Cloud SQL built-in database authentication

This page describes how built-in authentication works on Cloud SQL instances and how database administrators can set password policies for local database users.


Authentication is the process of verifying the identity of a user who is attempting to access an instance. Cloud SQL uses the following types of authentication for database users:

  • The database's built-in authentication uses a username and a password to authenticate local database users. The current page describes this type of authentication.
  • IAM database authentication uses IAM to authenticate a user. For more information, see Overview of Cloud SQL IAM database authentication.

Although IAM database authentication is more secure and reliable, you might prefer to use built-in authentication or a hybrid authentication model that includes both authentication types.

You might create and manage local database users locally within a database to allow specific persons or applications to access a database. Such database users own the objects they create in the database. Cloud SQL offers strong built-in password enforcement. You can define and enable such enforcement through password policies.

Instance password policies

You can set a password policy at the instance level when you create an instance.

A password policy for an instance can include the following options:

  • Minimum length: specify the minimum number of characters that the password must have.
  • Password complexity: check if the password is a combination of lowercase, uppercase, numeric, and non-alphanumeric characters.
  • Restrict password reuse: specify the number of previous passwords that you can't reuse.

    Supported only on Cloud SQL for MySQL 8.0.

  • Disallow username: prevent the use of the username in the password.

You need to explicitly enable a password policy at the instance level. You can modify it later by editing the instance.

User password policies

While creating a user, you can set the following password usage restrictions:

  • Set password to expire: specify the number of days after which the password expires and you need to create a new one.
  • Lock after failed attempts: specify the number of times that you can try the password incorrectly before the account is locked.
  • Require current password when password is changed: require you to enter your existing password when attempting to change it.

You can also modify user password policies.

The status of a user, indicating whether their password has expired or they're locked out, is visible when you list the users of the instance. You can unlock users and change the password from the Users page.

Cloud SQL built-in authentication for read replicas

You manage password policies for replicas on the primary instance. You can't separately modify password policies for read replicas.

When you promote an instance, you need to re-enable the instance password policy, along with the policy options.

What's next