Google Cloud SQL

Configuring Instance Access

This page discusses how you can control access to your Google Cloud SQL instances, including how to grant access to applications.

Levels of access control

Configuring access control for an instance is about controlling who or what can access the instance. Access control occurs on two levels. The first level authorizes access from either a Google App Engine application, identified by its application ID, or any application running on a host identified by its IP address. The second level uses the regular MySQL Access Privilege System to control which users have access to what data.

Figure 1 depicts the two levels of access control that a connection passes through to access a database resource.

Figure 1: Application access to an instance. External connectivity can come from a Google App Engine application or from any other external application; every application must be authorized before it can connect to the instance.

Application or host level access

To enable access to an instance from a Google App Engine application or from an application running on a regular host, you must authorize the application ID or the host's IP address, respectively. You can do this by editing the instance and granting access as discussed on this page.

MySQL database access

After a connection to an instance has been negotiated, the user or application is logged in to the MySQL instance using the MySQL authorization system. After you create an instance, you must set the root password if you want to connect to the instance externally from locations other than Google App Engine. For more information, see Creating users.

It is strongly recommended that you set a strong password for root and for every user you create, and that you create additional users to manage finer-grained access to your database. See MySQL Access Privilege System for more information about managing MySQL users.

Configuring instance-level access control

This section shows how to configure access to applications connecting to your instance.

Configuring access control for App Engine applications

You can grant individual Google App Engine applications access to a Google Cloud SQL instance. One application can be granted access to multiple instances, and multiple applications can be granted access to a particular instance. To grant access to a Google App Engine application, you need its application ID, which can be found in the Google App Engine administration console under the Applications column.

Developers Console

To grant access to an App Engine application:

  1. Go to the Google Developers Console and select a project by clicking on the project name.
  2. In the sidebar on the left, click Storage > Cloud SQL to show a list of Cloud SQL instances for the project.
  3. Find the instance to which you want to grant access and click the instance name.
  4. Click Edit.
  5. In the Authorized App Engine Applications box, enter one or more Google App Engine application IDs.
  6. Click Save to apply your changes.

After you have added authorized applications to your Google Cloud SQL instance, you can view a list of these applications in the instance's Dashboard, in the section titled Authorized Applications.

For more information about Google App Engine, see the Google App Engine documentation.

To remove access for an App Engine application:

Follow the steps above and click the x next to each App Engine ID you want to remove.

Cloud SDK

To grant access to an App Engine application:

  1. Install the Cloud SQL command-line tool if you haven't already (see Managing Instances Using the Cloud SDK).
  2. Use the sql instances patch command to modify an existing instance (YOUR_INSTANCE_NAME) and grant access to the App Engine application GAE_APP_NAME:
    $ gcloud sql instances patch YOUR_INSTANCE_NAME --authorized-gae-apps GAE_APP_NAME
    

To remove access for an App Engine application:

  • Use the sql instances patch command to remove access to an existing instance (YOUR_INSTANCE_NAME) for all previously authorized App Engine applications:
    $ gcloud sql instances patch YOUR_INSTANCE_NAME --clear-gae-apps

cURL

To grant access to an App Engine application:

  1. Obtain an OAuth2 access token that you can use in the following commands.

    For example, you can obtain a token by using the gauth command, which is part of the Google Cloud SDK.

  2. List the existing authorized App Engine applications for the instance.

    For more information about the resources of an instance you can access with the API, see instance resource definition.

    curl --header 'Authorization: Bearer accessToken' \
         --header 'Content-Type: application/json' \
         https://www.googleapis.com/sql/v1beta4/projects/your-project-id/instances/your-instance-name \
         -X GET
    
  3. Add a new App Engine application to the existing list of authorized App Engine applications. PATCH replaces the whole list, so include the existing entries as well as the new one:
    curl --header 'Authorization: Bearer accessToken' \
         --header 'Content-Type: application/json' \
         https://www.googleapis.com/sql/v1beta4/projects/your-project-id/instances/your-instance-name \
         --data '{"settings" : {"authorizedGaeApplications" : ["existing-app-engine-app", "new-app-engine-app"] }}' \
         -X PATCH
    

To remove access for an App Engine application:

  1. To revoke access for all previously authorized App Engine applications, send an empty list. (To remove a single application, PATCH the list from step 2 with that application omitted.)
    curl --header 'Authorization: Bearer accessToken' \
         --header 'Content-Type: application/json' \
         https://www.googleapis.com/sql/v1beta4/projects/your-project-id/instances/your-instance-name \
         --data '{"settings" : {"authorizedGaeApplications" : []}}' \
         -X PATCH
    

Configuring access control for IP connections

You can grant any application access to a Google Cloud SQL instance by authorizing the IP addresses that the application uses to connect. This includes connecting from a Google Compute Engine (GCE) instance. If you are connecting from App Engine, you do not need to configure access for IP addresses, you need only specify the App Engine identifier (see Configuring access control for App Engine applications).

To find out the IP address of a computer running your application so that you can authorize access to your Cloud SQL instance from that address, do the following:

  1. If the computer is not behind a proxy, log in to the computer and determine its IP address. You can use a command-line tool like ifconfig (for Linux or Mac OS X) or ipconfig (Windows), or use a browser to determine your IP address (for example, search for What's My IP).
  2. If the computer is behind a proxy, log in to the computer and use a tool or service like Proxy Test to determine its true IP address.
  3. If the computer running your application is assigned an IP address that can change over time, i.e., it is dynamically assigned, see Authorizing applications with dynamically assigned IP addresses.

You cannot specify a private network (for example, 10.x.x.x) as an authorized network.

Google Cloud SQL supports connections over IPv4 and IPv6 addresses. You can connect using either protocol, or both. If you are connecting to your instance over IPv4, you must assign an IPv4 address to your Cloud SQL instance for external access to succeed. If you are connecting to your instance over IPv6, you do not have to assign an address. Each Cloud SQL instance has an IPv6 address automatically assigned to it. You are charged for assigned IPv4 addresses that are idle (see pricing). IPv6 addresses are free. To connect via IPv6, you will have to grant access to the IPv6 addresses your connections will be coming from.

Developers Console

To grant access to an external application:

  1. Go to the Google Developers Console and select a project by clicking on the project name.
  2. In the sidebar on the left, click Storage > Cloud SQL to show a list of Cloud SQL instances for the project.
  3. Find the instance to which you want to grant access and click the instance name.
  4. Click Edit.
  5. If you are connecting over IPv4, assign an address to the instance. In the IPv4 Address section, click Assign an IPv4 address to my Cloud SQL instance to assign one to the instance. Note that you are charged when you assign an IPv4 address and the instance address is idle. For more information, see the pricing page.

    If you are connecting over IPv6, you do not need to assign an address to the instance because an IPv6 address is automatically assigned to it. You are not charged for using the IPv6 address.

  6. In the Authorized Networks box, enter one or more IP address ranges to whitelist, in CIDR notation. Some points to keep in mind:

    • If you are connecting over IPv4, authorize IPv4 addresses. If you are connecting over IPv6, authorize IPv6 addresses.
    • If you are using a GCE instance, you need to define an external IP address for that instance. For more information, see External Addresses.

    Figure 2 shows an instance with an IPv4 address assigned and a whitelisted IPv4 address range.

    Figure 2: Authorizing IPv4 addresses (the UI for granting access to IPv4 addresses).

    Figure 3 shows a whitelisted IPv6 address range.

    Figure 3: Authorizing IPv6 addresses (the UI for granting access to IPv6 addresses).
  7. When you are done, click Save to update the instance.

To remove access for an external application:

Follow the steps above and click the x next to each address in the Authorized Networks box that you want to remove.

Cloud SDK

To grant access to an external application:

  1. Install the Cloud SQL command-line tool if you haven't already (see Managing Instances Using the Cloud SDK).
  2. Use the sql instances patch command to modify an existing instance (YOUR_INSTANCE_NAME) and grant access to the IP range IP_ADDRESS_RANGE (in CIDR notation):
    $ gcloud sql instances patch YOUR_INSTANCE_NAME --authorized-networks IP_ADDRESS_RANGE
    
  3. Use the sql instances patch command to assign an IP address to the instance:
    $ gcloud sql instances patch YOUR_INSTANCE_NAME --assign-ip
    
  4. Use the sql instances describe command to retrieve the IP address assigned:
    $ gcloud sql instances describe YOUR_INSTANCE_NAME
    

    In the output, find the "ipAddress" field. This value is what you will use in your connection strings.

To remove access for all external applications:

  • Use the sql instances patch command to remove access to an instance (YOUR_INSTANCE_NAME) for all previously authorized IP addresses:
    $ gcloud sql instances patch YOUR_INSTANCE_NAME --clear-authorized-networks

cURL

To grant access to external applications:

  1. Obtain an OAuth2 access token that you can use in the following commands.

    For example, you can obtain a token by using the gauth command, which is part of the Google Cloud SDK.

  2. List the existing authorized IP ranges.

    For more information about the resources of an instance you can access with the API, see instance resource definition.

    curl --header 'Authorization: Bearer accessToken' \
         --header 'Content-Type: application/json' \
         https://www.googleapis.com/sql/v1beta4/projects/your-project-id/instances/your-instance-name \
         -X GET
    
  3. Add a new IP range to the existing list of IP ranges. PATCH replaces the whole list, so include the existing ranges as well as the new one. In the v1beta4 API each authorized network is an object whose value is the CIDR range:
    curl --header 'Authorization: Bearer accessToken' \
         --header 'Content-Type: application/json' \
         https://www.googleapis.com/sql/v1beta4/projects/your-project-id/instances/your-instance-name \
         --data '{"settings" : {"ipConfiguration" : {"ipv4Enabled" : true, "authorizedNetworks": [{"value" : "existing-ip-range"}, {"value" : "new-ip-range"}] }}}' \
         -X PATCH
    

To remove access for all external applications:

  1. To revoke access for all external applications, clear the authorized networks and release the instance's IPv4 address with the following command.
    curl --header 'Authorization: Bearer accessToken' \
         --header 'Content-Type: application/json' \
         https://www.googleapis.com/sql/v1beta4/projects/your-project-id/instances/your-instance-name \
         --data '{"settings" : {"ipConfiguration" : {"ipv4Enabled" : false, "authorizedNetworks" : [] }}}' \
         -X PATCH
    
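The list-then-PATCH sequence shown with curl above, for both authorized App Engine applications and authorized networks, as an added Python example (not Google's code and not part of this page). It reads the current lists from a constructed sample of the instance resource, merges the new entry in (PATCH replaces the whole list, so anything omitted is dropped), and checks a network before it is authorized: it must be CIDR notation, it must not be a private range, and the catch-all range 0.0.0.0/0 (or ::/0) is refused unless the caller explicitly allows it. The field names follow the v1beta4 instance resource; the project and instance names, the sample addresses (documentation ranges) and the build-agent label are placeholders. Nothing is sent over the network; patch_request only returns what a client would send.

```python
# Added example (not Google's code): build the v1beta4 PATCH bodies used
# for authorizedGaeApplications and ipConfiguration.authorizedNetworks,
# validating a network before it is authorized. Runs offline.
import ipaddress
import json

# Constructed sample of the GET .../instances/your-instance-name response,
# trimmed to the settings fields this example touches. Addresses are
# documentation ranges, not real hosts.
SAMPLE_INSTANCE = {
    "name": "your-instance-name",
    "settings": {
        "authorizedGaeApplications": ["existing-app-engine-app"],
        "ipConfiguration": {
            "ipv4Enabled": True,
            "authorizedNetworks": [
                {"kind": "sql#aclEntry", "name": "office", "value": "203.0.113.0/24"},
            ],
        },
    },
}

# Ranges Cloud SQL will not authorize (the page's private-network rule),
# plus loopback and link-local, which can never reach the instance anyway.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # IPv4 loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]


def is_private(net):
    """True if net overlaps any non-public range of the same IP version."""
    return any(net.version == p.version and net.overlaps(p) for p in PRIVATE_RANGES)


def validate_network(cidr, allow_any=False):
    """Return the normalized CIDR string or raise ValueError.

    Host bits are masked off ("198.51.100.7/24" becomes "198.51.100.0/24").
    The catch-all range (0.0.0.0/0 or ::/0) admits every address on the
    internet and is refused unless the caller passes allow_any=True.
    """
    net = ipaddress.ip_network(cidr, strict=False)   # raises ValueError on junk
    if net.prefixlen == 0:
        if allow_any:
            return str(net)
        raise ValueError(f"{cidr} admits every address; pass allow_any=True if intended")
    if is_private(net):
        raise ValueError(f"{cidr} is not a public range; Cloud SQL will not authorize it")
    return str(net)


def rejected(cidr, allow_any=False):
    """True if validate_network refuses cidr."""
    try:
        validate_network(cidr, allow_any)
    except ValueError:
        return True
    return False


def gae_patch_body(instance, new_app_id):
    """PATCH body that adds new_app_id to the instance's authorized App Engine apps."""
    current = list(instance["settings"].get("authorizedGaeApplications", []))
    if new_app_id not in current:          # idempotent: no duplicate entries
        current.append(new_app_id)
    return {"settings": {"authorizedGaeApplications": current}}


def network_patch_body(instance, new_cidr, name="", allow_any=False):
    """PATCH body that adds new_cidr to the instance's authorized networks.

    ipv4Enabled is carried over unchanged: an IPv4 address is only needed
    (and billed while idle) for IPv4 connections, not for IPv6 ones.
    """
    cidr = validate_network(new_cidr, allow_any)
    ip_config = instance["settings"].get("ipConfiguration", {})
    current = [dict(entry) for entry in ip_config.get("authorizedNetworks", [])]
    if all(entry.get("value") != cidr for entry in current):
        current.append({"kind": "sql#aclEntry", "name": name, "value": cidr})
    return {"settings": {"ipConfiguration": {
        "ipv4Enabled": ip_config.get("ipv4Enabled", False),
        "authorizedNetworks": current,
    }}}


def patch_request(project, instance_name, body):
    """(url, method, JSON payload) for the PATCH, mirroring the curl calls."""
    url = (f"https://www.googleapis.com/sql/v1beta4/projects/{project}"
           f"/instances/{instance_name}")
    return url, "PATCH", json.dumps(body)


if __name__ == "__main__":
    body = network_patch_body(SAMPLE_INSTANCE, "198.51.100.7/24", name="build-agent")
    url, method, data = patch_request("your-project-id", "your-instance-name", body)
    print(method, url)
    print(data)
    for candidate in ("10.0.0.0/8", "0.0.0.0/0", "not-a-network"):
        print(candidate, "rejected" if rejected(candidate) else "accepted")
```

The merge step is the part worth keeping: because PATCH replaces the list, a script that sends only the new entry silently revokes every other application or network, which is the kind of outage that gets "fixed" by someone authorizing 0.0.0.0/0.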

Authorizing applications with dynamically assigned IP addresses

If an external application, such as a platform as a service (PaaS) application, connects to your Google Cloud SQL instance from a dynamically assigned IP address, we recommend one of the following approaches:

  • Use a proxy service so that your application appears to come from only one IP address. Add this address to the authorized networks that can connect to the instance.
  • Use a CIDR range that covers all of the IP addresses from which your service might connect.
  • Use the CIDR range 0.0.0.0/0, which allows all external IP addresses to connect. If you choose to do this, then: