Prevent deletion of an instance
This page describes how to protect Cloud SQL instances from accidental deletion.
Overview
Instance deletion protection enables you to prevent the accidental removal of existing and new instances. Using instance deletion protection, you can safeguard instances that are important to your applications and services.
You can set the deletion protection option when you create an instance. Additionally, you can set this option on an existing instance. In both cases, deletion is prevented at the instance level. By default, the deletion protection option is disabled unless you use the Google Cloud console or Terraform to create an instance.
When you clone an instance, the new instance receives the deletion protection option (enabled or disabled) from the source instance.
Planning for deletion protection
If you are planning to create an instance, decide whether you want to protect the new instance from accidental deletion. For example, a critical instance should be protected in this way.
Also consider whether there are existing instances you want to protect from accidental deletion. If you have multiple instances to protect, set the option on each instance.
Considering deletion protection for read replicas
When you create a read replica, that read replica doesn't get a deletion protection setting from the primary instance; this setting remains independent. However, you can enable deletion protection on a new or existing read replica.
For Cloud SQL read replicas, the deletion protection option works the same way as it does for Cloud SQL instances.
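Because the option is set per instance and a read replica does not inherit it from its primary, an inventory check is the practical way to find gaps. The following is an added example, not code from this page or from Google: it reads the JSON array produced by `gcloud sql instances list --format=json`, flags instances whose `settings.deletionProtectionEnabled` is not true, and builds the `gcloud sql instances patch` command for each. The instance names, the project ID and the helper function names are constructed for illustration.

```python
import json
import shlex
import sys

# Constructed sample in the shape of `gcloud sql instances list --format=json`
# output (a JSON array of Cloud SQL Admin API instance resources).
SAMPLE = json.loads("""
[
  {"name": "orders-primary", "instanceType": "CLOUD_SQL_INSTANCE",
   "settings": {"deletionProtectionEnabled": true}},
  {"name": "orders-replica", "instanceType": "READ_REPLICA_INSTANCE",
   "masterInstanceName": "example-project:orders-primary",
   "settings": {"deletionProtectionEnabled": false}},
  {"name": "batch-scratch", "instanceType": "CLOUD_SQL_INSTANCE",
   "settings": {}}
]
""")


def unprotected(instances):
    """Return (name, reason) for every instance without deletion protection."""
    protected = {i["name"] for i in instances
                 if i.get("settings", {}).get("deletionProtectionEnabled") is True}
    findings = []
    for inst in instances:
        if inst["name"] in protected:
            continue
        reason = "deletion protection disabled or unset"
        # masterInstanceName has the form "project:instance".
        primary = inst.get("masterInstanceName", "").rpartition(":")[2]
        if inst.get("instanceType") == "READ_REPLICA_INSTANCE" and primary in protected:
            reason = f"replica of protected primary {primary}; setting is not inherited"
        findings.append((inst["name"], reason))
    return findings


def remediation(findings):
    """Build the gcloud patch command for each finding."""
    return [f"gcloud sql instances patch {shlex.quote(name)} --deletion-protection"
            for name, _ in findings]


if __name__ == "__main__":
    # Pipe real `gcloud sql instances list --format=json` output on stdin,
    # or run with no input to use the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    found = unprotected(data)
    for (name, reason), cmd in zip(found, remediation(found)):
        print(f"{name}: {reason}\n  fix: {cmd}")
    sys.exit(1 if found else 0)
```

The script exits non-zero when any instance is unprotected, so it can gate a scheduled job or CI step.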
Confirming the necessary permissions or roles
To set the deletion protection option, the Cloud SQL instance's service account must have certain permissions or IAM roles.
Permissions or roles for creating an instance
As in the case of related operations, the deletion protection option requires the cloudsql.instances.create permission or the cloudsql.admin role. Thus, when you create an instance, no extra permissions are needed to enable deletion protection.
Permissions or roles for editing an instance
As in the case of related operations, deletion protection changes require the cloudsql.instances.update permission or the cloudsql.editor role. Thus, when you edit an instance for deletion protection, no extra permissions are needed.
Planning for instance deletion
If you are planning to delete an instance, first do the following:
- Confirm that it is safe to delete the instance
- Confirm that deletion protection is disabled; if necessary, edit the instance to disable deletion protection
Limitations of deletion protection
Deletion protection on an instance does not prevent:
- Stopping the instance
- Restarting the instance
- Editing the instance
- Deleting a backup
- Suspending the instance due to billing issues
- Deleting the suspended instance due to billing issues
- Deleting the instance due to a project deletion
Setting deletion protection on a new instance
The following are the ways to set the deletion protection option. By default, the deletion protection option is disabled unless you use the Google Cloud console or Terraform to create an instance.
If deletion protection is enabled, an attempt to delete the instance fails.
Console
- Follow the steps to begin creating an Instance.
- Under Customize your instance, click the Show configuration options drop down arrow.
- Under Data protection, confirm that the Enable deletion protection checkbox is checked.
- As needed for your instance, select other configuration options.
- Click Create Instance.
gcloud
To set deletion protection during instance creation, use a command similar to the following:
gcloud sql instances create [INSTANCE_NAME] \
--deletion-protection
REST v1
To set deletion protection during instance creation, specify true in the deletionProtection field.
Before using any of the request data, make the following replacements:
- project-id: Your project ID
- instance-id: Desired instance ID
- database-version: The database version
- region: desired region
- machine-type: desired machine type
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/project-id/instances
Request JSON body:
{
  "name": "instance-id",
  "region": "region",
  "databaseVersion": "database-version",
  "settings": {
    "tier": "machine-type",
    "deletionProtectionEnabled": true
  }
}
To send your request, use one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2022-05-24T15:34:10.929Z",
  "operationType": "CREATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}
REST v1beta4
To set deletion protection during instance creation, specify true in the deletionProtection field.
Before using any of the request data, make the following replacements:
- project-id: Your project ID
- instance-id: Desired instance ID
- database-version: The database version
- region: desired region
- machine-type: desired machine type
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1beta4/projects/project-id/instances
Request JSON body:
{
  "name": "instance-id",
  "region": "region",
  "databaseVersion": "database-version",
  "settings": {
    "tier": "machine-type",
    "deletionProtectionEnabled": true
  }
}
To send your request, use one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1beta4/projects/project-id/instances"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1beta4/projects/project-id/instances" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2022-05-26T15:37:10.929Z",
  "operationType": "CREATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}
Setting or removing deletion protection on an existing instance
The following are the ways to edit an instance for deletion protection. If you enable the option, a subsequent attempt to delete the instance fails.
Console
- Follow the steps to begin editing an Instance.
- After you click Edit, find the Customize your instance section.
- Under Data protection, check or uncheck the Enable deletion protection checkbox.
- As needed for your instance, edit other configuration options.
- Click Save.
gcloud
To enable deletion protection when you update an instance, use a command similar to the following:
gcloud sql instances patch [INSTANCE_NAME] \
--deletion-protection
To disable deletion protection when you update an instance, use a command similar to the following:
gcloud sql instances patch [INSTANCE_NAME] \
--no-deletion-protection
REST v1
To set deletion protection when you update an instance, specify true in the deletionProtection field. To remove deletion protection, specify false in that field.
Before using any of the request data, make the following replacements:
- project-id: Your project ID
- instance-id: Desired instance ID
HTTP method and URL:
PATCH https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id
Request JSON body:
{
  "settings": {
    "deletionProtectionEnabled": true
  }
}
To send your request, use one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2022-06-1T03:42:12.281Z",
  "operationType": "CREATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}
REST v1beta4
To set deletion protection when you update an instance, specify true in the deletionProtection field. To remove deletion protection, specify false in that field.
Before using any of the request data, make the following replacements:
- project-id: Your project ID
- instance-id: Desired instance ID
HTTP method and URL:
PATCH https://sqladmin.googleapis.com/v1beta4/projects/project-id/instances/instance-id
Request JSON body:
{
  "settings": {
    "deletionProtectionEnabled": true
  }
}
To send your request, use one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1beta4/projects/project-id/instances/instance-id"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1beta4/projects/project-id/instances/instance-id" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2022-06-1T03:32:12.281Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}
Last updated 2025-12-17 UTC.