Stay organized with collections Save and categorize content based on your preferences.
This page describes how to enable and use Cloud SQL built-in authentication.
For an overview, see
Cloud SQL built-in database authentication.
Before creating usersIf you plan to use your database's administrative client to manage users, then do the following:
Connect the client to your instance. See Connection options for external applications.
Configure the default user on the instance by setting the password. See Set the password for the default user account.
When you create a new Cloud SQL instance, you must set a password for the default user account before you can connect to the instance.
For Cloud SQL for MySQL, the default user is
root@%
This signifies a database user with a username of
root
which can connect from any host (
@%
).
ConsoleIn the Google Cloud console, go to the Cloud SQL Instances page.
root user and then select Change password from the more actions menu .
Consider the listed stipulations for the password, which are derived from the password policy set for the instance.
Use the gcloud sql users set-password command as follows to set the password for the default user.
Replace INSTANCE_NAME with the name of the instance before running the command.
gcloud sql users set-password root \ --host=% \ --instance=INSTANCE_NAME \ --prompt-for-passwordREST v1
To update the password for the default user account, use a PUT request with the users:update method.
Before using any of the request data, make the following replacements:
HTTP method and URL:
PUT https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=root&host=%25
Request JSON body:
{
"name": "root",
"password": "password"
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X PUT \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=root&host=%25"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=root&host=%25" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2020-02-07T22:38:41.217Z",
"startTime": "2020-02-07T22:38:41.217Z",
"endTime": "2020-02-07T22:38:44.801Z",
"operationType": "UPDATE_USER",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
REST v1beta4
To update the password for the default user account, use a PUT request with the users:update method.
Before using any of the request data, make the following replacements:
HTTP method and URL:
PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=root&host=%25
Request JSON body:
{
"name": "root",
"password": "password"
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X PUT \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=root&host=%25"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=root&host=%25" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2020-02-07T22:38:41.217Z",
"startTime": "2020-02-07T22:38:41.217Z",
"endTime": "2020-02-07T22:38:44.801Z",
"operationType": "UPDATE_USER",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
Create a user
After setting up the default user account, you can create other users.
Note: Cloud SQL for MySQL 8.0 usesmysql_native_password as the default authentication plugin for new users instead of caching_sha2_password. . However, Cloud SQL for MySQL 8.4 uses caching_sha2_password for the default authentication plugin for new users. For more information, see MySQL authentication. Console
In the Google Cloud console, go to the Cloud SQL Instances page.
In the Add a user account to instance instance_name page, you can choose whether the user authenticates with the built-in database method (username and password) or as an IAM user.
Users created on instances using MySQL 8.0 or later and Cloud SQL's authentication method are granted the cloudsqlsuperuser role automatically and have the following privileges associated with this role: CREATEROLE, CREATEDB, and LOGIN.
Users created on instances using MySQL 5.7 and Cloud SQL's authentication method are granted all privileges except for FILE and SUPER automatically. If you need to change the privileges for these users, then use the GRANT or REVOKE command in the mysql client.
For more information about these user accounts and privileges, see Other MySQL user accounts.
gcloudTo create a user, use the gcloud sql users create command.
Replace the following:
%).gcloud sql users create USER_NAME \ --host=HOST \ --instance=INSTANCE_NAME \ --password=PASSWORD
Users created on instances using MySQL 8.0 or later and Cloud SQL's authentication method are granted the cloudsqlsuperuser role automatically and have the following privileges associated with this role: CREATEROLE, CREATEDB, and LOGIN.
Users created on instances using MySQL 5.7 and Cloud SQL's authentication method are granted all privileges except for FILE and SUPER automatically. If you need to change the privileges for these users, then use the GRANT or REVOKE command in the mysql client.
For more information about these user accounts and privileges, see Other MySQL user accounts.
User name length limits are the same for Cloud SQL as for on-premises MySQL; 32 characters for MySQL 8.0 and later, 16 characters for earlier versions.
When you create a user, you can add user password policy parameters.
Note: If you use thegcloud sql users create command to create a user, Cloud SQL doesn't check to see if the user exists. If a user with the same name exists, the command overwrites the user. Terraform
To create a user, use a Terraform resource.
Apply the changesTo apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.
Prepare Cloud ShellSet the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Environment variables are overridden if you set explicit values in the Terraform configuration file.
Each Terraform configuration file must have its own directory (also called a root module).
.tf extension—for example main.tf. In this tutorial, the file is referred to as main.tf.
mkdir DIRECTORY && cd DIRECTORY && touch main.tf
If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly created main.tf.
Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
terraform init
Optionally, to use the latest Google provider version, include the -upgrade option:
terraform init -upgrade
terraform plan
Make corrections to the configuration as necessary.
yes at the prompt:
terraform apply
Wait until Terraform displays the "Apply complete!" message.
To delete your changes, do the following:
deletion_protection argument to false.
deletion_protection = "false"
yes at the prompt:
terraform apply
Remove resources previously applied with your Terraform configuration by running the following command and entering yes at the prompt:
terraform destroy
To create a user, use a POST request with the users:insert method.
Before using any of the request data, make the following replacements:
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users
Request JSON body:
{
"name": "user-id",
"password": "password"
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2020-02-07T22:44:16.656Z",
"startTime": "2020-02-07T22:44:16.686Z",
"endTime": "2020-02-07T22:44:20.437Z",
"operationType": "CREATE_USER",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
Users created on instances using MySQL 8.0 or later and Cloud SQL's authentication method are granted the cloudsqlsuperuser role automatically and have the following privileges associated with this role: CREATEROLE, CREATEDB, and LOGIN.
Users created on instances using MySQL 5.7 and Cloud SQL's authentication method are granted all privileges except for FILE and SUPER automatically. If you need to change the privileges for these users, then use the GRANT or REVOKE command in the mysql client.
For more information about these user accounts and privileges, see Other MySQL user accounts.
User name length limits are the same for Cloud SQL as for on-premises MySQL; 32 characters for MySQL 8.0 and later, 16 characters for earlier versions.
When you create a user, you can add user password policy parameters.
REST v1beta4To create a user, use a POST request with the users:insert method.
Before using any of the request data, make the following replacements:
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users
Request JSON body:
{
"name": "user-id",
"password": "password"
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2020-02-07T22:44:16.656Z",
"startTime": "2020-02-07T22:44:16.686Z",
"endTime": "2020-02-07T22:44:20.437Z",
"operationType": "CREATE_USER",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
Users created on instances using MySQL 8.0 or later and Cloud SQL's authentication method are granted the cloudsqlsuperuser role automatically and have the following privileges associated with this role: CREATEROLE, CREATEDB, and LOGIN.
Users created on instances using MySQL 5.7 and Cloud SQL's authentication method are granted all privileges except for FILE and SUPER automatically. If you need to change the privileges for these users, then use the GRANT or REVOKE command in the mysql client.
For more information about these user accounts and privileges, see Other MySQL user accounts.
User name length limits are the same for Cloud SQL as for on-premises MySQL; 32 characters for MySQL 8.0 and later, 16 characters for earlier versions.
When you create a user, you can add user password policy parameters.
mysql Clientmysql prompt, use the following CREATE USER statement:
CREATE USER 'USER_NAME'@'%'
IDENTIFIED BY 'PASSWORD';
Optionally, add the user password policy parameters.
SELECT user, host FROM mysql.user;For a Second Generation instance, the output looks similar to this example:
+----------+-----------+ | user | host | +----------+-----------+ | root | % | | newuser | % | +----------+-----------+ 1 row in set (0.01 sec)
GRANT statement. For more information, see Privileges Provided by MySQL.mysql.user table to ensure that the change persists:
FLUSH TABLES mysql.user;
You can set a password policy with the built-in authentication type.
Note: Password policies don't apply to encrypted passwords. ConsoleIn the Google Cloud console, go to the Cloud SQL Instances page.
Supported only on Cloud SQL for MySQL 8.0 and later.
To set the user password policy, use the gcloud sql users set-password-policy command.
Use the --password-policy-enable-password-verification to make it mandatory for users to enter their existing password when attempting to change the password. To disable this parameter, use --no-password-policy-enable-password-verification.
Replace the following:
%).--password-policy-enable-failed-attempts-check to enable and --no-password-policy-enable-failed-attempts-check to disable the check.--password-policy-password-expiration-duration option is also supported on Cloud SQL for MySQL 5.7.
gcloud sql users set-password-policy USER_NAME \ --instance=INSTANCE_NAME \ --host=HOST \ --password-policy-enable-failed-attempts-check \ --password-policy-allowed-failed-attempts=PASSWORD_POLICY_ALLOWED_FAILED_ATTEMPTS \ --password-policy-password-expiration-duration=PASSWORD_POLICY_PASSWORD_EXPIRATION_DURATION \ --password-policy-enable-password-verification
To remove a user password policy, use the --clear-password-policy parameter.
gcloud sql users set-password-policy USER_NAME \ --instance=INSTANCE_NAME \ --host=HOST \ --clear-password-policy
To view the user password policy, see List users.
REST v1To set a user password policy, use a PUT request with the users:update method.
Before using any of the request data, make the following replacements:
true to enable a check for the number of failed attempts to log in after which the account is lockedtrue to make it mandatory for users to enter their existing password when attempting to change the passwordpasswordExpirationDuration option is also supported on Cloud SQL for MySQL 5.7.
HTTP method and URL:
PUT https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID
Request JSON body:
{
"name": "USER_ID",
"password": "PASSWORD",
"data":
{
"passwordValidationUserPolicy" : {
{
"enableFailedAttemptsCheck" : "FAILED_ATTEMPTS_CHECK",
"allowedFailedAttempts" : "NUMBER_OF_ATTEMPTS",
"passwordExpirationDuration" : "PASSWORD_EXPIRATION_DURATION",
"enablePasswordVerification" : "VERIFY_PASSWORD"
}
},
}
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X PUT \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2021-11-02T19:12:08.132Z",
"startTime": "2021-11-02T19:12:08.132Z",
"endTime": "2021-11-02T19:12:09.125Z",
"operationType": "UPDATE_USER",
"name": "OPERATION_ID",
"targetId": "INSTANCE_ID",
"selfLink": "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/operations/OPERATION_ID",
"targetProject": "PROJECT_ID"
}
To view the user password policy, see List users.
REST v1beta4To set a user password policy, use a PUT request with the users:update method.
Before using any of the request data, make the following replacements:
true to enable a check for the number of failed attempts to log in after which the account is lockedtrue to make it mandatory for users to enter their existing password when attempting to change the passwordpasswordExpirationDuration option is also supported on Cloud SQL for MySQL 5.7.
HTTP method and URL:
PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID
Request JSON body:
{
"name": "USER_ID",
"password": "PASSWORD",
"data":
{
"passwordValidationUserPolicy" : {
{
"enableFailedAttemptsCheck" : "FAILED_ATTEMPTS_CHECK",
"allowedFailedAttempts" : "NUMBER_OF_ATTEMPTS",
"passwordExpirationDuration" : "PASSWORD_EXPIRATION_DURATION",
"enablePasswordVerification" : "VERIFY_PASSWORD"
}
},
}
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X PUT \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2021-11-02T19:12:08.132Z",
"startTime": "2021-11-02T19:12:08.132Z",
"endTime": "2021-11-02T19:12:09.125Z",
"operationType": "UPDATE_USER",
"name": "OPERATION_ID",
"targetId": "INSTANCE_ID",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
"targetProject": "PROJECT_ID"
}
To view the user password policy, see List users.
mysql ClientTo set a user password policy, at the mysql prompt, use the following ALTER USER statement:
ALTER USER USER_NAME
FAILED_LOGIN_ATTEMPTS ALLOWED_FAILED_ATTEMPTS
PASSWORD EXPIRE INTERVAL PASSWORD_EXPIRATION_DURATION DAY
PASSWORD REQUIRE CURRENT;
Replace the following:
Use the PASSWORD REQUIRE CURRENT option to make it mandatory for users to enter their existing password when attempting to change the password.
PASSWORD EXPIRE INTERVAL option is also supported on Cloud SQL for MySQL 5.7.
To view the user password policy, see List users.
List users ConsoleIn the Google Cloud console, go to the Cloud SQL Instances page.
The list shows the User name, Host name, and Authentication type for each user.
Additionally, for the built-in authentication type, the Password status is also indicated.
Use the gcloud sql users list command to list the users for this instance:
gcloud sql users list \ --instance=INSTANCE_NAME
The command returns the Name, Host, and authentication Type for each user.
Additionally, for the built-in authentication type, the password policy settings and status are returned. For example:
NAME HOST TYPE PASSWORD_POLICY
user1 BUILT_IN {'allowedFailedAttempts': 2,
'enableFailedAttemptsCheck': True,
'passwordExpirationDuration': '7d',
'status': {
'locked': True,
'passwordExpirationTime': '2022-07-01T19:53:45.822742904Z'
}
}
REST v1
To list the users defined for an instance, use a GET request with the users:list method.
Before using any of the request data, make the following replacements:
HTTP method and URL:
GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Execute the following command:
curl -X GET \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
"kind": "sql#usersList",
"items": [
{
"kind": "sql#user",
"etag": "--redacted--",
"name": "sqlserver",
"host": "",
"instance": "instance-id",
"project": "project-id",
"sqlserverUserDetails": {
"serverRoles": [
"CustomerDbRootRole"
]
}
},
{
"kind": "sql#user",
"etag": "--redacted--",
"name": "user-id-1",
"host": "",
"instance": "instance-id",
"project": "project-id",
"sqlserverUserDetails": {
"serverRoles": [
"CustomerDbRootRole"
]
}
},
{
"kind": "sql#user",
"etag": "--redacted--",
"name": "user-id-2",
"host": "",
"instance": "instance-id",
"project": "project-id",
"sqlserverUserDetails": {
"serverRoles": [
"CustomerDbRootRole"
]
}
},
{
...
},
{
...
}
]
}
If a user password policy was set, the items section of the response includes a passwordPolicy section. The following code sample shows the passwordPolicy section.
{
...
"passwordValidationUserPolicy" : {
{
"enableFailedAttemptsCheck" : true,
"allowedFailedAttempts" : 8,
"passwordExpirationDuration" : "7d",
"enablePasswordVerification" : true
}
},
...
}
REST v1beta4
To list the users defined for an instance, use a GET request with the users:list method.
Before using any of the request data, make the following replacements:
HTTP method and URL:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Execute the following command:
curl -X GET \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
"kind": "sql#usersList",
"items": [
{
"kind": "sql#user",
"etag": "--redacted--",
"name": "sqlserver",
"host": "",
"instance": "instance-id",
"project": "project-id",
"sqlserverUserDetails": {
"serverRoles": [
"CustomerDbRootRole"
]
}
},
{
"kind": "sql#user",
"etag": "--redacted--",
"name": "user-id-1",
"host": "",
"instance": "instance-id",
"project": "project-id",
"sqlserverUserDetails": {
"serverRoles": [
"CustomerDbRootRole"
]
}
},
{
"kind": "sql#user",
"etag": "--redacted--",
"name": "user-id-2",
"host": "",
"instance": "instance-id",
"project": "project-id",
"sqlserverUserDetails": {
"serverRoles": [
"CustomerDbRootRole"
]
}
},
{
...
},
{
...
}
]
}
If a user password policy was set, the items section of the response includes a passwordPolicy section. The following code sample shows the passwordPolicy section.
{
...
"passwordValidationUserPolicy" : {
{
"enableFailedAttemptsCheck" : true,
"allowedFailedAttempts" : 8,
"passwordExpirationDuration" : "7d",
"enablePasswordVerification" : true
}
},
...
}
mysql Client
To list MySQL users, at the mysql prompt, use the following SELECT statement:
SELECT user, host FROM mysql.user;
For a Second Generation instance with only the root user account configured, the output looks similar to this example:
+------+-----------+ | user | host | +------+-----------+ | root | % | +------+-----------+ 1 row in set (0.01 sec)
This example shows the users for an instance with the root user. This user can connect from any host (%). The password field shows the hash of the password.
gcloud to display system users. Change a user password
User passwords can be changed in one of the following ways.
ConsoleIn the Google Cloud console, go to the Cloud SQL Instances page.
Additionally, if you want to continue to use your older password, select the Retain current password checkbox.
Use the gcloud sql users set-password command to change a password.
Replace the following:
%).Optionally, for MySQL 8.0 and later, you can continue to allow the user to use the older password with the --retain-password option. To discard the older password, use the --discard-dual-password option.
gcloud sql users set-password USER_NAME \ --host=HOST \ --instance=INSTANCE_NAME \ --password=PASSWORDREST v1
To change a user password, use a PUT request with the users:update method.
The following request updates the password for the user account user_name'@'%. If your user has a different host, you must modify the call with the correct host.
Before using any of the request data, make the following replacements:
DUAL_PASSWORD: The user can continue to use the older password.NO_DUAL_PASSWORD: The user cannot use the older password.NO_MODIFY_DUAL_PASSWORD: The dual password status stays unchanged.HTTP method and URL:
PUT https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=user-id
Request JSON body:
{
"name": "user-id",
"password": "password",
"retainedPassword" : "dual-password"
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X PUT \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=user-id"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=user-id" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2020-02-07T22:38:41.217Z",
"startTime": "2020-02-07T22:38:41.217Z",
"endTime": "2020-02-07T22:38:44.801Z",
"operationType": "UPDATE_USER",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
REST v1beta4
To change a user password, use a PUT request with the users:update method.
The following request updates the password for the user account user_name'@'%. If your user has a different host, you must modify the call with the correct host.
Before using any of the request data, make the following replacements:
DUAL_PASSWORD: The user can continue to use the older password.NO_DUAL_PASSWORD: The user cannot use the older password.NO_MODIFY_DUAL_PASSWORD: The dual password status stays unchanged.HTTP method and URL:
PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=user-id
Request JSON body:
{
"name": "user-id",
"password": "password",
"retainedPassword" : "dual-password"
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X PUT \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=user-id"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=user-id" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2020-02-07T22:38:41.217Z",
"startTime": "2020-02-07T22:38:41.217Z",
"endTime": "2020-02-07T22:38:44.801Z",
"operationType": "UPDATE_USER",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
mysql Client
mysql prompt, use the following SET PASSWORD statement:
SET PASSWORD FOR USER_NAME = PASSWORD('auth_string');mysql.user table to ensure that the change persists:
FLUSH TABLES mysql.user;
If a user is locked out due to password policy settings, change the password to unlock them. Ensure that passwords, when changed, adhere to the password policy.
Remove a user password policyYou can remove a password policy from a user that has the built-in authentication type.
gcloudTo remove the user password policy, use the gcloud sql users set-password-policy command and the --clear-password-policy parameter.
Replace the following:
%)gcloud sql users set-password-policy USER_NAME \ --instance=INSTANCE_NAME \ --host=HOST \ --clear-password-policyREST v1
To remove a user password policy, use a PUT request with the users:update method.
Before using any of the request data, make the following replacements:
HTTP method and URL:
PUT https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID
Request JSON body:
{
"name": "USER_ID",
"password": "PASSWORD",
"data":
{
"passwordValidationUserPolicy" : {}
}
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X PUT \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2021-11-02T19:12:08.132Z",
"startTime": "2021-11-02T19:12:08.132Z",
"endTime": "2021-11-02T19:12:09.125Z",
"operationType": "UPDATE_USER",
"name": "OPERATION_ID",
"targetId": "INSTANCE_ID",
"selfLink": "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/operations/OPERATION_ID",
"targetProject": "PROJECT_ID"
}
REST v1beta4
To remove a user password policy, use a PUT request with the users:update method.
Before using any of the request data, make the following replacements:
HTTP method and URL:
PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID
Request JSON body:
{
"name": "USER_ID",
"password": "PASSWORD",
"data":
{
"passwordValidationUserPolicy" : {}
}
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X PUT \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method PUT `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2021-11-02T19:12:08.132Z",
"startTime": "2021-11-02T19:12:08.132Z",
"endTime": "2021-11-02T19:12:09.125Z",
"operationType": "UPDATE_USER",
"name": "OPERATION_ID",
"targetId": "INSTANCE_ID",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
"targetProject": "PROJECT_ID"
}
Remove a user
The default user can remove users.
The methods described in this section do not allow you to remove an anonymous user from your Cloud SQL instance. MySQL includes an anonymous user that allows anyone to connect to the MySQL server without a user account. If you want to remove an anonymous user, connect to your Cloud SQL instance and remove the user manually. For more information about removing anonymous users, refer to the MySQL official documentation.Before removing a user, you must drop all the objects it owns or reassign their ownership, and revoke any privileges the role has been granted on other objects.
ConsoleIn the Google Cloud console, go to the Cloud SQL Instances page.
Use the gcloud sql users delete command to remove a user.
Replace the following:
%).gcloud sql users delete USER_NAME \ --host=HOST \ --instance=INSTANCE_NAMEREST v1
The request below uses the users:delete method to delete the specified user account.
Before using any of the request data, make the following replacements:
HTTP method and URL:
DELETE https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Execute the following command:
curl -X DELETE \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method DELETE `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2020-02-07T22:38:41.217Z",
"startTime": "2020-02-07T22:38:41.217Z",
"endTime": "2020-02-07T22:38:44.801Z",
"operationType": "DELETE_USER",
"name": "OPERATION_ID",
"targetId": "INSTANCE_ID",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
"targetProject": "PROJECT_ID"
}
REST v1beta4
The request below uses the users:delete method to delete the specified user account.
Before using any of the request data, make the following replacements:
HTTP method and URL:
DELETE https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.
Execute the following command:
curl -X DELETE \PowerShell (Windows) Note: The following command assumes that you have logged in to the
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME"
gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }Invoke-WebRequest `
-Method DELETE `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2020-02-07T22:38:41.217Z",
"startTime": "2020-02-07T22:38:41.217Z",
"endTime": "2020-02-07T22:38:44.801Z",
"operationType": "DELETE_USER",
"name": "OPERATION_ID",
"targetId": "INSTANCE_ID",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
"targetProject": "PROJECT_ID"
}
mysql Client
mysql prompt, use the following DROP USER statement:
DROP USER 'USER_NAME'@'HOST_NAME';
mysql.user table to ensure that the change persists:
FLUSH TABLES mysql.user;
To update user properties such as host or privileges, you must use the
mysql
client. For more information, see
MySQL User Account Managementin the MySQL documentation.
What's nextExcept as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-02 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-07-02 UTC."],[],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4