# IAM authentication

Google Cloud offers Identity and Access Management (IAM), which lets you give
access to specific Google Cloud resources and prevent unwanted
access to other resources. This page describes how Cloud SQL is integrated with
IAM. For a detailed description of Google Cloud IAM, see the
[IAM documentation](/iam/docs).

Cloud SQL provides a set of [predefined roles](/sql/docs/sqlserver/iam-roles)
designed to help you control access to your Cloud SQL resources. You can
also create your own [custom roles](/sql/docs/sqlserver/iam-roles#custom-roles)
if the predefined roles don't provide the sets of permissions you need.
In addition, the legacy basic roles (Editor, Viewer, and Owner) are still
available to you, although they don't provide the same fine-grained control as
the Cloud SQL roles. In particular, the basic roles grant access to resources
across Google Cloud, rather than just to Cloud SQL. For more information about
basic Google Cloud roles, see [Basic roles](/iam/docs/understanding-roles#basic).

You can set an IAM policy at any level in the
[resource hierarchy](/iam/docs/overview#resource-hierarchy): the
organization level, the folder level, or the project level.
Resources inherit the policies of all of their parent resources.

IAM authentication concepts
---------------------------

When using IAM authentication, permission to access a resource
(a Cloud SQL instance) isn't granted *directly* to the end user. Instead,
permissions are grouped into *roles*, and roles are granted to *principals*. For
more information, see the [IAM overview](/iam/docs/overview).

IAM policies involve the following entities:

- **Principals**. In Cloud SQL, you can use two types of principals: a *user account* and a *service account* (for applications). For more information, see [Concepts related to identity](/iam/docs/overview#concepts_related_identity).
- **Roles**. A role is a collection of permissions. You can grant roles to principals to provide them with the privileges required to accomplish specific tasks. For more information about IAM roles, see [Roles](/iam/docs/overview#roles).
- **Resource**. The resources that principals access are Cloud SQL instances. By default, IAM policy bindings are applied at the project level, so principals receive the role's permissions on all Cloud SQL instances in the project.
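To make the two ideas in this section concrete (roles group permissions; a binding set at any level of the resource hierarchy is inherited by everything below it, and a project-level binding covers every instance in the project), here is an added Python model. It is not part of the Cloud SQL documentation or of any Google library: the hierarchy, the principals and the role-to-permission table are constructed assumptions, and the table is a small illustrative subset, not the real predefined-role definitions.

```python
"""Toy model of how IAM policy bindings resolve for Cloud SQL instances."""
from dataclasses import dataclass, field

# Illustrative subset of permissions per predefined role: an assumption for this
# model only, not the real role definitions (see the predefined-roles reference).
ROLE_PERMISSIONS = {
    "roles/cloudsql.viewer": {"cloudsql.instances.get", "cloudsql.instances.list"},
    "roles/cloudsql.client": {"cloudsql.instances.get", "cloudsql.instances.connect"},
    "roles/cloudsql.admin": {"cloudsql.instances.get", "cloudsql.instances.list",
                             "cloudsql.instances.connect", "cloudsql.instances.delete"},
}


@dataclass
class Node:
    """One level of the resource hierarchy: organization, folder, or project."""
    name: str
    parent: "Node | None" = None
    # role -> set of principals bound to it at this level, e.g. "user:alice@example.com"
    bindings: dict = field(default_factory=dict)

    def grant(self, role: str, principal: str) -> None:
        self.bindings.setdefault(role, set()).add(principal)


def effective_roles(project: Node, principal: str) -> set:
    """Roles a principal holds on a project: its own bindings plus those of every
    ancestor, because resources inherit the policies of all parent resources."""
    roles, node = set(), project
    while node is not None:
        roles |= {r for r, members in node.bindings.items() if principal in members}
        node = node.parent
    return roles


def permitted(project: Node, principal: str, permission: str) -> bool:
    """A project-level binding covers every Cloud SQL instance in that project,
    so the check is per project, not per instance."""
    return any(permission in ROLE_PERMISSIONS.get(r, set())
               for r in effective_roles(project, principal))


def demo() -> Node:
    """Constructed sample hierarchy: org -> folder -> project, with two bindings."""
    org = Node("organizations/123456")
    folder = Node("folders/789", parent=org)
    proj = Node("projects/demo-project", parent=folder)
    org.grant("roles/cloudsql.viewer", "group:auditors@example.com")
    proj.grant("roles/cloudsql.client", "serviceAccount:app@demo-project.iam.gserviceaccount.com")
    return proj
```

In the sample, the auditors group gets viewer permissions on the project purely through the organization-level binding, while the service account's client role, bound on the project, applies to every instance in it.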
IAM references for Cloud SQL
----------------------------

- [Required permissions for common tasks in the Google Cloud console](/sql/docs/sqlserver/iam-permissions#permissions-console)
- [Required permissions for `gcloud sql` commands](/sql/docs/sqlserver/iam-permissions#permissions-gcloud)
- [Required permissions for Cloud SQL Admin API methods](/sql/docs/sqlserver/iam-permissions#api-methods)
- [Predefined Cloud SQL IAM roles](/sql/docs/sqlserver/iam-roles#roles)
- [Permissions and their roles](/sql/docs/sqlserver/iam-roles#permissions-roles)
- [Custom roles](/sql/docs/sqlserver/iam-roles#custom-roles)

Last updated 2025-08-25 UTC.