enable this flag, you can add IAM users, serviceaccounts, or groups to the Cloud SQL instance.
To configure an existing Cloud SQL instance to use IAM database authentication:
Console
In the Google Cloud console, go to theCloud SQL Instances page.
- To open theOverview page of an instance, click the instance name.
- ClickEdit.
- In theCustomize your instance section, expandFlags.
- ClickAdd Flag.
- From theChoose a flag menu, select the
cloudsql.iam_authenticationflag. Make sure thatOn is selected as the value for this flag, and then clickDone. - Configure other instance settings, as needed. For more information aboutsettings, seeSettings.
- ClickSave.
gcloud
For information about installing and getting started with the gcloud CLI, seeInstall the gcloud CLI. For information about starting Cloud Shell, seeUse Cloud Shell.
For this procedure, usegcloud sql instances patch.
Replace the following:
- INSTANCE_NAME: the name of the new instance.
gcloudsqlinstancespatchINSTANCE_NAME\--database-flags=cloudsql.iam_authentication=on
This resets all other existing database flag settings. For further guidance on setting database flags, seeSet a database flag.
REST v1
Before using any of the request data, make the following replacements:
- PROJECT_ID: the project ID
- LOCATION_ID: the location ID
- INSTANCE_ID: the desired instance ID
- REGION: the desired region
- DATABASE_VERSION: enum string of the database version. For example:
POSTGRES_12 - PASSWORD: the password for the root user
- MACHINE_TYPE: enum string of the machine (tier) type, as:
db-custom-[CPUS]-[MEMORY_MBS]
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/instances
Request JSON body:
{ "name": "INSTANCE_ID", "region": "REGION", "databaseVersion": "DATABASE_VERSION", "rootPassword": "PASSWORD", "settings": { "tier": "MACHINE_TYPE", "backupConfiguration": { "enabled": true } "databaseFlags": [ { "name": "cloudsql.iam_authentication", "value": "on" } ] }}To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/instances"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/instances" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "kind": "sql#operation", "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID", "status": "PENDING", "user": "user@example.com", "insertTime": "2020-01-01T19:13:21.834Z", "operationType": "CREATE", "name": "OPERATION_ID", "targetId": "INSTANCE_ID", "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID", "targetProject": "PROJECT_ID"}REST v1beta4
Before using any of the request data, make the following replacements:
- PROJECT_ID: the project ID
- LOCATION_ID: the location ID
- INSTANCE_ID: the desired instance ID
- REGION: the desired region
- DATABASE_VERSION: enum string of the database version. For example:
POSTGRES_12 - PASSWORD: the password for the root user
- MACHINE_TYPE: enum string of the machine (tier) type, as:
db-custom-[CPUS]-[MEMORY_MBS]
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/locations/LOCATION_ID/instances
Request JSON body:
{ "name": "INSTANCE_ID", "region": "REGION", "databaseVersion": "DATABASE_VERSION", "rootPassword": "PASSWORD", "settings": { "tier": "MACHINE_TYPE", "backupConfiguration": { "enabled": true } "databaseFlags": [ { "name": "cloudsql.iam_authentication", "value": "on" } ] }}To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/locations/LOCATION_ID/instances"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/locations/LOCATION_ID/instances" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "kind": "sql#operation", "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID", "status": "PENDING", "user": "user@example.com", "insertTime": "2020-01-01T19:13:21.834Z", "operationType": "CREATE", "name": "OPERATION_ID", "targetId": "INSTANCE_ID", "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID", "targetProject": "PROJECT_ID"}What's next
- Learn more aboutIAM database authentication.
- Learn how toconfigure read replica logins for IAM database authentication.
- Learn how tocreate users and service accounts that use Cloud SQL IAM database authentication.
- Learn how tolog in to a Cloud SQL database using IAM database authentication.
- Learn how tomanage users and service accounts for IAM database authentication.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-16 UTC.