Cloud SQL Language Connectors overview

MySQL  |  PostgreSQL  |  SQL Server

This page summarizes the Cloud SQL Language Connectors and how to use themwith your instances.

Cloud SQL Language Connectors are libraries that provide encryption andIAM authorization when connecting to a Cloud SQL instance.Cloud SQL Language Connectors create authorized connections to theproxy-side server on behalf of a user's application and pass that connection tothe application's database driver. They don't provide a network path to aCloud SQL instance if one is not already present.

Cloud SQL Language Connectors use a client-side component to connect to a proxy serveron the Cloud SQL instance. The connector creates a temporary certificatethat authorizes the holder to connect to the server-side proxy. The server-sideproxy limits access to the Cloud SQL database by requiring a valid TLScertificate in order to connect.

Cloud SQL supports the following Cloud SQL Language Connectors:

Cloud SQL recommends using Cloud SQL Language Connectors to connect to yourCloud SQL instance. You can also connect to a Cloud SQLinstanceusing a database client or theCloud SQL Auth Proxy. For more information aboutconnecting to a Cloud SQL instance, seeAbout connection options.

Requirements

If your Cloud SQL instance usesshared certificate authority (CA)as itsserverCaMode, then on the client side,make sure that the Cloud SQL Language Connectors you're using meetthe following version requirements:

Note:Cloud SQL Python connectorsupports instances that use the shared CA configuration, but the connector doesn'tverify server identity.

If your Cloud SQL instance usescustomer-managed CAas itsserverCaMode, then on the client side,make sure that the Cloud SQL Language Connectors you're using meetthe following version requirements:

When an instance uses customer-managed CA as its server CA mode, you can configurethe instance with acustom DNS name.You provide the custom DNS name in thecustom subject alternative name (SAN) field of the server certificate.

After you set up a custom DNS name for the instance, you can connect to theinstance from Cloud SQL Language Connectors using the DNS name.

Benefits of Cloud SQL Language Connectors

Cloud SQL Language Connectors provide the followingbenefits with connecting to a Cloud SQL instance:

  • IAM authorization: Uses identity and access management (IAM) permissions to control who or what can connect to your Cloud SQL instances.
  • Convenience: Removes the requirement to manage SSL certificates, configure firewall rules, or enable authorized networks.

Limitations

You can't use the Cloud SQL Language Connectors if you're usingcontext-aware access andIAM database authentication. When you try to login to the instance,IAM authentication fails.

Enforce the use of Cloud SQL Language Connectors

By usingconnector enforcement, you can enforce using only the Cloud SQL Auth Proxy or Cloud SQL Language Connectors to connect to Cloud SQL instances. With connector enforcement, Cloud SQL rejects direct connections to the database.

If you're using aPrivate Service Connect-enabled instance, then there's a limitation. If the instance has connector enforcement enabled, then you can't create read replicas for the instance. Similarly, if the instance has read replicas, then you can't enable connector enforcement for the instance.

For more information about how to enforce using only the Cloud SQL Auth Proxy or Cloud SQL Language Connectors to connect to an instance, seeConnect using Cloud SQL Language Connectors.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-14 UTC.