Create and manage users

MySQL  |  PostgreSQL  |  SQL Server

This page describes how to enable and use Cloud SQL built-in authentication.

For additional information about users you create using Cloud SQL, seeOther SQL Server users.

Before creating users

  1. Create a Cloud SQL instance. For more information, seeCreate instances.
  2. If you plan to use your database's administrative client to manage users,configure the default user on the instance by setting the password.SeeSet the password for the default user account.

Set the password for the default user account

When you create a new Cloud SQL instance, you must set a password for thedefault user account before you can connect to the instance.

For Cloud SQL for SQL Server, the default user issqlserver.

Console

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open theOverview page of an instance, click the instance name.
  3. SelectUsers from the SQL navigation menu.
  4. Find thesqlserver user and selectChange password from the more actions menuMore actions icon..
  5. Provide a strong password that you can remember and clickOK.

gcloud

Use thegcloud sql users set-password command as follows to set the password for the default user.

ReplaceINSTANCE_NAME with the name of the instance before running the command.

gcloudsqlusersset-passwordsqlserver\--instance=INSTANCE_NAME\--prompt-for-password

REST v1

To update the password for the default user account, use a PUT request with the users:update method.

Before using any of the request data, make the following replacements:

  • project-id: Your project ID
  • instance-id: The desired instance ID
  • user-id: The ID of the user
  • password: The password for the user

HTTP method and URL:

PUT https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=user-id

Request JSON body:

{  "name": "user-id",  "password": "password"}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

curl -X PUT \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=user-id"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PUT `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=user-id" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",  "status": "DONE",  "user": "user@example.com",  "insertTime": "2020-02-07T22:38:41.217Z",  "startTime": "2020-02-07T22:38:41.217Z",  "endTime": "2020-02-07T22:38:44.801Z",  "operationType": "UPDATE_USER",  "name": "operation-id",  "targetId": "instance-id",  "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",  "targetProject": "project-id"}

REST v1beta4

To update the password for the default user account, use a PUT request with theusers:update method.

Before using any of the request data, make the following replacements:

  • project-id: Your project ID
  • instance-id: The desired instance ID
  • user-id: The ID of the user
  • password: The password for the user

HTTP method and URL:

PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=user-id

Request JSON body:

{  "name": "user-id",  "password": "password"}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

curl -X PUT \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=user-id"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PUT `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=user-id" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",  "status": "DONE",  "user": "user@example.com",  "insertTime": "2020-02-07T22:38:41.217Z",  "startTime": "2020-02-07T22:38:41.217Z",  "endTime": "2020-02-07T22:38:44.801Z",  "operationType": "UPDATE_USER",  "name": "operation-id",  "targetId": "instance-id",  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",  "targetProject": "project-id"}

Create a user

Aftersetting up the default user account, you can create other users.

Console

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open theOverview page of an instance, click the instance name.
  3. SelectUsers from the SQL navigation menu.
  4. ClickAdd user account.
  5. In theAdd a user account to instanceinstance_name page, add the following information:
    • AUsername.
    • APassword (optional).
  6. ClickAdd.

gcloud

To create a user, use thegcloud sql users create command.

Replace the following:

  • USER_NAME: The user name.
  • INSTANCE_NAME: The name of the instance.
  • PASSWORD: The password for the user.
gcloudsqluserscreateUSER_NAME\--instance=INSTANCE_NAME\--password=PASSWORD

User name length limits are the same for Cloud SQL as foron-premises SQL Server.

Terraform

To create a user, use aTerraform resource.

resource "random_password" "pwd" {  length  = 16  special = false}resource "google_sql_user" "user" {  name     = "user"  instance = google_sql_database_instance.instance.name  password = random_password.pwd.result}

Apply the changes

To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.

Prepare Cloud Shell

  1. LaunchCloud Shell.

  2. Set the default Google Cloud project where you want to apply your Terraform configurations.

    You only need to run this command once per project, and you can run it in any directory.

    export GOOGLE_CLOUD_PROJECT=PROJECT_ID

    Environment variables are overridden if you set explicit values in the Terraform configuration file.

Prepare the directory

Each Terraform configuration file must have its own directory (alsocalled aroot module).

  1. InCloud Shell, create a directory and a new file within that directory. The filename must have the.tf extension—for examplemain.tf. In this tutorial, the file is referred to asmain.tf.
    mkdirDIRECTORY && cdDIRECTORY && touch main.tf

  2. If you are following a tutorial, you can copy the sample code in each section or step.

    Copy the sample code into the newly createdmain.tf.

    Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.

  3. Review and modify the sample parameters to apply to your environment.
  4. Save your changes.
  5. Initialize Terraform. You only need to do this once per directory.
    terraform init

    Optionally, to use the latest Google provider version, include the-upgrade option:

    terraform init -upgrade

Apply the changes

  1. Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
    terraform plan

    Make corrections to the configuration as necessary.

  2. Apply the Terraform configuration by running the following command and enteringyes at the prompt:
    terraform apply

    Wait until Terraform displays the "Apply complete!" message.

  3. Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.
Note: Terraform samples typically assume that the required APIs are enabled in your Google Cloud project.

Delete the changes

To delete your changes, do the following:

  1. To disable deletion protection, in your Terraform configuration file set thedeletion_protection argument tofalse.
    deletion_protection =  "false"
  2. Apply the updated Terraform configuration by running the following command and enteringyes at the prompt:
    terraform apply

  1. Remove resources previously applied with your Terraform configuration by running the following command and enteringyes at the prompt:

    terraform destroy

REST v1

To create a user, use a POST request with theusers:insert method.

Before using any of the request data, make the following replacements:

  • project-id: Your project ID
  • instance-id: The desired instance ID
  • user-id: The ID of the user
  • password: The password for the user

HTTP method and URL:

POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users

Request JSON body:

{  "name": "user-id",  "password": "password"}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",  "status": "DONE",  "user": "user@example.com",  "insertTime": "2020-02-07T22:44:16.656Z",  "startTime": "2020-02-07T22:44:16.686Z",  "endTime": "2020-02-07T22:44:20.437Z",  "operationType": "CREATE_USER",  "name": "operation-id",  "targetId": "instance-id",  "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",  "targetProject": "project-id"}

User name length limits are the same for Cloud SQL as foron-premises SQL Server.

REST v1beta4

To create a user, use a POST request with theusers:insert method.

Before using any of the request data, make the following replacements:

  • project-id: Your project ID
  • instance-id: The desired instance ID
  • user-id: The ID of the user
  • password: The password for the user

HTTP method and URL:

POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users

Request JSON body:

{  "name": "user-id",  "password": "password"}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",  "status": "DONE",  "user": "user@example.com",  "insertTime": "2020-02-07T22:44:16.656Z",  "startTime": "2020-02-07T22:44:16.686Z",  "endTime": "2020-02-07T22:44:20.437Z",  "operationType": "CREATE_USER",  "name": "operation-id",  "targetId": "instance-id",  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",  "targetProject": "project-id"}

User name length limits are the same for Cloud SQL as foron-premises SQL Server.

List users

Console

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open theOverview page of an instance, click the instance name.
  3. SelectUsers from the SQL navigation menu.

gcloud

Use thegcloud sql users list command to list the users for this instance:

gcloudsqluserslist\--instance=INSTANCE_NAME

REST v1

To list the users defined for an instance, use a GET request with theusers:list method.

Before using any of the request data, make the following replacements:

  • project-id: Your project ID
  • instance-id: The desired instance ID

HTTP method and URL:

GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "sql#usersList",  "items": [    {      "kind": "sql#user",      "etag": "--redacted--",      "name": "sqlserver",      "host": "",      "instance": "instance-id",      "project": "project-id",      "sqlserverUserDetails": {        "serverRoles": [          "CustomerDbRootRole"        ]      }    },    {      "kind": "sql#user",      "etag": "--redacted--",      "name": "user-id-1",      "host": "",      "instance": "instance-id",      "project": "project-id",      "sqlserverUserDetails": {        "serverRoles": [          "CustomerDbRootRole"        ]      }    },    {      "kind": "sql#user",      "etag": "--redacted--",      "name": "user-id-2",      "host": "",      "instance": "instance-id",      "project": "project-id",      "sqlserverUserDetails": {        "serverRoles": [          "CustomerDbRootRole"        ]      }    },    {      ...    },    {      ...    }  ]}

Note: Theusers.list API supports only response payloads thatinclude up to 4 MB of text or roughly 12,000 users.

If your database hasa large number of users that exceeds these limits, then a request to list usersmight result in an error. If this occurs, then to get the list of users, werecommend that you run the request directly from the database.

REST v1beta4

To list the users defined for an instance, use a GET request with theusers:list method.

Before using any of the request data, make the following replacements:

  • project-id: Your project ID
  • instance-id: The desired instance ID

HTTP method and URL:

GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "sql#usersList",  "items": [    {      "kind": "sql#user",      "etag": "--redacted--",      "name": "sqlserver",      "host": "",      "instance": "instance-id",      "project": "project-id",      "sqlserverUserDetails": {        "serverRoles": [          "CustomerDbRootRole"        ]      }    },    {      "kind": "sql#user",      "etag": "--redacted--",      "name": "user-id-1",      "host": "",      "instance": "instance-id",      "project": "project-id",      "sqlserverUserDetails": {        "serverRoles": [          "CustomerDbRootRole"        ]      }    },    {      "kind": "sql#user",      "etag": "--redacted--",      "name": "user-id-2",      "host": "",      "instance": "instance-id",      "project": "project-id",      "sqlserverUserDetails": {        "serverRoles": [          "CustomerDbRootRole"        ]      }    },    {      ...    },    {      ...    }  ]}

Note: Theusers.list API supports only response payloads thatinclude up to 4 MB of text or roughly 12,000 users.

If your database hasa large number of users that exceeds these limits, then a request to list usersmight result in an error. If this occurs, then to get the list of users, werecommend that you run the request directly from the database.

Note: You can't use the Google Cloud console orgcloud to display system users.

Change a user password

User passwords can be changed in one of the following ways.

Console

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open theOverview page of an instance, click the instance name.
  3. SelectUsers from the SQL navigation menu.
  4. Click more actionsMore actions icon. for the user you want to update.
  5. SelectChange password.
  6. Specify a new password.
  7. ClickOK.

gcloud

Use thegcloud sql users set-password command to change a password.

Replace the following:

  • USER_NAME: The user name.
  • INSTANCE_NAME: The name of the instance.
gcloudsqlusersset-passwordUSER_NAME\--instance=INSTANCE_NAME\--prompt-for-password

REST v1

To change a user password, use a PUT request with theusers:update method.

The following request updates the password for the user accountuser_name.

Before using any of the request data, make the following replacements:

  • project-id: Your project ID
  • instance-id: The desired instance ID
  • user-id: The ID of the user
  • password: The new password for the user

HTTP method and URL:

PUT https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=user-id

Request JSON body:

{  "name": "user-id",  "password": "password"}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

curl -X PUT \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=user-id"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PUT `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=user-id" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",  "status": "DONE",  "user": "user@example.com",  "insertTime": "2020-02-07T22:38:41.217Z",  "startTime": "2020-02-07T22:38:41.217Z",  "endTime": "2020-02-07T22:38:44.801Z",  "operationType": "UPDATE_USER",  "name": "operation-id",  "targetId": "instance-id",  "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",  "targetProject": "project-id"}

REST v1beta4

To change a user password, use a PUT request with theusers:update method.

The following request updates the password for the user accountuser_name.

Before using any of the request data, make the following replacements:

  • project-id: Your project ID
  • instance-id: The desired instance ID
  • user-id: The ID of the user
  • password: The new password for the user

HTTP method and URL:

PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=user-id

Request JSON body:

{  "name": "user-id",  "password": "password"}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

curl -X PUT \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=user-id"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PUT `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=user-id" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",  "status": "DONE",  "user": "user@example.com",  "insertTime": "2020-02-07T22:38:41.217Z",  "startTime": "2020-02-07T22:38:41.217Z",  "endTime": "2020-02-07T22:38:44.801Z",  "operationType": "UPDATE_USER",  "name": "operation-id",  "targetId": "instance-id",  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",  "targetProject": "project-id"}

Remove a user

The default user can remove users.

Before removing a user, you must drop all the objects it owns or reassign theirownership, and revoke any privileges the role has been granted on other objects.

Console

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open theOverview page of an instance, click the instance name.
  3. SelectUsers from the SQL navigation menu.
  4. Click more actionsMore actions icon. for the user you want to remove.
  5. SelectRemove and then selectRemove again.

gcloud

Use thegcloud sql users delete command to remove a user.

Replace the following:

  • USER_NAME: The user name.
  • INSTANCE_NAME: The name of the instance.
gcloudsqlusersdeleteUSER_NAME\--instance=INSTANCE_NAME

REST v1

The request below uses theusers:delete method to delete the specified user account.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: Your project ID
  • INSTANCE_ID: The desired instance ID
  • USERNAME: The email address for the user or service account

HTTP method and URL:

DELETE https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Execute the following command:

curl -X DELETE \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method DELETE `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",  "status": "DONE",  "user": "user@example.com",  "insertTime": "2020-02-07T22:38:41.217Z",  "startTime": "2020-02-07T22:38:41.217Z",  "endTime": "2020-02-07T22:38:44.801Z",  "operationType": "DELETE_USER",  "name": "OPERATION_ID",  "targetId": "INSTANCE_ID",  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",  "targetProject": "PROJECT_ID"}

REST v1beta4

The request below uses theusers:delete method to delete the specified user account.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: Your project ID
  • INSTANCE_ID: The desired instance ID
  • USERNAME: The email address for the user or service account

HTTP method and URL:

DELETE https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Execute the following command:

curl -X DELETE \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method DELETE `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",  "status": "DONE",  "user": "user@example.com",  "insertTime": "2020-02-07T22:38:41.217Z",  "startTime": "2020-02-07T22:38:41.217Z",  "endTime": "2020-02-07T22:38:44.801Z",  "operationType": "DELETE_USER",  "name": "OPERATION_ID",  "targetId": "INSTANCE_ID",  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",  "targetProject": "PROJECT_ID"}

Update user properties

For information related to database-level roles in SQL Server, seeWorking with Database-Level Rolesin the SQL Server documentation.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-18 UTC.