Cloud SQL for PostgreSQL error messages

MySQL  |  PostgreSQL  |  SQL Server

This page discusses some of the error messages encountered in Cloud SQL.

Overview

Error messages in Cloud SQL come from many sources and appear in manyplaces. Some error messages come from the database engines themselves, some fromthe Cloud SQL service, some from client applications, and some arereturned by calls to the Cloud SQL Admin API.

This page includes some of the most common errors seen inCloud SQL. If you do not find the error code or message you are lookingfor here, you can look for source reference material here:

If you don't find the reference material for the error message that you're seeing,you can also search in some of these places where other users may have relevantexperience:

Operational errors

A |B |C |D |E |F |G |I |L |M |N |O |P |Q |R |S |T |U |W

Error messageTroubleshooting
Allocated IP range not found in network.VPC peerings were not updated after an allocated range was modified or removed.

You need to modify the private connection. Use the following command, and make sure to use the--force argument:

gcloudservicesvpc-peeringsupdate\--network=VPC_NETWORK\--ranges=ALLOCATED_RANGES\--service=servicenetworking.googleapis.com\--force
Error messageTroubleshooting
Bad request.This message can have many causes.Illegal Argument is one of the most common. In this case, the request is using either the wrong argument or an invalid value for the argument. For the many other causes, the error message might contain a useful hint.

ForIllegal Argument, check the request to make sure each argument is permissible and each value for the argument is valid. For all other causes,check the log files to see if there is more information there.

Error messageTroubleshooting
Cannot modify allocated ranges in CreateConnection. Please use UpdateConnection.VPC peerings were not updated after an allocated range was modified or removed.

You need tomodify the private connection.Use the following command, and make sure to use the--force argument:

gcloudservicesvpc-peeringsupdate\--network=VPC_NETWORK\--ranges=ALLOCATED_RANGES\--service=servicenetworking.googleapis.com\--force
Connection reset by peer.

If you're trying to perform an export and Cloud Storage doesn't receive any data within a certain time frame, then the connection resets.

Try a manual export usingpg_dump.

Constraints/sql.restrictAuthorizedNetworks.The cloning operation is blocked by theAuthorized Networks configuration.Authorized Networks are configured for public IP addresses in the Connectivity section of the Google Cloud console, and cloning isn't permitted due tosecurity considerations.

Remove allAuthorized Networks entries from the Cloud SQLinstance if you can. Otherwise,create a replicawithout anyAuthorized Networks entries.

Error messageTroubleshooting
Databaseuser does not exist.gcloud sql connect --user only works with the defaultpostgres user.

Connect with the default user and then change users.

Disk is full.The primary instance disk size can become full during replica creation.

Edit the primary instance to upgrade it to a larger disk size.

Error messageTroubleshooting
Failed to create subnetwork.No more available addresses in the IP range.

Couldn't find free blocks in allocated IP ranges. Please allocate new ranges for this service provider.

There are no more available addresses in the allocated IP range.

Consider these possible scenarios:

  • The size of the allocated IP range for the private service connection is smaller than /24.
  • The size of the allocated IP range for the private service connection is too small for the number of Cloud SQL instances.
  • The requirement on the size of allocated IP range will be larger if instances are created in multiple regions. Seeallocated range size

For each of the above scenarios, you can elect to either expand the existing orallocate an additional IP range to the private service connection.

If you're allocating a new range, take care to not create an allocation that overlaps with any existing allocations.

After creating a new IP range, update the VPC peering with the following command:

gcloudservicesvpc-peeringsupdate\--service=servicenetworking.googleapis.com--ranges=OLD_RESERVED_RANGE_NAME,NEW_RESERVED_RANGE_NAME\--network=VPC_NETWORK--project=PROJECT_ID\--force

If you're expanding an existing allocation, take care to only increase the allocation range and not decrease it. For example, if the original allocation was 10.0.10.0/24, make the new allocation at least 10.0.10.0/23.

In general, if starting from a /24 allocation, decrementing the /mask by 1 for each condition (additional instance type group, additional region) is a good rule of thumb. For example, if trying to create both instance type groups on the same allocation, going from /24 to /23 is enough.

After expanding an existing IP range, update the vpc peering with following command:

gcloudservicesvpc-peeringsupdate\--service=servicenetworking.googleapis.com--ranges=RESERVED_RANGE_NAME\--network=VPC_NETWORK\--project=PROJECT_ID\--force
Error messageTroubleshooting
(gcloud.sql.connect) It seems your client does not have ipv6 connectivity and the database instance does not have an ipv4 address.You're trying to connect to your private IP instance using Cloud Shell.

Connecting from Cloud Shell to an instance with only a private IP address isn't currently supported.

Error messageTroubleshooting
Internal error.The project could be missing the Service Networking service accountrequired for this feature.

To repair service permissions, disable theService Networking API,wait five minutes and then re-enable it.

Invalid request: Incorrect Service Networking config for instance.Service Networking API isn't enabled in the project.

Enable theService Networking APIin your project. If you see this error when you're trying to assign a privateIP address to a Cloud SQL instance, and you're using a Shared VPC, youalso need to enable theService Networking API for the host project.

Error messageTroubleshooting
Network association failed.TheService Networking API isn't enabled in the project.

Enable theService Networking APIin your project. If you see this error when you're trying to assign a privateIP address to a Cloud SQL instance, and you're using a Shared VPC, youalso need to enable theService Networking API for the host project.

Error messageTroubleshooting
Operation failed because another operation was already in progress.Most operations in Cloud SQL are synchronous. You can run only one at a time.

Wait for the previous operation to finish before beginning another.

Operation isn't valid for this instance.This error is returned from an API call toinstances.restoreBackup, and it means that you cannot restore from backup to an instance with a storage size(XX GB) smaller than the backup size (YY GB).

Edit the target instance to increase its storage size.

Error messageTroubleshooting
Password authentication failed for user "postgres".When you create a new Cloud SQL for PostgreSQL instance, the default admin userpostgres is created but not the password. You need to set a password for this user before the user can log in.

Error messageTroubleshooting
Quota exceeded.You reached the limit of your per-minute or daily quota. Review thequotas and limits for Cloud SQL.

Request an increase to your quotas from theGoogle Cloud console.

Error messageTroubleshooting
Remaining connection slots are reserved.The maximum allowed connections have been reached.

Increase the value of themax_connections flag.SeeConfiguring database flags.

Request is missing a valid API key.You might not have a valid service account key JSON file, or it might not be stored in the expected location.

Verify that you have a valid service account key JSON file inthe location stored in theGOOGLE_APPLICATION_CREDENTIALSenvironment variable and that the variable points to the correct location.

Error messageTroubleshooting
SSL error: invalid padding.Server certificate error.

Create a new server certificate androtate.

System error occurred.
  • The user might not have all the Cloud Storage permissions it needs.
  • The database table might not exist.

Try these things ...

  • Check that you have at leastWRITER permissions on the bucket andREADER permissions on the export file. For more information on configuring access control in Cloud Storage, seeCreate and Manage Access Control Lists
  • Ensure the table exists. If the table does exist, confirm that you have the correct permissions on the storage bucket.

Error messageTroubleshooting
Table definition changed.During the export process a change occurred in the table.

The dump transaction can fail if you use the following statements during theexport operation:

  • ALTER TABLE
  • CREATE TABLE
  • DROP TABLE
  • RENAME TABLE
  • TRUNCATE TABLE

Remove any of these statements from the dump operation.

Temporary file size exceeds temp_file_limit.Thetemp_file_limit flag is set too low for your database usage.

Increase thetemp_file_limit size.SeeConfiguring database flags.

(Timeout) during export.CSV and SQL formats do export differently. The SQL format includes the entiredatabase and is likely to take longer to complete.

Use the CSV format and run multiple, smaller export jobs to reduce the size andlength of each operation.

Too many connections.Setting themax_connections flag value too high can cause thiserror. This can also be caused by enabling a flag out of sequence.

Lower themax_connections flag value, or contactcustomer support to request a flag removal followed by ahard drain.This forces the instance to restart on a different host with a fresh configuration,without the flag or setting.

Error messageTroubleshooting
Unauthorized to connect.There can be many causes because authorization occurs at many levels:
  • At the database level, the database user must exist and its password match
  • At the project level, the user might not have the correct IAM permissions, including theserviceusage.services.use orcloudsql.instances.connect permissions.
  • At the network level, if the Cloud SQL instance is using public IP the connection's source IP must be in an authorized network.

Try these things ...

  • Ensure the user exists and its password matches.
  • Assign theService Usage Consumer role to the user account. This role includes the permissionserviceusage.services.use.
  • If using public IP, ensure the source IP is in an authorized network.
Error messageTroubleshooting
x509: certificate isn't valid for any names.Known issue: The Cloud SQL Proxy Dialer isn't compatible with Go 1.15 at this time.

Until fixed, see this discussion on GitHub, which includes a workaround.

Unknown errors

The following table shows some known cases where anUnknown Errorcan occur, and lists specific remedies where applicable. However, this is nota complete list. If you don't find your case in the table, check with thepublic issuetracker for Cloud SQL.If you don't find the issue there, considersubmitting a report, or reviewingother support options.

OperationThe issue might be...Things to try...
Add userIf the user already exists in the database, this error can occur when you try to add them.Check to make sure the user doesn't already exist in the database.
BackupIf you see this during automated or manual backups, it's likely the instance disk is full.If the temporary file size is taking up too much space, you can restart the instance to remove the file and free up the disk space. Otherwise, you might need to upgrade your instance to a larger disk size.
CloneThis can occur when there is a shortage of resources in the selected zone.Try another zone in the region, or wait and try again later.
Create instance
  • This can occur when you are trying to re-use the same name as a recently-deleted instance.
  • It can also be caused by intermittent connectivity issues.
  • Thelogs might show that the Service Networking API is not enabled for the project.
  • The error has also been seen when trying to create multiple instances in parallel. For example, Terraform scripts make this attempt possible.
  • Another cause can be that a specific resource is exhausted or a quota limit has been exceeded. Look in the logs for an entry likeQuota 'INTERNAL_FORWARDING_RULES_WITH_TARGET_INSTANCE_PER_NETWORK' exceeded. Limit: 100.0 globally
  • This error can occur if subnet creation fails when there are no more available addresses in the IP range.
  • Instance names cannot be re-used until about a week after deletion.
  • In the case of intermittent connectivity issues, the only remedy is to try again.
  • Enable the Service Networking API for the project.
  • Parallel instance creation scripts will only succeed in creating one of the instances. Modify the script to wait until each instance create operation is complete before continuing to the next one.
  • Allocate new ranges.
Create replicaIt's likely that a more specific error is in the log files.Inspect the logs inCloud Logging to find the actual error.

If the error isset Service Networking service account as servicenetworking.serviceAgent role on consumer project, disable and re-enable theService Networking API. This action creates the service account necessary to continue with the process.

If the error isThe instance creation failed due to a permission error with the CMEK key defined, review thekey settings and location.

ExportIf you see this while trying to export a database to a Cloud Storage bucket, the transfer may be failing due to a bandwidth issue.The Cloud SQL instance may be located in a different region than the Cloud Storage bucket. Reading and writing data from one continent to another involves a lot of network usage, and can cause intermittent issues like this.
Failover (automatic)An automatic failover operation can produce this error message when the service detects that the primary instance is still responsive.There is nothing to be done in this case. The failover won't occur because it isn't needed.
ImportThe import file may contain statements which require the superuser role.Edit the file to remove any statements which require the superuser role.

Cloud SQL also uses some third-party binaries (for example,mysqld), which can generate unknown error messages. Such errors areinternal to the third-party binaries and are outside the scope of Cloud SQL.However, sometimes a more specific error can be found in the Cloud SQL log files at around the sametime.

Also, sometimes it is anerror code that is unknown. In this case,the complete message can beUnknown Error Code.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-14 UTC.