About access control
This page discusses the two levels of access control for Cloud SQL
instances. You must configure both levels of access control before you can
manage your instance.
Levels of access control
Configuring access control involves controlling who or
what can access the instance. Access control occurs on two levels:
- Instance-level access: Instance-level access authorizes access to your Cloud SQL instance from an application or client (running on an App Engine standard environment or externally) or from another Trusted Cloud by S3NS service, such as Compute Engine.
- Database access: Database access uses PostgreSQL roles to allow PostgreSQL users to have access to the data in your instance.
Instance-level access
How you configure instance-level access depends on where you are connecting
from:
| Connection source | Access configuration options |
| --- | --- |
| Compute Engine | Cloud SQL Auth Proxy; Authorize static IP address |
| Google Kubernetes Engine | Cloud SQL Auth Proxy Docker image; Private IP; If using Public IP, the Cloud SQL Auth Proxy is required |
| App Engine standard environment | Same project: configure IAM; Between projects: configure IAM |
| App Engine flexible environment | Same project: preconfigured; Between projects: configure IAM |
| Cloud Run | A Cloud SQL instance set up with a public IP; Between projects: also configure IAM |
Database access
After a user or application connects to a database instance, the user or
application must log in with a user or service account.
As part of creating a Cloud SQL instance, you set up the default user
(root) account. You can also create more users to give you finer-grained control
over access to your instance.
For more information,
see PostgreSQL users and
Creating and managing PostgreSQL users.
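
A least-privilege layout for the database-access level described above, as an added example that is not part of the original page. The database name `appdb`, the role names and the passwords are placeholders; the statements are standard PostgreSQL, run while connected to `appdb` as the instance's default user.

```sql
-- Added example: appdb, the role names and the passwords are placeholders.

-- 1. Group roles hold the privileges and cannot log in themselves.
CREATE ROLE app_readonly  NOLOGIN;
CREATE ROLE app_readwrite NOLOGIN;

-- 2. Remove the broad defaults that every role inherits through PUBLIC.
REVOKE ALL    ON DATABASE appdb  FROM PUBLIC;
REVOKE CREATE ON SCHEMA   public FROM PUBLIC;

-- 3. Grant each group only what its workload needs.
GRANT CONNECT ON DATABASE appdb  TO app_readonly, app_readwrite;
GRANT USAGE   ON SCHEMA   public TO app_readonly, app_readwrite;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO app_readonly;
GRANT SELECT, INSERT, UPDATE, DELETE
      ON ALL TABLES IN SCHEMA public TO app_readwrite;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO app_readwrite;

-- 4. Apply the same grants to objects created later by the role
--    running these statements (default privileges are per creator).
ALTER DEFAULT PRIVILEGES IN SCHEMA public
      GRANT SELECT ON TABLES TO app_readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
      GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_readwrite;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
      GRANT USAGE, SELECT ON SEQUENCES TO app_readwrite;

-- 5. One login role per application; each inherits from a single group.
CREATE ROLE reporting_svc LOGIN PASSWORD 'REPLACE_ME_1'
       IN ROLE app_readonly CONNECTION LIMIT 5;
CREATE ROLE orders_svc LOGIN PASSWORD 'REPLACE_ME_2'
       IN ROLE app_readwrite;

-- 6. Review: which roles can log in, and which group each belongs to.
SELECT r.rolname, r.rolcanlogin, g.rolname AS member_of
FROM pg_roles r
LEFT JOIN pg_auth_members m ON m.member = r.oid
LEFT JOIN pg_roles g        ON g.oid = m.roleid
WHERE r.rolname IN ('app_readonly', 'app_readwrite',
                    'reporting_svc', 'orders_svc')
ORDER BY r.rolname;

-- 7. Review: table privileges actually held by the two group roles.
SELECT grantee, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee IN ('app_readonly', 'app_readwrite')
ORDER BY grantee, table_name, privilege_type;
```

Keeping the default user for administration only and giving each application its own login role means a leaked application credential exposes just that group's grants.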
Last updated 2025-08-14 UTC.