This page describes how Cloud SQL works with MySQL users. MySQL user accounts provide security by controlling access to MySQL databases.
For complete documentation about users in MySQL, see Access Control and Account Management in the MySQL documentation. For information about creating and managing Cloud SQL users in Cloud SQL, see Create and manage users.
Why you need MySQL user accounts
MySQL user accounts enable you to log in to and administer your Cloud SQL instance. User accounts are also required for applications to access your instance.
Superuser restrictions
In Cloud SQL, customers cannot create or access users with superuser attributes.
Because Cloud SQL for MySQL is a managed service, it restricts access to certain system procedures and tables.
Data Manipulation Language (DML) and Data Definition Language (DDL) privileges are restricted on some schema tables.
Here's the list of MySQL 5.6 system tables in the
mysql schema that require write permissions:
audit_log_rules_expanded
, audit_log_supported_ops
, audit_log_rules
,
cloudsql_replica_index
, db
, event
, func
, heartbeat
, plugin
, proc
,
user
, and tables_priv
.
For MySQL 5.7, here's the list:
audit_log_rules_expanded
, audit_log_supported_ops
, audit_log_rules
,
cloudsql_replica_index
, db
, event
, func
, gtid_executed
,
heartbeat
, plugin
, proc
, user
, and tables_priv
.
For related information about MySQL 8.0 and MySQL 8.4, see MySQL 8.0 user privileges (cloudsqlsuperuser) and MySQL 8.4 user privileges (cloudsqlsuperuser).
MySQL user account format
MySQL user accounts have two components: a username and a hostname. The username identifies the user, and the hostname specifies what hosts that user can connect from. The username and hostname are combined to create a user account:
'<user_name>'@'<host_name>'
You can specify a specific IP address or address range for hostname, or use the percent character ("%") to leave the hostname unrestricted. Note that if you connect to your instance using IP addresses, you must add your client IP address as an Authorized Address, even if your user's hostname is unrestricted.
User accounts are defined by both the username and the hostname. For
example, 'user'@'%'
is a different user account than
'user'@'localhost'
.
Default MySQL user
Upon creation, MySQL instances have one default user account:
'root'@'%'
. You use this account to connect to and manage the
database instance for the first time. The default user has all database
privileges except for
SUPER
and
FILE. In Cloud SQL, you
can't rename 'root'@'%'
.
The default for root'@'%
is no password, and MySQL does not require you to use
a password for root'@'%
. However, because root'@'%
exists on most MySQL
installations, the root'@'%
user is a common target for unauthorized access.
Any person or program that gains access to your instance has almost
unlimited access to, and control over, your instance and data. For this reason,
we recommend you configure your root'@'%
user with a strong password or delete
this user. For help with configuring the default user account, see
Configure the default user account.
System users
There are seven system users:
root@localhost
,[email protected]
,root@::1
Used to provide the managed database service.
cloudsqlreplica@%
Used as a replication user for replicas.
cloudsqlimport@localhost
,[email protected]
Used for data imports.
cloudsqlexport@localhost
,[email protected]
Used for data exports.
cloudsqloneshot
Used for other database operations.
cloudsqlapplier@localhost
Used for replication operations in external server replica or cross major version replication.
cloudsqlobservabilityadmin
Used for database observability.
cloudiamgroup@'%'
Used for the IAM group authentication.
You cannot delete or modify these users.
Other MySQL user accounts
You can also create other MySQL user accounts. This is a good practice because it lets you use different MySQL user accounts for different purposes.
You can create a user account with a restricted hostname, or use SQL commands to limit privileges on your user accounts.
For more information about user account names, see Specifying Account Names in the MySQL documentation. To create a new MySQL user in Cloud SQL, see Create a user.
MySQL 5.6 and 5.7 user privileges
MySQL provides fine-grained privileges you can grant or remove for a user. This lets you control what a user can do on your instance.
Users created using Cloud SQL have the same privileges as the
default MySQL user. You can change their privileges by using the
GRANT
or
REVOKE
statements.
When you use the mysql
client to create a user, you must explicitly grant that
user privileges with the GRANT
statement.
For more information about the privileges supported by MySQL, see Privileges Provided by MySQL.
MySQL 8.0 user privileges (cloudsqlsuperuser
)
In Cloud SQL for MySQL 8.0, when you create a new user, the user is
automatically granted the cloudsqlsuperuser
role. The cloudsqlsuperuser
role
is a Cloud SQL role that contains a number of MySQL privileges. This role
gives the user all of the MySQL static privileges, except for SUPER
and FILE
.
The cloudsqlsuperuser
role only supports the following dynamic privileges based on MySQL 8.0 minor versions:
MySQL 8.0.18
MySQL 8.0.26
MySQL 8.0.27
MySQL 8.0.28
APPLICATION_PASSWORD_ADMIN
CONNECTION_ADMIN
ROLE_ADMIN
SET_USER_ID
XA_RECOVER_ADMIN
CLOUDSQL_SPECIAL_VARIABLES_ADMIN
FLUSH_OPTIMIZER_COSTS
FLUSH_STATUS
FLUSH_TABLES
FLUSH_USER_RESOURCES
INNODB_REDO_LOG_ENABLE
SHOW_ROUTINE
AUTHENTICATION_POLICY_ADMIN
GROUP_REPLICATION_STREAM
PASSWORDLESS_USER_ADMIN
AUDIT_ABORT_EXEMPT
MySQL 8.0.29 (deprecated)
APPLICATION_PASSWORD_ADMIN
CONNECTION_ADMIN
ROLE_ADMIN
SET_USER_ID
XA_RECOVER_ADMIN
CLOUDSQL_SPECIAL_VARIABLES_ADMIN
FLUSH_OPTIMIZER_COSTS
FLUSH_STATUS
FLUSH_TABLES
FLUSH_USER_RESOURCES
INNODB_REDO_LOG_ENABLE
SHOW_ROUTINE
AUTHENTICATION_POLICY_ADMIN
GROUP_REPLICATION_STREAM
PASSWORDLESS_USER_ADMIN
AUDIT_ABORT_EXEMPT
SENSITIVE_VARIABLES_OBSERVER
MySQL 8.0.30 and later
APPLICATION_PASSWORD_ADMIN
CONNECTION_ADMIN
ROLE_ADMIN
SET_USER_ID
XA_RECOVER_ADMIN
CLOUDSQL_SPECIAL_VARIABLES_ADMIN
FLUSH_OPTIMIZER_COSTS
FLUSH_STATUS
FLUSH_TABLES
FLUSH_USER_RESOURCES
INNODB_REDO_LOG_ENABLE
SHOW_ROUTINE
AUTHENTICATION_POLICY_ADMIN
GROUP_REPLICATION_STREAM
PASSWORDLESS_USER_ADMIN
AUDIT_ABORT_EXEMPT
SENSITIVE_VARIABLES_OBSERVER
FIREWALL_EXEMPT
The cloudsqlsuperuser
role doesn't support any Data Definition Language (DDL)
operations on the mysql
system database.
To see a complete list of privileges granted to the cloudsqlsuperuser
role,
execute the SHOW GRANTS
statement in the mysql
client:
SHOW GRANTS FOR 'cloudsqlsuperuser'
MySQL 8.4 user privileges (cloudsqlsuperuser
)
Similar to Cloud SQL for MySQL 8.0, in Cloud SQL for MySQL 8.4,
when you create a new user, the user is
automatically granted the cloudsqlsuperuser
role.
In MySQL 8.4, thecloudsqlsuperuser
role has the same privileges as MySQL 8.0.x.
However, MySQL 8.4 has the following main differences with MySQL 8.0.x:
- Removes the
SET_USER_ID
privilege and replaces it with the newly introducedALLOW_NONEXISTENT_DEFINER
andSET_ANY_DEFINER
privileges. - Grants
FLUSH_PRIVILEGES
as a subset of theRELOAD
privilege. This grant isn't a replacement for theRELOAD
privilege, and theRELOAD
privilege is still granted for backwards compatibility. - Grants the new
OPTIMIZE_LOCAL_TABLE
privilege.
In addition, Cloud SQL for MySQL 8.4 doesn't grant the
TRANSACTION_GTID_TAG
or TELEMETRY_LOG_ADMIN
privileges
introduced in MySQL 8.4.
What's next
- Configure the
root
user account for your instance. - Create and manage users.
- Create and manage databases.
- See the MySQL documentation about MySQL users.
- See the MySQL documentation about privileges provided by MySQL.
- Learn about options for connecting to your instance.