MCP Tools Reference: cloud-sql

Tool: list_users

List all database users for a Cloud SQL instance.

The following sample demonstrate how to use curl to invoke the list_users MCP tool.

Curl Request 
                  
curl --location 'https://sqladmin.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "list_users",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

SqlUsersListRequest

JSON representation 
{
  "instance": string,
  "project": string
}
Fields
instance

string

Database instance ID. This does not include the project ID.
project

string

Project ID of the project that contains the instance.

Output Schema

User list response.

UsersListResponse

JSON representation 
{
  "kind": string,
  "items": [
    {
      object (User)
    }
  ],
  "nextPageToken": string
}
Fields
kind

string

This is always sql#usersList.
items[]

object (User)

List of user resources in the instance.
nextPageToken
(deprecated)

string

Unused.

User

JSON representation 
{
  "kind": string,
  "password": string,
  "etag": string,
  "name": string,
  "host": string,
  "instance": string,
  "project": string,
  "type": enum (SqlUserType),
  "iamEmail": string,
  "passwordPolicy": {
    object (UserPasswordValidationPolicy)
  },
  "databaseRoles": [
    string
  ],

  // Union field user_details can be only one of the following:
  "sqlserverUserDetails": {
    object (SqlServerUserDetails)
  }
  // End of list of possible types for union field user_details.

  // Union field _dual_password_type can be only one of the following:
  "dualPasswordType": enum (DualPasswordType)
  // End of list of possible types for union field _dual_password_type.

  // Union field _iam_status can be only one of the following:
  "iamStatus": enum (IamStatus)
  // End of list of possible types for union field _iam_status.
}
Fields
kind

string

This is always sql#user.
password

string

The password for the user.
etag

string

This field is deprecated and will be removed from a future version of the API.
name

string

The name of the user in the Cloud SQL instance. Can be omitted for update because it is already specified in the URL.
host

string

Optional. The host from which the user can connect. For insert operations, host defaults to an empty string. For update operations, host is specified as part of the request URL. The host name cannot be updated after insertion. For a MySQL instance, it's required; for a PostgreSQL or SQL Server instance, it's optional.
instance

string

The name of the Cloud SQL instance. This does not include the project ID. Can be omitted for update because it is already specified on the URL.
project

string

The project ID of the project containing the Cloud SQL database. The Google apps domain is prefixed if applicable. Can be omitted for update because it is already specified on the URL.
type

enum (SqlUserType)

The user type. It determines the method to authenticate the user during login. The default is the database's built-in user type.
iamEmail

string

Optional. The full email for an IAM user. For normal database users, this will not be filled. Only applicable to MySQL database users.
passwordPolicy

object (UserPasswordValidationPolicy)

User level password validation policy.
databaseRoles[]

string

Optional. Role memberships of the user
Union field user_details. User details for specific database type user_details can be only one of the following:
sqlserverUserDetails

object (SqlServerUserDetails)

Union field _dual_password_type.

_dual_password_type can be only one of the following:
dualPasswordType

enum (DualPasswordType)

Dual password status for the user.

Union field _iam_status.

_iam_status can be only one of the following:
iamStatus

enum (IamStatus)

Indicates if a group is active or inactive for IAM database authentication.

SqlServerUserDetails

JSON representation 
{
  "disabled": boolean,
  "serverRoles": [
    string
  ]
}
Fields
disabled

boolean

If the user has been disabled
serverRoles[]

string

The server roles for this user

UserPasswordValidationPolicy

JSON representation 
{
  "allowedFailedAttempts": integer,
  "passwordExpirationDuration": string,
  "enableFailedAttemptsCheck": boolean,
  "status": {
    object (PasswordStatus)
  },
  "enablePasswordVerification": boolean
}
Fields
allowedFailedAttempts

integer

Number of failed login attempts allowed before user get locked.
passwordExpirationDuration

string (Duration format)

Expiration duration after password is updated.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".
enableFailedAttemptsCheck

boolean

If true, failed login attempts check will be enabled.
status

object (PasswordStatus)

Output only. Read-only password status.
enablePasswordVerification

boolean

If true, the user must specify the current password before changing the password. This flag is supported only for MySQL.

Duration

JSON representation 
{
  "seconds": string,
  "nanos": integer
}
Fields
seconds

string (int64 format)

Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years
nanos

integer

Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 seconds field and a positive or negative nanos field. For durations of one second or more, a non-zero value for the nanos field must be of the same sign as the seconds field. Must be from -999,999,999 to +999,999,999 inclusive.

PasswordStatus

JSON representation 
{
  "locked": boolean,
  "passwordExpirationTime": string
}
Fields
locked

boolean

If true, user does not have login privileges.
passwordExpirationTime

string (Timestamp format)

The expiration time of the current password.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Timestamp

JSON representation 
{
  "seconds": string,
  "nanos": integer
}
Fields
seconds

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
nanos

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ✅ | Open World Hint: ❌