Roles and permissions
This page provides information about Identity and Access Management (IAM) rolesand permissions and how they're used with Cloud SQL instances.
Introduction
This page focuses on aspects of IAM that are relevantspecifically to Cloud SQL. For a detailed discussion ofIAM and its features generally, seeIdentity and Access Management. Inparticular, see theManaging IAM Policies section.IAM lets you control who has access to theresources in your Google Cloud project. The set of access rules you apply to aresource is called an IAMpolicy. An IAM policyapplied to your project defines the actions that users can take on all resourceswithin your project.
Members are the "who" of IAM. Members can be individual users,groups, domains, or even the public as a whole. Members are assignedroles,which grant members the ability to perform actions in Cloud SQL aswell as Google Cloud more generally. Each role is a collection of one ormorepermissions. Permissions are the basic units of IAM: eachpermission lets you perform a certain action. SeeIAM roles in Cloud SQLandIAM permissions in Cloud SQLfor complete lists of all the roles and permissions available in Cloud SQL.
When you use an account to connect to a Cloud SQLinstance, the account must have theCloud SQL > Client role (roles/cloudsql.client), whichincludes thepermissionsrequired for connecting.
You can add roles to an account in the Console on theIAM & Admin > IAM page, and see which permissions belong to which roles on theIAM & Admin > Rolespage.
Cloud SQL uses service accounts for authentication between Cloud SQLand other Google Cloud products. Service accounts providecredentials inJSON format, which you download from the Console and use for authenticationin various scenarios.
Cloud SQL roles and permissions with Cloud SQL Auth Proxy
If you are connecting to a Cloud SQL instance from a Compute Engineinstance usingCloud SQL Auth Proxy,you can use the default Compute Engine service account associated with theCompute Engine instance.
As with all accounts connecting to a Cloud SQL instance, the serviceaccount must have theCloud SQL > Client role.
Cloud SQL roles and permissions with serverless options
Google Cloudserverless options includeApp Engine andCloud Run.Use a service account to authorize access from these options. The serviceaccount authorizes access to all Cloud SQL in a specific project. When youcreate an application or a Cloud Run functions, this servicecreates this account for you. You can find the account on theIAM & Admin > IAM page, with the appropriate suffix:
| Serverless option | Service account suffix |
|---|---|
| App Engine | @gae-api-prod.google.com.iam.gserviceaccount.com |
| Cloud Run functions | @appspot.gserviceaccount.com |
| Cloud Run | compute@developer.gserviceaccount.com |
The caller does not have permission Connection matched pg_hba.conf line 20: "local all +cloudsqliamuser cloudsql-iam-user" error message appears when the service account connects to the instance, add theCloud SQL Instance User role to the account.Cloud SQL roles and permissions with Cloud Storage
The import and export features in Cloud SQL work together. Exportswrite to Cloud Storage and imports read from there. For this reason, theservice account you use for these operations needs both read and writepermissions to Cloud Storage:
- To import data to, and export data from, Cloud Storage, the Cloud SQLinstance's service account must have the
storage.objectAdminIAM role set in the project. Youcan find the instance's service account name in the Google Cloud console on yourinstance'sOverview page. - You can use the
gcloudstorage buckets add-iam-policy-bindingcommand to grant thisIAM roleto the service account for the bucket. - For help with setting IAM roles and permissions, seeUsingIAM permissions.
- For more information,seeIAM for Cloud Storage.
Cloud SQL roles and permissions with IAM group authentication
When you use IAM group authentication, you create groups. You can then use thegroups to manage access and database privileges to your Cloud SQL instances.
The following table lists the roles that are required to manage IAM group authentication.
| Action | Roles |
|---|---|
| Create, view, and manage groups. |
|
| View the IAM group membership change log. |
|
| Grant, view, and set IAM permissions at the project level. |
|
| Grant, view, and set IAM permissions at the folder level. |
|
The administrator can grantCloud SQL rolesor give individualCloud SQL permissionsto each group. The members of each group inherit roles and permissions.
Cloud SQL roles and permissions for Dataplex Universal Catalog integration
To provide access to Cloud SQL metadata on Dataplex Universal Catalog, youcan grant a user theroles/cloudsql.schemaViewer role or add thecloudsql.schemas.view permission to a custom role.
For more information, seeManage Cloud SQL resources with Dataplex Universal Catalog.
Permission to access private Cloud SQL instances
When another Google Cloud service, such as BigQuery, needs tocommunicate with your Cloud SQL instance to access data and make queries against thisdata over a private connection, the service uses aninternal path instead of the private IPaddresses inside of the Virtual Private Cloud (VPC). Traffic can't be controlled orrestricted with any VPC-level configurations, firewall rules, route policies, orcutting of the peering.
Instead, Cloud SQL offers a configuration flag on your instance to controlwhether to turn this internal path on or off for other Google Cloud services accessingyour database.
Control and revoke the permission
When another Google Cloud service, such as BigQuery, tries toaccess your private Cloud SQL instance, it must provide a legitimate identitywith thecloudsql.instances.connect IAM permission.
Typically, there are two ways that a service can achieve this:
- Forwarding the user's credentials. A service can forward the user's IAM identity to Cloud SQL to evaluate the permission to access an instance. In this scenario, the user must have sufficient IAM permissions so that Cloud SQL can make a successful connection.
Using a service account. A service, such as BigQuery, can use a pre-configured service account to connect to a Cloud SQL instance. In this case, the service account must have sufficient IAM permissions.
For example, for the federated connection between BigQuery and Cloud SQL, a service account named
service-{PROJECT_NUMBER}@gcp-sa-bigqueryconnection.iam.gserviceaccount.comis created when the BigQuery connection API is activated. This service account has two Cloud SQL permissions:cloudsql.instances.connectandcloudsql.instances.get. BigQuery uses these permissions to access a private Cloud SQL instance through aninternal path.
To control the permission for who can use this internal path, you can grant andrevoke the IAM permissions to and from the user's IAM identity that theGoogle Cloud service, such as BigQuery, uses to connect to yourCloud SQL instance. For more information about granting and revoking permissionswithin BigQuery, seeSetting up access to Cloud SQL.
Cloud SQL roles and permissions with other scenarios
Cloud SQL interacts with other Google Cloud products and tools.These interactions also require specific roles and permissions which can varybetween scenarios. Cloud SQL documentation provides detailedinformation about these requirements for each case below:
- Connecting toCloud SQL from external applications.
- Using customer-managed encryption keys (CMEK).
- IAM Roles for Administering VPC Service Controls.
- To connect to a Cloud SQL instance from an application running in Google Kubernetes Engine,you will need to create aSecret for aservice account's JSON key file.
Use IAM with projects
The following sections show how to complete basic IAM tasks onprojects.
To complete the following tasks, you must have theresourcemanager.projects.getIamPolicy andresourcemanager.projects.setIamPolicy IAM permissions.
Add a member to a project-level policy
For a list of roles associated with Cloud SQL,seeIAM Roles.
Console
- Go to theIAM & Admin page inthe Google Cloud console
- In the project drop-down menu on the top bar, select the project to whichyou want to add a member.
- ClickAdd. TheAdd members, roles to project dialog appears.
- In theNew members field, specify the name of the entity to which youare granting access.
- In theSelect a role drop down, grant the appropriate role to themember.Roles that affect Cloud SQL resources are found in theProject andCloud SQL submenus.
- ClickSave.
gcloud
To add a project-level IAM policy, usegcloud beta projects add-iam-policy-binding.
View the IAM policy for a project
Console
- Go to theIAM & Admin page inthe Google Cloud console
- In the project drop-down menu on the top bar, select the project whosepolicy you want to view.
- There are two ways to view permissions for the project:
- View byMembers: View theRole column associated with individualmembers to see which roles each member has.
- View byRoles: Use the drop-down associated with individualroles to see which members have the role.
gcloud
To view the IAM policy of a project, usegcloud beta projects get-iam-policy.
Remove a member from a project-level policy
Console
- Go to theIAM & Admin page inthe Google Cloud console
- In the project drop-down menu on the top bar, select the project fromwhich you want to remove a member.
- Make sure you are viewing permissions byMembers, and select themembers you want to remove.
- ClickRemove.
- In the overlay window that appears, clickConfirm.
gcloud
To remove a project-level IAM policy, usegcloud beta projects remove-iam-policy-binding.
Best practices
IAM, like any other administrative settings, requires activemanagement to be effective. Before you make a resource accessible toother users, be sure you know what roles you want each of those people to play.Over time, changes in project management, usage patterns, and organizationalownership may require you to modify IAM settings on projects,especially if you manage Cloud SQL in a large organization or for alarge group of users. As you evaluate and plan your access control settings,keep the following best practices in mind:
Use the principle of least privilege when granting access.Theprinciple of least privilege is a security guidelinefor granting access to your resources. When you grant access based on theprinciple of least privilege, you give a user only the access they need toaccomplish their assigned task.
Avoid granting roles with
setIamPolicypermission to people you do not know.GrantingsetIamPolicypermission allows a user to change permissionsand take control of data. You should use roles withsetIamPolicypermission only when you want to delegate administrative control overobjects and buckets.Be sure you delegate administrative control of your resources.You should be sure that your resources can still be managed byother team members should an individual with administrative access leave thegroup. Two common ways to achieve this are the following:
- Assign theCloud SQL Admin role for your project to a groupinstead of an individual.
- Assign theCloud SQL Admin role for your project to at least twoindividuals.
What's next
- Learn more aboutControlling access
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.