Files
wehub-resource-sync bb5c75ce05
Component Security Validation / Security Audit (push) Has been cancelled
Deploy to Cloudflare Pages / deploy (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:38:58 +08:00

2.9 KiB

Cloud SQL IAM & Security

Cloud SQL uses Identity and Access Management (IAM) to control access to instances and databases.

Predefined IAM Roles

Predefined Role Usage
roles/cloudsql.admin Full control over all Cloud SQL resources.
roles/cloudsql.editor Manage Cloud SQL resources. Cannot see or modify

permissions, nor modify users or ssl Certs. Cannot import data or restore from a backup, nor clone, delete, or promote instances. Cannot start or stop replicas. Cannot delete databases, replicas, or backups. | | roles/cloudsql.viewer | Read-only access to Cloud SQL resources. | | roles/cloudsql.client | Connectivity access to Cloud SQL instances from App Engine and the Cloud SQL Auth Proxy. Not required for accessing an instance using IP addresses. | | roles/cloudsql.instanceUser | Permission to log in to a Cloud SQL instance. | | roles/cloudsql.schemaViewer | Role allowing access to a Cloud SQL instance schema in Knowledge Catalog. | | roles/cloudsql.studioUser | Role allowing access to Cloud SQL Studio. |

Secure Connectivity

  • Cloud SQL Auth Proxy: The recommended way to connect securely. It provides IAM-based authentication and end-to-end encryption without requiring SSL/TLS certificates or authorized networks.

  • Private IP: Use VPC, private services access, or Private Service Connect (PSC) to keep database traffic within the Google Cloud network.

  • Authorized Networks: If using Public IP, restrict access to specific CIDR ranges.

Data Security

  • Encryption at Rest: All data is encrypted by default. Use Customer-Managed Encryption Keys (CMEK) for additional control.

  • IAM Database Authentication: Authenticate to the database using IAM users or service accounts instead of static passwords (available for MySQL and PostgreSQL).

Organization Policies

  • Cloud SQL organization policies: Organization policies let organization administrators set restrictions on how users can configure instances under that organization.

Service Accounts

  • Service Identity: Cloud SQL uses an instance service account (p[PROJECT_NUMBER]-[UNIQUE_ID]@gcp-sa-cloud-sql.iam.gserviceaccount.com) for tasks like exporting a SQL dump file to Cloud Storage. Service agent accounts (service-PROJECT_NUMBER@gcp-sa-cloud-sql.iam.gserviceaccount.com) are used only for internal management tasks.

  • App Connectivity: Grant the service account running your app (e.g., on Cloud Run or GKE) the roles/cloudsql.client role.

For more information, see: