This page describes how to protect Cloud SQL instances from accidental deletion.
OverviewInstance deletion protection enables you to prevent the accidental removal of existing and new instances. Using instance deletion protection, you can safeguard instances that are important to your applications and services.
You can set the deletion protection option when you create an instance. Additionally, you can set this option on an existing instance. In both cases, deletion is prevented at the instance level. By default, the deletion protection option is disabled unless you use the Google Cloud console or Terraform to create an instance.
When you clone an instance, the new instance receives the deletion protection option (enabled or disabled) from the source instance.
Planning for deletion protectionIf you are planning to create an instance, decide whether you want to protect the new instance from accidental deletion. For example, a critical instance should be protected in this way.
Also consider whether there are existing instances you want to protect from accidental deletion. If you have multiple instances to protect, set the option on each instance.
Considering deletion protection for read replicasWhen you create a read replica, that read replica doesn't get a deletion protection setting from the primary instance; this setting remains independent. However, you can enable deletion protection on a new or existing read replica.
For Cloud SQL read replicas, the deletion protection option works the same way as it does for Cloud SQL instances.
Confirming the necessary permissions or rolesTo set the deletion protection option, the Cloud SQL instance's service account must have certain permissions or IAM roles.
Permissions or roles for creating an instanceAs in the case of related operations, the deletion protection option requires the cloudsql.instances.create permission or the cloudsql.admin role. Thus, when you create an instance, no extra permissions are needed to enable deletion protection.
As in the case of related operations, deletion protection changes require the cloudsql.instances.update permission or the cloudsql.editor role. Thus, when you edit an instance for deletion protection, no extra permissions are needed.
If you are planning to delete an instance, first do the following:
Deletion protection on an instance does not prevent:
The following are the ways to set the deletion protection option. By default, the deletion protection option is disabled unless you use the Google Cloud console or Terraform to create an instance.
If deletion protection is enabled, an attempt to delete the instance fails.
ConsoleTo set deletion protection during instance creation, use a command similar to the following:
gcloud sql instances create [INSTANCE_NAME] \
--deletion-protection REST v1
To set deletion protection during instance creation, specify true in the deletionProtection field.
Before using any of the request data, make the following replacements:
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/project-id/instances
Request JSON body:
{
"name": "instance-id",
"region": "region",
"databaseVersion": "database-version",
"settings": {
"tier": "machine-type",
"deletionProtectionEnabled": true
}
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2022-05-24T15:34:10.929Z",
"operationType": "CREATE",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
REST v1beta4
To set deletion protection during instance creation, specify true in the deletionProtection field.
Before using any of the request data, make the following replacements:
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1beta4/projects/project-id/instances
Request JSON body:
{
"name": "instance-id",
"region": "region",
"databaseVersion": "database-version",
"settings": {
"tier": "machine-type",
"deletionProtectionEnabled": true
}
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1beta4/projects/project-id/instances"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1beta4/projects/project-id/instances" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2022-05-26T15:37:10.929Z",
"operationType": "CREATE",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
To see how the
underlying REST API requestis constructed for this task, see the
APIs Explorer on the instances:insert page.
Setting or removing deletion protection on an existing instanceThe following are the ways to edit an instance for deletion protection. If you enable the option, a subsequent attempt to delete the instance fails.
ConsoleTo enable deletion protection when you update an instance, use a command similar to the following:
gcloud sql instances patch [INSTANCE_NAME] \
--deletion-protection
To disable deletion protection when you update an instance, use a command similar to the following:
gcloud sql instances patch [INSTANCE_NAME] \
--no-deletion-protection REST v1
To set deletion protection when you update an instance, specify true in the deletionProtection field. To remove deletion protection, specify false in that field.
Before using any of the request data, make the following replacements:
HTTP method and URL:
PATCH https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id
Request JSON body:
{
"settings": {
"deletionProtectionEnabled": true
}
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X PATCH \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2022-06-1T03:42:12.281Z",
"operationType": "CREATE",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
REST v1beta4
To set deletion protection when you update an instance, specify true in the deletionProtection field. To remove deletion protection, specify false in that field.
Before using any of the request data, make the following replacements:
HTTP method and URL:
PATCH https://sqladmin.googleapis.com/v1beta4/projects/project-id/instances/instance-id
Request JSON body:
{
"settings": {
"deletionProtectionEnabled": true
}
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X PATCH \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1beta4/projects/project-id/instances/instance-id"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1beta4/projects/project-id/instances/instance-id" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2022-06-1T03:32:12.281Z",
"operationType": "UPDATE",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
To see how the
underlying REST API requestis constructed for this task, see the
APIs Explorer on the instances:patch page.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4