You can use the PostgreSQL command-line client to connect to Cloud SQL. This page describes how to connect a
psql
client to your Cloud SQL instance, whether running
locally on your client machine, on a Compute Engine VM,
or in the Cloud Shell.
Before you begin
Before you can use a psql
client to connect to your Cloud SQL
instance, do the following:
-
Create a Cloud SQL instance, including configuring the default user.
See Create instances and Set the password for the default user account.
Optionally, create a Compute Engine VM instance and then connected to the instance using SSH.
See Create and start a VM instance, About SSH connections, or Connect to Windows VMs using RDP.
Determine how you'll connect to your instance.
For the connection options and how to choose from among them, see About connection options.
Use a PostgreSQL client on a local machine or a Compute Engine VM
Using a psql
client to connect to your Cloud SQL
instance involves three high-level tasks:
- Install the client.
- Configure access to your Cloud SQL instance.
- Connect to your Cloud SQL instance.
Install the client
To install the psql
client, do the following:
Debian/Ubuntu
Install the psql client from the package manager:
sudo apt-get update sudo apt-get install postgresql-client
CentOS/RHEL
Install the psql client from the package manager:
sudo yum install postgresql
openSUSE
Install the psql client from the package manager:
sudo zypper install postgresql
Other platforms
- Download the PostgreSQL Core Distribution for your platform from the
PostgreSQL Downloads page.
The Core Distribution includes the psql client. - Install the PostgreSQL database, following the directions on the download page.
Configure access to your Cloud SQL instance
To configure access to your instance, do the following:
- From the client machine or Compute Engine VM instance, use What's my IP to see the IP address of the client machine.
- Copy that IP address.
-
In the Cloud de Confiance console, go to the Cloud SQL Instances page.
- To open the Overview page of an instance, click the instance name.
- Select Connections from the SQL navigation menu.
- Select the Networking tab.
- In the Authorized networks section, click Add network and enter the IP address of the machine where the client is installed.
- Click Done. Then click Save at the bottom of the page to save your changes.
- Connect to your instance, either using SSL/TLS or without encryption (without using SSL/TLS).
Connect to your Cloud SQL instance without encryption
To let you connect without encryption, the instance must have
SSL mode
set to ALLOW_UNENCRYPTED_AND_ENCRYPTED
. In the Cloud de Confiance console,
the equivalent configuration is Allow unencrypted network traffic.
For more information about the SSL/TLS configuration of your instance, see Configure SSL/TLS certificates.
To connect to your instance, do the following:
- Confirm that you have installed the client and configured access to your instance.
- Start the
psql
client:psql "sslmode=disable dbname=postgres user=postgres hostaddr=INSTANCE_IP_ADDRESS"
- Enter your password.
- The psql prompt appears.
Connect to your Cloud SQL instance using SSL/TLS
To connect to your instance using SSL/TLS and built-in authentication:
- Start the
psql
client:psql "sslmode=require \ hostaddr=INSTANCE_IP_ADDRESS \ user=postgres dbname=DB_NAME"
For example:
psql "sslmode=require \ hostaddr=203.12.34.56 \ user=postgres dbname=postgres"
You might also want to create a Connection Service File to manage your connection parameters, especially if you are connecting to more than one instance. For more information, see the PostgreSQL documentation.
- Enter the password. The password is mandatory for Cloud SQL even though PostgreSQL supports passwordless connectivity while using SSL/TLS.
- You can confirm that the connection is encrypted by looking for the cipher
in the connection information:
SSL connection (cipher: ECDHE-RSA-AES128-GCM-SHA256, bits: 128)
Connect to your Cloud SQL instance using SSL/TLS and client certificate verification
If ssl_mode
on your Cloud SQL instance is configured to
TRUSTED_CLIENT_CERTIFICATE_REQUIRED
,
then you must also provide a verified client identity when you log in.
To connect using SSL/TLS certificates with client verification, you need the following:
- A client public key certificate in a client-cert.pem file.
- A client private key in a client-key.pem file.
In addition, to let the client verify the server's identity for mutual authentication, specify the server certificate server-ca.pem.
For example, to start thepsql
client:
psql "sslmode=verify-ca sslrootcert=server-ca.pem \ sslcert=client-cert.pem sslkey=client-key.pem \ hostaddr=INSTANCE_IP_ADDRESS \ user=postgres dbname=DB_NAME"
If you do not have a client certificate and a corresponding private key, then create a new client certificate.
Using the client in the Cloud Shell
To connect to a Cloud SQL instance (public IP only):
- Go to the Cloud de Confiance console.
- Click the Cloud Shell icon
towards the right in the toolbar. The Cloud Shell takes a few moments to initialize.
- At the Cloud Shell prompt, use the built-in
client to connect to your Cloud SQL instance:
gcloud sql connect INSTANCE_ID \ --user=postgres
- Enter your password.
The gcloud sql connect
command does not support connecting
to a Cloud SQL instance using private IP, or using SSL/TLS. To connect
with encryption, install and use the proxy in the Cloud Shell:
- Install the proxy (Linux 64-bit) in the
/home/USER
directory. - Start the proxy, using gcloud CLI authentication:
./cloud-sql-proxy INSTANCE_CONNECTION_NAME &
- Connect to the database by using the TCP connection:
psql -U USERNAME --host=127.0.0.1
What's next
- Learn about configuring an instance with a private IP address.
- Learn about options for connecting to your instance from your application.
- Learn about how the
psql
client works with SSL.