Cloud SQL Language Connectors overview

This page summarizes the Cloud SQL Language Connectors and how to use them with your instances.

Cloud SQL Language Connectors are libraries that provide encryption and IAM authorization when connecting to a Cloud SQL instance. Cloud SQL Language Connectors create authorized connections to the proxy-side server on behalf of a user's application and pass that connection to the application's database driver. They don't provide a network path to a Cloud SQL instance if one is not already present.

Cloud SQL Language Connectors use a client-side component to connect to a proxy server on the Cloud SQL instance. The connector creates a temporary certificate that authorizes the holder to connect to the server-side proxy. The server-side proxy limits access to the Cloud SQL database by requiring a valid TLS certificate in order to connect.

Cloud SQL supports the following Cloud SQL Language Connectors:

• Cloud SQL Java connector
• Cloud SQL Python connector
• Cloud SQL Go connector
• Cloud SQL Node.js connector

Cloud SQL recommends using Cloud SQL Language Connectors to connect to your Cloud SQL instance. You can also to connect to a Cloud SQL instance include using a database client or the Cloud SQL Auth Proxy. For more information about connecting to a Cloud SQL instance, see About connection options.

Requirements

If your Cloud SQL instance uses shared certificate authority (CA) as its serverCaMode (Preview), then on the client side, make sure that the Cloud SQL Language Connectors you're using meet their version requirements:

• Cloud SQL Java connector: v1.21.0 or later
• Cloud SQL Go connector: v1.12.0 or later
• Cloud SQL Node.js connector: v1.4.0 or later

Benefits of Cloud SQL Language Connectors

Cloud SQL Language Connectors provide the following benefits with connecting to a Cloud SQL instance:

• IAM authorization: Uses identity and access management (IAM) permissions to control who or what can connect to your Cloud SQL instances.
• Convenience: Removes the requirement to manage SSL certificates, configure firewall rules, or enable authorized networks.

Enforce the use of Cloud SQL Language Connectors

By using connector enforcement, you can enforce using only the Cloud SQL Auth Proxy or Cloud SQL Language Connectors to connect to Cloud SQL instances. With connector enforcement, Cloud SQL rejects direct connections to the database. You can't create read replicas for an instance that has connector enforcement enabled. Similarly, if an instance has connector enforcement enabled, then you can't create read replicas for the instance.

For more information about how to enforce using only the Cloud SQL Auth Proxy or Cloud SQL Language Connectors to connect to an instance that has private services access configured for it, see Connect using Cloud SQL Language Connectors.

What's next

• Connect using the Cloud SQL Java Connector.
• Connect using the Cloud SQL Python Connector.
• Connect using the Cloud SQL Go Connector.
• Connect using the Cloud SQL Node.js Connector.
• Learn more about the Cloud SQL Auth Proxy.