This page describes how to enable and use Cloud SQL built-in authentication.
For an overview, see Cloud SQL built-in database authentication.
Before creating users
- Create a Cloud SQL instance. For more information, see Create instances.
- Enable password policies for the instance. For more information, see Instance password policies.
If you plan to use your database's administrative client to manage users, then do the following:
- Connect the client to your instance. See Connection options for external applications.
- Configure the default user on the instance by setting the password. See Set the password for the default user account.
Set the password for the default user account
When you create a new Cloud SQL instance, you must set a password for the default user account before you can connect to the instance.
For Cloud SQL for PostgreSQL, the default user is postgres.
Console
- In the Google Cloud console, go to the Cloud SQL Instances page.
- To open the Overview page of an instance, click the instance name.
- Select Users from the SQL navigation menu.
- Find the postgres user and select Change password from the more actions menu.
- Provide a strong password that you can remember and click OK.
gcloud
Use the gcloud sql users set-password command as follows to set the password for the default user.
Replace INSTANCE_NAME with the name of the instance before running the command.
gcloud sql users set-password postgres \
  --instance=INSTANCE_NAME \
  --prompt-for-password
REST v1
To update the password for the default user account, use a PUT request with the users:update method.
Before using any of the request data, make the following replacements:
- project-id: Your project ID
- instance-id: The desired instance ID
- user-id: The ID of the user
- password: The password for the user
HTTP method and URL:
PUT https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=user-id
Request JSON body:
{
"name": "user-id",
"password": "password"
}
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2020-02-07T22:38:41.217Z",
"startTime": "2020-02-07T22:38:41.217Z",
"endTime": "2020-02-07T22:38:44.801Z",
"operationType": "UPDATE_USER",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
REST v1beta4
To update the password for the default user account, use a PUT request with the users:update method.
Before using any of the request data, make the following replacements:
- project-id: Your project ID
- instance-id: The desired instance ID
- user-id: The ID of the user
- password: The password for the user
HTTP method and URL:
PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=user-id
Request JSON body:
{
"name": "user-id",
"password": "password"
}
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2020-02-07T22:38:41.217Z",
"startTime": "2020-02-07T22:38:41.217Z",
"endTime": "2020-02-07T22:38:44.801Z",
"operationType": "UPDATE_USER",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
Create a user
After setting up the default user account, you can create other users.
When you create a built-in user, you can assign the user one or more database roles.
To assign a custom database role to a user, you must create the role in the PostgreSQL database first. To create a role in PostgreSQL, see Database roles.
Console
- In the Google Cloud console, go to the Cloud SQL Instances page.
- To open the Overview page of an instance, click the instance name.
- Select Users from the SQL navigation menu.
- Click Add user account.
In the Add a user account to instance instance_name page, you can choose whether the user authenticates with the built-in database method (username and password) or as an IAM user.
- Select Built-in authentication (the default) and add the following information:
  - A User name.
  - Optional. A Password. Provide a strong password that you can remember.
- Click Add.
If you create a PostgreSQL user that uses built-in authentication, then the user is granted the cloudsqlsuperuser role automatically. The user is provided with the following privileges associated with this role: CREATEROLE, CREATEDB, and LOGIN.
If you want to change the privileges for the user, then you can create and assign one or more custom PostgreSQL database roles when you create the user in Cloud SQL. If you assign one or more custom database roles when you create the user in Cloud SQL, then the user isn't granted the cloudsqlsuperuser role.
If you need to change the attributes for these users, then use the ALTER ROLE command in the psql client. Not all attributes can be modified with ALTER ROLE. Exceptions include the NOSUPERUSER and NOREPLICATION roles.
For more information about these user accounts and privileges, see Other PostgreSQL user accounts.
gcloud
To create a user, use the gcloud sql users create command.
Replace the following:
- USER_NAME: the user name.
- INSTANCE_NAME: the name of the instance.
- PASSWORD: the password for the user.
- ROLE_1, ROLE_2 ..., ROLE_N: optional. The database role or roles to assign to the user.
gcloud sql users create USER_NAME \
  --instance=INSTANCE_NAME \
  --password=PASSWORD \
  --database-roles=ROLE_1,ROLE_2,...,ROLE_N
Username length limits are the same for Cloud SQL as for on-premises PostgreSQL.
When you create a user, you can add user password policy parameters.
Terraform
To create a user, use a Terraform resource.
Apply the changes
To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.
Prepare Cloud Shell
- Launch Cloud Shell.
- Set the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Environment variables are overridden if you set explicit values in the Terraform configuration file.
Prepare the directory
Each Terraform configuration file must have its own directory (also called a root module).
- In Cloud Shell, create a directory and a new file within that directory. The filename must have the .tf extension, for example main.tf. In this tutorial, the file is referred to as main.tf.
mkdir DIRECTORY && cd DIRECTORY && touch main.tf
- If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly created main.tf.
Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
- Review and modify the sample parameters to apply to your environment.
- Save your changes.
- Initialize Terraform. You only need to do this once per directory.
terraform init
Optionally, to use the latest Google provider version, include the -upgrade option:
terraform init -upgrade
Apply the changes
- Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
terraform plan
Make corrections to the configuration as necessary.
- Apply the Terraform configuration by running the following command and entering yes at the prompt:
terraform apply
Wait until Terraform displays the "Apply complete!" message.
- Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.
Delete the changes
To delete your changes, do the following:
- To disable deletion protection, in your Terraform configuration file set the deletion_protection argument to false.
deletion_protection = "false"
- Apply the updated Terraform configuration by running the following command and entering yes at the prompt:
terraform apply
- Remove resources previously applied with your Terraform configuration by running the following command and entering yes at the prompt:
terraform destroy
REST v1
To create a user, use a POST request with the users:insert method.
Before using any of the request data, make the following replacements:
- PROJECT_ID: your project ID
- INSTANCE_ID: the instance ID
- USER_ID: the ID of the user
- PASSWORD: the password for the user
- ROLE_1, ROLE_2 ..., ROLE_N: optional. The database role or roles to assign to the user
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users
Request JSON body:
{
"name": "USER_ID",
"password": "PASSWORD",
"databaseRoles": [
"ROLE_1",
"ROLE_2"
]
}
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2025-10-20T22:44:16.656Z",
"startTime": "2025-10-20T22:44:16.686Z",
"endTime": "2025-10-20T22:44:20.437Z",
"operationType": "CREATE_USER",
"name": "OPERATION_ID",
"targetId": "INSTANCE_ID",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
"targetProject": "PROJECT_ID"
}
REST v1beta4
To create a user, use a POST request with the users:insert method.
Before using any of the request data, make the following replacements:
- PROJECT_ID: your project ID
- INSTANCE_ID: the instance ID
- USER_ID: the ID of the user
- PASSWORD: the password for the user
- ROLE_1, ROLE_2 ..., ROLE_N: optional. The database role or roles to assign to the user
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users
Request JSON body:
{
"name": "USER_ID",
"password": "PASSWORD",
"databaseRoles": [
"ROLE_1",
"ROLE_2"
]
}
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2025-10-20T22:44:16.656Z",
"startTime": "2025-10-20T22:44:16.686Z",
"endTime": "2025-10-20T22:44:20.437Z",
"operationType": "CREATE_USER",
"name": "OPERATION_ID",
"targetId": "INSTANCE_ID",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
"targetProject": "PROJECT_ID"
}
psql Client
- At the psql prompt, create the user:
CREATE USER USER_NAME WITH PASSWORD 'PASSWORD' ATTRIBUTE1 ATTRIBUTE2...;
Enter the password when prompted.
For more information about role attributes, see the PostgreSQL documentation.
- You can confirm the user creation by displaying the user table:
SELECT * FROM pg_roles;
Set a user password policy
You can set a password policy with the built-in authentication type.
gcloud
To set the user password policy, use the gcloud sql users set-password-policy command.
Replace the following:
- USER_NAME: The user name.
- INSTANCE_NAME: The name of the instance.
- HOST: The user's host name as a specific IP address, address range, or any host (%).
- PASSWORD_POLICY_ALLOWED_FAILED_ATTEMPTS: Optional: The number of times that a user can try the password incorrectly before the account is locked. Use --password-policy-enable-failed-attempts-check to enable and --no-password-policy-enable-failed-attempts-check to disable the check.
- PASSWORD_POLICY_PASSWORD_EXPIRATION_DURATION: Optional: Specifies the number of days after which the password expires and the user needs to create a new one.
gcloud sql users set-password-policy USER_NAME \
  --instance=INSTANCE_NAME \
  --host=HOST \
  --password-policy-enable-failed-attempts-check \
  --password-policy-allowed-failed-attempts=PASSWORD_POLICY_ALLOWED_FAILED_ATTEMPTS \
  --password-policy-password-expiration-duration=PASSWORD_POLICY_PASSWORD_EXPIRATION_DURATION
To remove a user password policy, use the --clear-password-policy parameter.
gcloud sql users set-password-policy USER_NAME \
  --instance=INSTANCE_NAME \
  --host=HOST \
  --clear-password-policy
To view the user password policy, see List users.
REST v1
To set a user password policy, use a PUT request with the users:update method.
Before using any of the request data, make the following replacements:
- PROJECT_ID: your project ID
- INSTANCE_ID: the instance ID
- USER_ID: the ID of the user
- PASSWORD: the password of the user
- FAILED_ATTEMPTS_CHECK: set to true to enable a check for the number of failed attempts to log in after which the account is locked
- NUMBER_OF_ATTEMPTS: the number of failed attempts to log in after which the account is locked
- PASSWORD_EXPIRATION_DURATION: the number of days after which the password expires and the user needs to create a new one
HTTP method and URL:
PUT https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID
Request JSON body:
{
"name": "USER_ID",
"password": "PASSWORD",
"data":
{
"passwordValidationUserPolicy" : {
"enableFailedAttemptsCheck" : "FAILED_ATTEMPTS_CHECK",
"allowedFailedAttempts" : "NUMBER_OF_ATTEMPTS",
"passwordExpirationDuration" : "PASSWORD_EXPIRATION_DURATION"
}
}
}
You should receive a JSON response similar to the following:
To view the user password policy, see List users.
REST v1beta4
To set a user password policy, use a PUT request with the users:update method.
Before using any of the request data, make the following replacements:
- PROJECT_ID: your project ID
- INSTANCE_ID: the instance ID
- USER_ID: the ID of the user
- PASSWORD: the password of the user
- FAILED_ATTEMPTS_CHECK: set to true to enable a check for the number of failed attempts to log in after which the account is locked
- NUMBER_OF_ATTEMPTS: the number of failed attempts to log in after which the account is locked
- PASSWORD_EXPIRATION_DURATION: the number of days after which the password expires and the user needs to create a new one
HTTP method and URL:
PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID
Request JSON body:
{
"name": "USER_ID",
"password": "PASSWORD",
"data":
{
"passwordValidationUserPolicy" : {
"enableFailedAttemptsCheck" : "FAILED_ATTEMPTS_CHECK",
"allowedFailedAttempts" : "NUMBER_OF_ATTEMPTS",
"passwordExpirationDuration" : "PASSWORD_EXPIRATION_DURATION"
}
}
}
You should receive a JSON response similar to the following:
To view the user password policy, see List users.
List users
Console
- In the Google Cloud console, go to the Cloud SQL Instances page.
- To open the Overview page of an instance, click the instance name.
- Select Users from the SQL navigation menu.
gcloud
Use the gcloud sql users list command to list the users for this instance:
gcloud sql users list \
  --instance=INSTANCE_NAME
The command returns the Name, Host, and authentication Type for each user.
Additionally, for the built-in authentication type, the password policy settings and status are returned. For example:
NAME HOST TYPE PASSWORD_POLICY
user1 BUILT_IN {'allowedFailedAttempts': 2,
'enableFailedAttemptsCheck': True,
'passwordExpirationDuration': '7d',
'status': {
'locked': True,
'passwordExpirationTime': '2022-07-01T19:53:45.822742904Z'
}
}
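The following is an added example, not part of the original page or of Google's tooling: a Python audit that reads a user list (for example, saved from gcloud sql users list with --format=json, or a users:list response) and flags built-in users whose password policy is missing, weak, or currently locked. The thresholds, the sample records, the treatment of a missing type as built-in, and the acceptance of both the passwordPolicy and passwordValidationUserPolicy key names are assumptions.

```python
import json
import re

# Hypothetical local baseline; tune to your own standard (not Cloud SQL defaults).
MAX_ALLOWED_FAILED_ATTEMPTS = 5
MAX_EXPIRATION_DAYS = 90

# Constructed sample shaped like the user records shown on this page. Not real data.
SAMPLE_USERS_JSON = """
[
  {"name": "postgres", "host": "", "instance": "instance-id"},
  {"name": "user1", "type": "BUILT_IN",
   "passwordPolicy": {"allowedFailedAttempts": 2,
                      "enableFailedAttemptsCheck": true,
                      "passwordExpirationDuration": "7d",
                      "status": {"locked": true,
                                 "passwordExpirationTime": "2022-07-01T19:53:45.822742904Z"}}},
  {"name": "user2", "type": "BUILT_IN",
   "passwordValidationUserPolicy": {"enableFailedAttemptsCheck": false,
                                    "allowedFailedAttempts": 8,
                                    "passwordExpirationDuration": "400d"}},
  {"name": "app@example.com", "type": "CLOUD_IAM_USER"}
]
"""


def duration_days(value):
    """Convert '7d' (as shown on this page) or '604800s' (assumed variant) to days."""
    match = re.fullmatch(r"(\d+)([ds])", str(value or ""))
    if not match:
        return None
    amount, unit = int(match.group(1)), match.group(2)
    return amount if unit == "d" else amount / 86400


def policy_of(user):
    """Return the per-user policy under either key name that appears on this page."""
    return user.get("passwordPolicy") or user.get("passwordValidationUserPolicy") or {}


def audit_user(user):
    """Return a list of findings for one user record (empty list means OK)."""
    # Assumption: a record without "type" is a built-in user.
    if (user.get("type") or "BUILT_IN") != "BUILT_IN":
        return []  # IAM users have no database password to govern
    policy = policy_of(user)
    if not policy:
        return ["no user password policy set"]
    findings = []
    attempts = policy.get("allowedFailedAttempts")
    if not policy.get("enableFailedAttemptsCheck"):
        findings.append("failed-attempts check disabled")
    elif attempts is None or int(attempts) > MAX_ALLOWED_FAILED_ATTEMPTS:
        findings.append(f"lockout threshold {attempts} above baseline {MAX_ALLOWED_FAILED_ATTEMPTS}")
    days = duration_days(policy.get("passwordExpirationDuration"))
    if days is None:
        findings.append("no password expiration")
    elif days > MAX_EXPIRATION_DAYS:
        findings.append(f"password expires after {days:g} days; baseline is {MAX_EXPIRATION_DAYS}")
    if policy.get("status", {}).get("locked"):
        findings.append("account locked; change the password to unlock")
    return findings


def audit_users(users_json):
    """Audit a JSON user list; accepts a bare list or a users:list body with "items"."""
    data = json.loads(users_json)
    users = data.get("items", []) if isinstance(data, dict) else data
    report = {}
    for user in users:
        findings = audit_user(user)
        if findings:
            report[user.get("name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_users(SAMPLE_USERS_JSON).items():
        for finding in findings:
            print(f"{name}: {finding}")
```
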
REST v1
To list the users defined for an instance, use a GET request with the users:list method.
Before using any of the request data, make the following replacements:
- project-id: Your project ID
- instance-id: The desired instance ID
HTTP method and URL:
GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users
You should receive a JSON response similar to the following:
{
"kind": "sql#usersList",
"items": [
{
"kind": "sql#user",
"etag": "--redacted--",
"name": "sqlserver",
"host": "",
"instance": "instance-id",
"project": "project-id",
"sqlserverUserDetails": {
"serverRoles": [
"CustomerDbRootRole"
]
}
},
{
"kind": "sql#user",
"etag": "--redacted--",
"name": "user-id-1",
"host": "",
"instance": "instance-id",
"project": "project-id",
"sqlserverUserDetails": {
"serverRoles": [
"CustomerDbRootRole"
]
}
},
{
"kind": "sql#user",
"etag": "--redacted--",
"name": "user-id-2",
"host": "",
"instance": "instance-id",
"project": "project-id",
"sqlserverUserDetails": {
"serverRoles": [
"CustomerDbRootRole"
]
}
},
{
...
},
{
...
}
]
}
If a user password policy was set, the items section of the response includes a passwordPolicy section. The following code sample shows the passwordPolicy section.
{
...
"passwordValidationUserPolicy" : {
"enableFailedAttemptsCheck" : true,
"allowedFailedAttempts" : 8,
"passwordExpirationDuration" : "7d"
},
...
}
REST v1beta4
To list the users defined for an instance, use a GET request with the users:list method.
Before using any of the request data, make the following replacements:
- project-id: Your project ID
- instance-id: The desired instance ID
HTTP method and URL:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users
You should receive a JSON response similar to the following:
{
"kind": "sql#usersList",
"items": [
{
"kind": "sql#user",
"etag": "--redacted--",
"name": "sqlserver",
"host": "",
"instance": "instance-id",
"project": "project-id",
"sqlserverUserDetails": {
"serverRoles": [
"CustomerDbRootRole"
]
}
},
{
"kind": "sql#user",
"etag": "--redacted--",
"name": "user-id-1",
"host": "",
"instance": "instance-id",
"project": "project-id",
"sqlserverUserDetails": {
"serverRoles": [
"CustomerDbRootRole"
]
}
},
{
"kind": "sql#user",
"etag": "--redacted--",
"name": "user-id-2",
"host": "",
"instance": "instance-id",
"project": "project-id",
"sqlserverUserDetails": {
"serverRoles": [
"CustomerDbRootRole"
]
}
},
{
...
},
{
...
}
]
}
If a user password policy was set, the items section of the response includes a passwordPolicy section. The following code sample shows the passwordPolicy section.
{
...
"passwordValidationUserPolicy" : {
"enableFailedAttemptsCheck" : true,
"allowedFailedAttempts" : 8,
"passwordExpirationDuration" : "7d"
},
...
}
psql Client
At the psql prompt, list the PostgreSQL users:
SELECT * FROM pg_roles;
Add database roles to an existing user
After you create a built-in user, you can assign additional roles to the user. These roles are added to their existing roles and don't replace the existing set of roles assigned to the user account.
Before you can assign a role to a user in Cloud SQL for PostgreSQL, the role must already exist. If you're using a custom role, then you must create the role in the PostgreSQL database first. To create a role in PostgreSQL, see Database roles.
You can't assign any of the predefined system roles listed in Cloud SQL system roles and users to existing PostgreSQL users, except for cloudsqlsuperuser.
gcloud
To assign roles to a user, use the gcloud sql users assign-roles command.
gcloud sql users assign-roles USER_NAME \
  --instance=INSTANCE_NAME \
  --type=BUILT-IN \
  --database-roles=ROLE_1,ROLE_2,...,ROLE_N
Replace the following:
- USER_NAME: the username.
- INSTANCE_NAME: the name of the instance.
- ROLE_1, ROLE_2, ..., ROLE_N: the database role or roles to assign to the user.
REST v1
To update a user, use a PUT request with the users:update method.
When you assign database roles, you can update user password policy parameters.
Before using any of the request data, make the following replacements:
- PROJECT_ID: your project ID
- INSTANCE_ID: the desired instance ID
- USER_ID: the ID of the user
- ROLE_1, ROLE_2 ..., ROLE_N: the database role or roles to assign to the user
HTTP method and URL:
PUT https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users
Request JSON body:
{
"name": "USER_ID",
"type": "BUILT-IN",
"databaseRoles": [
"ROLE_1",
"ROLE_2"
]
}
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2025-10-20T22:44:16.656Z",
"startTime": "2025-10-20T22:44:16.686Z",
"endTime": "2025-10-20T22:44:20.437Z",
"operationType": "UPDATE_USER",
"name": "OPERATION_ID",
"targetId": "INSTANCE_ID",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
"targetProject": "PROJECT_ID"
}
REST v1beta4
To update a user, use a PUT request with the users:update method.
When you assign database roles, you can update user password policy parameters.
Before using any of the request data, make the following replacements:
- PROJECT_ID: your project ID
- INSTANCE_ID: the desired instance ID
- USER_ID: the ID of the user
- ROLE_1, ROLE_2, ..., ROLE_N: the database role or roles to assign to the user
HTTP method and URL:
PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users
Request JSON body:
{
"name": "USER_ID",
"type": "BUILT-IN",
"databaseRoles": [
"ROLE_1",
"ROLE_2"
]
}
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2025-10-20T22:44:16.656Z",
"startTime": "2025-10-20T22:44:16.686Z",
"endTime": "2025-10-20T22:44:20.437Z",
"operationType": "UPDATE_USER",
"name": "OPERATION_ID",
"targetId": "INSTANCE_ID",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
"targetProject": "PROJECT_ID"
}
Replace database roles for an existing user
If you want to replace or remove database roles from the user, you must revoke all of their existing roles while specifying new database roles, if any.
By default, when you create a built-in PostgreSQL user, the user is granted the cloudsqlsuperuser role automatically. If you don't want a user to keep the cloudsqlsuperuser role, then revoke the existing roles of the user.
gcloud
To replace the database roles for a user, you revoke the existing roles for the user and assign new roles. To do this, use the following gcloud sql users assign-roles command.
gcloud sql users assign-roles USER_NAME \
  --instance=INSTANCE_NAME \
  --database-roles=ROLE_1,ROLE_2 \
  --revoke-existing-roles
Replace the following:
- USER_NAME: the username.
- HOST: the user's host name as a specific IP address, address range, or any host (%).
- INSTANCE_NAME: the name of the instance.
- ROLE_1, ROLE_2: the new database role or roles to assign to the user.
You can also revoke the existing roles for a user and assign zero roles. For example:
gcloud sql users assign-roles USER_NAME \
  --instance=INSTANCE_NAME \
  --database-roles= \
  --revoke-existing-roles
REST v1
To update a user, use a PUT request with the users:update method.
When you replace a user's database roles, you can update user password policy parameters in the same API request.
Before using any of the request data, make the following replacements:
- PROJECT_ID: your project ID
- INSTANCE_ID: the desired instance ID
- USER_ID: the ID of the user
- ROLE_1, ROLE_2 ..., ROLE_N: the new database role or roles to assign to the user. You can also specify an empty list.
HTTP method and URL:
PUT https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users
Request JSON body:
{
"name": "USER_ID",
"type": "BUILT-IN",
"databaseRoles": [
"ROLE_1",
"ROLE_2"
],
"revokeExistingRoles": true
}
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2025-10-20T22:44:16.656Z",
"startTime": "2025-10-20T22:44:16.686Z",
"endTime": "2025-10-20T22:44:20.437Z",
"operationType": "UPDATE_USER",
"name": "OPERATION_ID",
"targetId": "INSTANCE_ID",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
"targetProject": "PROJECT_ID"
}
REST v1beta4
To update a user, use a PUT request with the users:update method.
When you replace a user's database roles, you can update user password policy parameters in the same API request.
Before using any of the request data, make the following replacements:
- PROJECT_ID: your project ID
- INSTANCE_ID: the desired instance ID
- USER_ID: the ID of the user
- ROLE_1, ROLE_2, ..., ROLE_N: the new database role or roles to assign to the user. You can also specify an empty list.
HTTP method and URL:
PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users
Request JSON body:
{
"name": "USER_ID",
"type": "BUILT-IN",
"databaseRoles": [
"ROLE_1",
"ROLE_2"
],
"revokeExistingRoles": true
}
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2025-10-20T22:44:16.656Z",
"startTime": "2025-10-20T22:44:16.686Z",
"endTime": "2025-10-20T22:44:20.437Z",
"operationType": "UPDATE_USER",
"name": "OPERATION_ID",
"targetId": "INSTANCE_ID",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
"targetProject": "PROJECT_ID"
}
Change a user password
User passwords can be changed in one of the following ways.
Console
- In the Google Cloud console, go to the Cloud SQL Instances page.
- To open the Overview page of an instance, click the instance name.
- Select Users from the SQL navigation menu.
- Click more actions for the user you want to update.
- Select Change password.
- Specify a new password.
- Click OK.
gcloud
Use the gcloud sql users set-password command to change a password.
Replace the following:
- USER_NAME: The user name.
- INSTANCE_NAME: The name of the instance.
gcloud sql users set-password USER_NAME \
  --instance=INSTANCE_NAME \
  --prompt-for-password
REST v1
To change a user password, use a PUT request with the users:update method.
The following request updates the password for the user account user_name.
Before using any of the request data, make the following replacements:
- project-id: Your project ID
- instance-id: The desired instance ID
- user-id: The ID of the user
- password: The new password for the user
HTTP method and URL:
PUT https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/users?name=user-id
Request JSON body:
{
"name": "user-id",
"password": "password"
}
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2020-02-07T22:38:41.217Z",
"startTime": "2020-02-07T22:38:41.217Z",
"endTime": "2020-02-07T22:38:44.801Z",
"operationType": "UPDATE_USER",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
REST v1beta4
To change a user password, use a PUT request with the users:update method.
The following request updates the password for the user account user_name.
Before using any of the request data, make the following replacements:
- project-id: Your project ID
- instance-id: The desired instance ID
- user-id: The ID of the user
- password: The new password for the user
HTTP method and URL:
PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/users?name=user-id
Request JSON body:
{
"name": "user-id",
"password": "password"
}
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2020-02-07T22:38:41.217Z",
"startTime": "2020-02-07T22:38:41.217Z",
"endTime": "2020-02-07T22:38:44.801Z",
"operationType": "UPDATE_USER",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
psql Client
At the psql prompt, run the ALTER USER command.
- Unlock the user.
ALTER USER USER_NAME WITH LOGIN;
- Change the password and enter the password when prompted.
ALTER USER USER_NAME WITH PASSWORD 'PASSWORD';
If a user is locked out due to password policy settings, change the password to unlock them. Ensure that passwords, when changed, adhere to the password policy.
Remove a user password policy
You can remove a password policy from a user that has the built-in authentication type.
gcloud
To remove the user password policy, use the gcloud sql users set-password-policy command and the --clear-password-policy parameter.
Replace the following:
- USER_NAME: the user name
- INSTANCE_NAME: the name of the instance
- HOST: the user's host name as a specific IP address, address range, or any host (%)
gcloud sql users set-password-policy USER_NAME \
--instance=INSTANCE_NAME \
--host=HOST \
--clear-password-policy
REST v1
To remove a user password policy, use a PUT request with the users:update method.
Before using any of the request data, make the following replacements:
- PROJECT_ID: your project ID
- INSTANCE_ID: the instance ID
- USER_ID: the ID of the user
- PASSWORD: the password of the user
HTTP method and URL:
PUT https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID
Request JSON body:
{
"name": "USER_ID",
"password": "PASSWORD",
"data":
{
"passwordValidationUserPolicy" : {}
}
}
You should receive a JSON response similar to the following:
REST v1beta4
To remove a user password policy, use a PUT request with the users:update method.
Before using any of the request data, make the following replacements:
- PROJECT_ID: your project ID
- INSTANCE_ID: the instance ID
- USER_ID: the ID of the user
- PASSWORD: the password of the user
HTTP method and URL:
PUT https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?name=USER_ID
Request JSON body:
{
"name": "USER_ID",
"password": "PASSWORD",
"data":
{
"passwordValidationUserPolicy" : {}
}
}
You should receive a JSON response similar to the following:
Remove a user
The default user can remove users.
Before removing a user, you must drop all the objects it owns or reassign their ownership, and revoke any privileges the role has been granted on other objects.
Console
- In the Google Cloud console, go to the Cloud SQL Instances page.
- To open the Overview page of an instance, click the instance name.
- Select Users from the SQL navigation menu.
- Click more actions for the user you want to remove.
- Select Remove and then select Remove again.
gcloud
Use the gcloud sql users delete command to remove a user.
Replace the following:
- USER_NAME: The user name.
- INSTANCE_NAME: The name of the instance.
gcloud sql users delete USER_NAME \
--instance=INSTANCE_NAME
REST v1
The request below uses the users:delete method to delete the specified user account.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your project ID
- INSTANCE_ID: The desired instance ID
- USERNAME: The email address for the user or service account
HTTP method and URL:
DELETE https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2020-02-07T22:38:41.217Z",
"startTime": "2020-02-07T22:38:41.217Z",
"endTime": "2020-02-07T22:38:44.801Z",
"operationType": "DELETE_USER",
"name": "OPERATION_ID",
"targetId": "INSTANCE_ID",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
"targetProject": "PROJECT_ID"
}
REST v1beta4
The request below uses the users:delete method to delete the specified user account.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your project ID
- INSTANCE_ID: The desired instance ID
- USERNAME: The email address for the user or service account
HTTP method and URL:
DELETE https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/users?host=&name=USERNAME
You should receive a JSON response similar to the following:
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
"status": "DONE",
"user": "user@example.com",
"insertTime": "2020-02-07T22:38:41.217Z",
"startTime": "2020-02-07T22:38:41.217Z",
"endTime": "2020-02-07T22:38:44.801Z",
"operationType": "DELETE_USER",
"name": "OPERATION_ID",
"targetId": "INSTANCE_ID",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
"targetProject": "PROJECT_ID"
}
psql Client
- At the psql prompt, delete the user:
DROP ROLE USER_NAME;
For more information about the DROP ROLE statement, see the PostgreSQL documentation.
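The cleanup that must come before DROP ROLE (drop or reassign owned objects, revoke remaining privileges), written out as an added psql example that is not part of the original page. The role names app_old and app_owner are hypothetical, and the session is assumed to be the default postgres user, which is not a PostgreSQL superuser on Cloud SQL.

```sql
-- Added example. app_old (role being removed) and app_owner (its successor)
-- are hypothetical names. Run steps 3 and 4 in EVERY database step 2 lists.

-- 1. Lock the account first so no new sessions open during cleanup.
ALTER ROLE app_old NOLOGIN;

-- 2. Find the databases that still hold objects or grants tied to the role.
--    A NULL datname means a shared object (a database or a tablespace).
SELECT d.datname, s.deptype, count(*) AS dependencies
FROM pg_shdepend AS s
LEFT JOIN pg_database AS d ON d.oid = s.dbid
WHERE s.refclassid = 'pg_authid'::regclass
  AND s.refobjid = 'app_old'::regrole
GROUP BY d.datname, s.deptype
ORDER BY d.datname;

-- 3. In the current database, list the relations the role owns.
SELECT n.nspname AS schema_name, c.relname AS object_name, c.relkind
FROM pg_class AS c
JOIN pg_namespace AS n ON n.oid = c.relnamespace
WHERE c.relowner = 'app_old'::regrole
ORDER BY schema_name, object_name;

-- 4. Transfer ownership, then revoke what is left (grants, default
--    privileges). REASSIGN OWNED needs membership in both roles; the GRANT
--    is only needed when the session user is not already a member.
GRANT app_old, app_owner TO CURRENT_USER;
BEGIN;
REASSIGN OWNED BY app_old TO app_owner;
DROP OWNED BY app_old;
COMMIT;

-- 5. Re-run step 2. Once it returns no rows, the role can be removed.
DROP ROLE app_old;
```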
Update user properties
To update user properties such as attributes, you must use the psql client.
For more information, see Database Roles in the PostgreSQL documentation.
What's next
- Learn more about how Cloud SQL works with users.
- Read the PostgreSQL documentation about role creation.
- Learn about connecting to instances.