Stay organized with collections Save and categorize content based on your preferences.
This page describes how built-in authentication works on Cloud SQL instances and how database administrators can set password policies for local database users.
IntroductionAuthentication is the process of verifying the identity of a user who is attempting to access an instance. Cloud SQL uses the following types of authentication for database users:
Although IAM database authentication is more secure and reliable, you might prefer to use built-in authentication or a hybrid authentication model that includes both authentication types.
You might create and manage local database users locally within a database to allow specific persons or applications to access a database. Such database users own the objects they create in the database. Cloud SQL offers strong built-in password enforcement. You can define and enable such enforcement through password policies.
Note: Password policies don't apply to hashed passwords. Instance password policiesYou can set a password policy at the instance level when you create an instance.
A password policy for an instance can include the following options:
Supported only on Cloud SQL for MySQL 8.0 and later.
You need to explicitly enable a password policy at the instance level. You can modify it later by editing the instance.
Note: When you enable a password policy, due to password policy verification, statements that create users or change user passwords cause additional latency usually spanning less than 150ms. User password policiesWhile creating a user, you can set the following password usage restrictions:
You can also modify user password policies.
The status of a user, indicating whether their password has expired or they're locked out, is visible when you list the users of the instance. You can unlock users and change the password from the Users page.
Cloud SQL built-in authentication for read replicasYou manage password policies for replicas on the primary instance. You can't separately modify password policies for read replicas.
When you promote an instance, you need to re-enable the instance password policy, along with the policy options.
What's nextExcept as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-02 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-07-02 UTC."],[],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4