IAM authentication


Google Cloud offers Identity and Access Management (IAM), which lets you give access to specific Google Cloud resources and prevent unwanted access to other resources. This page describes how Cloud SQL is integrated with IAM. For a detailed description of Google Cloud IAM, see IAM documentation.

Cloud SQL provides a set of predefined roles designed to help you control access to your Cloud SQL resources. You can also create your own custom roles, if the predefined roles don't provide the sets of permissions you need. In addition, the legacy basic roles (Editor, Viewer, and Owner) are also still available to you, although they don't provide the same fine-grained control as the Cloud SQL roles. In particular, the basic roles provide access to resources across Google Cloud, rather than just for Cloud SQL. For more information about basic Google Cloud roles, see Basic roles.

You can set an IAM policy at any level in the resource hierarchy: the organization level, the folder level, or the project level. Resources inherit the policies of all of their parent resources.

Cloud SQL for SQL Server supports IAM authentication for instance and backup operations only. IAM authentication isn't supported for database operations. Use the following authentication options for database operations and queries:

IAM references for Cloud SQL

IAM authentication concepts

When using IAM authentication, permission to access a resource (a Cloud SQL instance) isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to principals. For more information, see the IAM overview.

IAM policies involve the following entities:

  • Principals. In Cloud SQL, you can use two types of principals: a user account, and a service account (for applications). For more information, see Concepts related to identity.
  • Roles. A role is a collection of permissions. You can grant roles to principals to provide them with the privileges required to accomplish specific tasks. For more information about IAM roles, see Roles.
  • Resource. The resources that principals access are Cloud SQL instances. By default, IAM policy bindings are applied at the project level, such that principals receive role permissions for all Cloud SQL instances in the project.
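The policy inheritance and project-level binding behavior described above can be audited with a short script. The following is an added example, not code from this page or from Google: it merges the bindings along an organization, folder, project path and reports which principals reach Cloud SQL through a predefined Cloud SQL role or a basic role. The resource names, principals, and the function name `effective_cloudsql_access` are constructed for illustration; custom roles and binding conditions are not evaluated.

```python
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policies in the JSON shape of an IAM policy ("bindings").
# Every resource name and principal below is made up for illustration.
HIERARCHY = [
    ("organizations/111", {"bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
    ]}),
    ("folders/222", {"bindings": [
        {"role": "roles/cloudsql.viewer", "members": ["group:dba@example.com"]},
    ]}),
    ("projects/demo-project", {"bindings": [
        {"role": "roles/cloudsql.client",
         "members": ["serviceAccount:app@demo-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.admin", "members": ["user:bob@example.com"]},
    ]}),
]


def effective_cloudsql_access(hierarchy):
    """Return one finding per principal/role pair that reaches Cloud SQL.

    `hierarchy` lists (resource, policy) pairs from the organization down to
    the project. Resources inherit the policies of their parents, so the
    effective policy on the project is the union of all bindings on the path.
    """
    project = hierarchy[-1][0]
    findings = []
    for resource, policy in hierarchy:
        for binding in policy.get("bindings", []):
            role = binding["role"]
            is_basic = role in BASIC_ROLES
            # Assumption: only predefined Cloud SQL roles and basic roles are
            # recognized; custom roles would need their permissions expanded.
            if not (is_basic or role.startswith("roles/cloudsql.")):
                continue
            for member in binding.get("members", []):
                findings.append({
                    "member": member,
                    "role": role,
                    "granted_at": resource,
                    "inherited": resource != project,  # set above the project
                    "basic_role": is_basic,  # access beyond Cloud SQL
                })
    return findings


if __name__ == "__main__":
    for f in effective_cloudsql_access(HIERARCHY):
        flags = [k for k in ("inherited", "basic_role") if f[k]]
        print(f["member"], f["role"], f["granted_at"], ",".join(flags) or "-")
```

Because bindings apply at the project level by default, each finding covers every Cloud SQL instance in the project, and findings flagged `basic_role` are candidates for replacement with a predefined Cloud SQL role.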


Last updated 2025-12-17 UTC.