# Connect to a database cluster

Last updated 2025-08-25 UTC.

By default, a database cluster only allows connection from within the
[user cluster](/distributed-cloud/hosted/docs/latest/gdch/resources/resource-hierarchy#cluster) and the same project.

To enable connections to all database clusters in your project from another
project, see [Enable cross-project connections](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/db-cross-project-connect).

To enable connections to a database cluster from IP addresses outside your
GDC organization, see [Enable external connections](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/db-external-project-connect).

Sign in to the GDC console with an account bound to the
`project-db-admin` role to find the following information for connecting to your
database cluster. This information is in the **Connectivity** section of the
**Database Service** page.

These steps include an example for connecting to the database using `psql`. The
exact steps will vary depending on the client software you choose.

### Console

1. Navigate to the **Connectivity** section of the **Database Service** page
   for the database cluster. This page includes:

   - The password of the administrator account (the username is `dbsadmin`)
   - Hostname and port number of the database cluster's primary endpoint
   - Whether the database cluster allows external connections from outside the organization
   - A `psql` command for connecting to the cluster (for PostgreSQL and AlloyDB Omni database clusters)
   - A string for connecting to the cluster with Java Database Connectivity (JDBC) (for Oracle database clusters)
   - A link to download the certificate authority (CA) certificate of the database cluster

2. Download the CA certificate from the GDC console in the
   **Connectivity** section of the **Database Service** page for your
   database cluster.

3. Configure your client to use the CA certificate to verify the database. For
   `psql` clients, set the `PGSSLROOTCERT` environment variable to the path of the
   certificate file and the `PGSSLMODE` environment variable to your preference:

       export PGSSLROOTCERT=path/to/accounts_cert.pem
       export PGSSLMODE="verify-full"

4. Connect to the database from your client software. If you're using `psql`,
   run the following command:

       PGPASSWORD=DB_PASSWORD psql -h DB_HOSTNAME -p DB_PORT -U DB_USERNAME -d postgres

Replace the following variables:

- `path/to/`: the path to the `accounts_cert.pem` certificate.
- `DB_PASSWORD`: the password from the console.
- `DB_HOSTNAME`: the database hostname from the console.
- `DB_PORT`: the database port number from the console.
- `DB_USERNAME`: the database username from the console.

### API

1. Retrieve the database endpoint from the database cluster status:

       kubectl get dbcluster.DBENGINE_NAME.dbadmin.gdc.goog DBCLUSTER_NAME -n USER_PROJECT -o=jsonpath='{.status.primary.url}'

2. Download the CA certificate from the Kubernetes secret:

       kubectl get secret dbs-certificates -n USER_PROJECT -o json | jq -r '.data."dbs-DBENGINE_SHORT_NAME-cert-DBCLUSTER_NAME"' | base64 -d > path/to/ca.crt

3. Configure your client to use the CA certificate to verify the database. For
   `psql` clients, you can set the `PGSSLROOTCERT` environment variable to the path
   of the certificate file and the `PGSSLMODE` environment variable to your preference:

       export PGSSLROOTCERT=path/to/ca.crt
       export PGSSLMODE="verify-full"

4. Connect to the database from your client software. If you're using `psql`,
   run the following command:

       PGPASSWORD=DB_PASSWORD psql -h DB_HOSTNAME -p DB_PORT -U DB_USERNAME -d postgres

Replace the following variables:

- `DBENGINE_NAME`: the name of the database engine. This is one of `alloydbomni`, `postgresql`, or `oracle`.
- `USER_PROJECT`: the name of the user project where the database cluster was created.
- `DBENGINE_SHORT_NAME`: the abbreviated name of the database engine. This is one of `al` (AlloyDB Omni), `pg` (PostgreSQL), or `ora` (Oracle).
- `DBCLUSTER_NAME`: the name of the database cluster.
- `path/to/`: the path to the database CA certificate.
- `DB_PASSWORD`: the database password for the administrator user.
- `DB_HOSTNAME`: the hostname from the database cluster status.
- `DB_PORT`: the database port number from the database cluster status.
- `DB_USERNAME`: the database username (default is `dbsadmin`).
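
The `psql` steps above pass the password inline with `PGPASSWORD=` and leave `PGSSLMODE` to preference. The following POSIX shell wrapper is an added example, not part of the GDC documentation: it reads the password from a libpq password file (so it stays out of shell history and the command line) and refuses any `PGSSLMODE` that would not check the server certificate against the downloaded CA. The function names are hypothetical; the arguments correspond to the page's `DB_HOSTNAME`, `DB_PORT`, `DB_USERNAME` and `DB_PASSWORD` placeholders.

```shell
#!/bin/sh
# Added example (not from the GDC docs). Function names are hypothetical.

# Escape ':' and '\' as libpq's password-file format requires.
pgpass_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# Write a one-line password file readable only by its owner.
# libpq ignores the file if group or world can access it.
write_pgpass() {  # args: host port database user password file
    ( umask 077
      printf '%s:%s:%s:%s:%s\n' "$(pgpass_escape "$1")" "$2" \
          "$(pgpass_escape "$3")" "$(pgpass_escape "$4")" \
          "$(pgpass_escape "$5")" > "$6" )
    chmod 600 "$6"
}

# Only verify-ca and verify-full check the server certificate against
# PGSSLROOTCERT; verify-full also checks that the hostname matches.
sslmode_verifies_server() {
    case "$1" in
        verify-full) return 0 ;;
        verify-ca)   echo "warning: hostname is not checked" >&2; return 0 ;;
        *)           return 1 ;;
    esac
}

# Connect with psql; the password comes from PGPASSFILE, not the command line.
connect() {  # args: host port user ca_file
    : "${PGSSLMODE:=verify-full}"
    sslmode_verifies_server "$PGSSLMODE" || {
        echo "refusing PGSSLMODE=$PGSSLMODE: server certificate would not be verified" >&2
        return 2
    }
    [ -r "$4" ] || { echo "CA certificate not readable: $4" >&2; return 3; }
    PGSSLROOTCERT=$4 PGSSLMODE=$PGSSLMODE PGPASSFILE=${PGPASSFILE:-$HOME/.pgpass} \
        psql -h "$1" -p "$2" -U "$3" -d postgres
}
```

Call `write_pgpass` once with the values from the **Connectivity** section, then `connect DB_HOSTNAME DB_PORT DB_USERNAME path/to/ca.crt`.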