This page describes how to view and implement recommendations about setting a
user password policy for instances that don't have a user password
policy enabled for any built-in authentication user. User password policies, such as expiration and lock after failed attempts, help prevent
password compromise and help with compliance. This
recommender is called Enable user password policy.
Every day, this recommender proactively detects instances that don't
have a user password policy enabled and provides insights and
recommendations to improve your instance security. You can view insights and
detailed recommendations about these instances by using
the Google Cloud console, gcloud CLI, or the
Recommender API.
GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.cloudsql.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=ENABLE_USER_PASSWORD_POLICY
Replace the following:
PROJECT_ID: Your project ID.
LOCATION: A region where your instances are located, such as us-central1.
View insights and detailed recommendations
To view insights and detailed recommendations, follow these steps:
Console
After listing the recommendations, click a recommendation.
The recommendation panel appears, which contains insights and detailed recommendations.
GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.cloudsql.instance.SecurityInsight/insights?filter=insightSubtype=USER_PASSWORD_POLICY_NOT_ENABLED
Replace the following:
PROJECT_ID: Your project ID.
LOCATION: A region where your instances are located, such as us-central1.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-14 UTC."],[],[],null,["# Improve instance security by setting user password policies\n\n\u003cbr /\u003e\n\n[MySQL](/sql/docs/mysql/recommender-set-user-password-policy \"View this page for the MySQL database engine\") \\| PostgreSQL \\| SQL Server\n\n\u003cbr /\u003e\n\n|\n| **Preview**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| You can process personal data for this feature as outlined in the\n| [Cloud Data Processing\n| Addendum](/terms/data-processing-addendum), subject to the obligations and restrictions described in the agreement under\n| which you access Google Cloud.\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nThis page describes how to view and implement recommendations about setting a\nuser password policy for instances that don't have a user password\npolicy enabled for any built-in authentication user. User password policies, such as expiration and lock after failed attempts, help prevent\npassword compromise and help with compliance. This\n[recommender](/recommender/docs/overview) is called **Enable user password policy**.\n\nEvery day, this recommender proactively detects instances that don't\nhave a user password policy enabled and provides insights and\nrecommendations to improve your instance security. You can view insights and\ndetailed recommendations about these instances by using\nthe Google Cloud console, [gcloud CLI](/sdk/gcloud), or the\n[Recommender API](/recommender/docs/using-api).\n\nBefore you begin\n----------------\n\nEnsure that you [enable the Recommender API](/recommender/docs/enabling).\n\n### Required roles and permissions\n\nTo get the permissions to view and work with insights and recommendations,\nensure that you have the required [Identity and Access Management (IAM) roles](/sql/docs/postgres/project-access-control#roles).\n\nFor more information about IAM roles, see [IAM basic and predefined roles reference](/iam/docs/understanding-roles) and [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\u003cbr /\u003e\n\nList the recommendations\n------------------------\n\nTo list the recommendations, follow these steps: \n\n### Console\n\nTo list recommendations about instance security, follow these steps:\n\n1. Go to the **Cloud SQL Instances** page.\n\n [Go to Cloud SQL Instances](https://console.cloud.google.com/sql/instances)\n2. View the **Issues** column in the instance table.\n\nAlternatively, follow these steps:\n\n1. Go to the **Recommendation Hub**.\n\n [Go to the Recommendation Hub](https://console.cloud.google.com/home/recommendations/)\n\n For more information, see [Exploring recommendations](/recommender/docs/recommendation-hub/identify-configuration-problems).\n2. In the **All recommendations** card, click **Security**.\n\n### gcloud\n\nRun the [`gcloud recommender recommendations list`](/sdk/gcloud/reference/recommender/recommendations/list) command as follows: \n\n```\ngcloud recommender recommendations list \\\n--project=PROJECT_ID \\\n--location=LOCATION \\\n--recommender=google.cloudsql.instance.SecurityRecommender \\\n--filter=recommenderSubtype=ENABLE_USER_PASSWORD_POLICY\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: A region where your instances are located, such as us-central1.\n\n### API\n\nCall the [`recommendations.list`](/recommender/docs/reference/rest/v1beta1/projects.locations.recommenders.recommendations/list) method as follows: \n\n```\nGET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.cloudsql.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=ENABLE_USER_PASSWORD_POLICY\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: A region where your instances are located, such as `us-central1`.\n\nView insights and detailed recommendations\n------------------------------------------\n\nTo view insights and detailed recommendations, follow these steps: \n\n### Console\n\nAfter listing the recommendations, click a recommendation.\nThe recommendation panel appears, which contains insights and detailed recommendations.\n\n### gcloud\n\nRun the [`gcloud recommender insights list`](/sdk/gcloud/reference/recommender/insights/list) command as follows: \n\n```\n\ngcloud recommender insights list \\\n--project=PROJECT_ID \\\n--location=LOCATION \\\n--insight-type=google.cloudsql.instance.SecurityInsight \\\n--filter=insightSubtype=USER_PASSWORD_POLICY_NOT_ENABLED\n\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e : A region where your instances are located, such as `us-central1`.\n\n### API\n\nCall the [`insights.list`](/recommender/docs/reference/rest/v1beta1/projects.locations.insightTypes.insights/list) method as follows: \n\n```\n\nGET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.cloudsql.instance.SecurityInsight/insights?filter=insightSubtype=USER_PASSWORD_POLICY_NOT_ENABLED\n\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: A region where your instances are located, such as `us-central1`.\n\nApply the recommendation\n------------------------\n\n### Console\n\nTo implement the recommendation, [enable user password policies](/sql/docs/postgres/built-in-authentication#user_password_policies)\non your instance.\n\n### gcloud\n\nTo implement the recommendation, [enable user password policies](/sql/docs/postgres/built-in-authentication#user_password_policies)\non your instance.\n\n### API\n\nTo implement the recommendation, [enable user password policies](/sql/docs/postgres/built-in-authentication#user_password_policies)\non your instance.\n\nWhat's next\n-----------\n\n- [Enable user password policies](/sql/docs/postgres/built-in-authentication#user_password_policies)\n- [Google Cloud recommenders](/recommender/docs/recommenders)\n- [Blog: Maximize your Cloud ROI](https://cloud.google.com/blog/products/management-tools/active-assist-comes-to-google-cloud)"]]