Provided by: cloudsql-proxy_1.13-1_amd64 
NAME
cloud_sql_proxy - connect securely to a 2nd generation cloud sql database
SYNOPSIS
cloud_sql_proxy
DESCRIPTION
The Cloud SQL Proxy allows simple, secure connectivity to Google Cloud SQL. It is a long-running process
that opens local sockets (either TCP or Unix sockets) according to the parameters passed to it. A local
application connects to a Cloud SQL instance by using the corresponding socket.
Authorization
By default, the proxy will authenticate under the default service account of the Compute Engine VM it is
running on. Therefore, the VM must have at least the sqlservice.admin API scope
⟨https://www.googleapis.com/auth/sqlservice.admin⟩ and the associated project must have the SQL Admin API
enabled. The default service account must also have at least WRITER/EDITOR privileges to any projects of
target SQL instances.
• On Google Compute Engine, the default service account is used. The Cloud SQL API must be enabled for
the VM.
• When the gcloud command-line tool is installed on the local machine, the active account is used for
authentication. Run 'gcloud auth list' to see which accounts are installed on your local machine and
'gcloud config list account' to view the active account.
• To configure the proxy using a service account, pass the -credential_file parameter or set the
GOOGLE_APPLICATION_CREDENTIALS environment variable. This will override gcloud or GCE (Google
Compute Engine) credentials, if they exist.
OPTIONS
General
-quiet Disable log messages (e.g. when new connections are established). WARNING: this option disables
ALL logging output (including connection errors), which will likely make debugging difficult. The
-quiet flag takes precedence over the -verbose flag.
-verbose
When explicitly set to false, disable log messages that are not errors nor first-time startup
messages (e.g. when new connections are established
or closed without errors).
-version
Print the version of the proxy and exit
Connection
-credential_file
If provided, this json file will be used to retrieve Service Account credentials. You may set the
GOOGLE_APPLICATION_CREDENTIALS environment variable for the same effect.
-token When set, the proxy uses this Bearer token for authorization
-max_connections
If provided, the maximum number of connections to establish before refusing new connections.
Defaults to 0 (no limit)
-instances
To connect to a specific list of instances, set the instances parameter to a comma-separated list
of ully qualified instance connection strings (project:region:name). For example:
-instances=my-project:my-region:my-instance
For connectivity over TCP, you must specify a tcp port as part of the instance string. For
example, the following example opens a loopback TCP socket on port 3306, which will be proxied to
connect to the instance 'my-instance' in project 'my-project':
-instances=my-project:my-region:my-instance=tcp:3306
When connecting over TCP, the -instances parameter is required.
Supplying INSTANCES environment variable achieves the same effect. One can use that to keep k8s
manifest files constant across multiple environments. If the name has the suffix '=tcp:port', a
TCP server is opened on the specified port to proxy to that instance. Otherwise, one socket file
per instance is opened in dir. You may use INSTANCES environment variable for the same effect.
Using both will use value from flag. Not compatible with -fuse
-instances_metadata
When running on GCE (Google Compute Engine) you can avoid the need to specify the list of
instances on the command line by using the Metadata server. This parameter specifies a path to a
metadata value which is then polled for a comma-separated list of fully qualified instances
(project:region:name) to connect to in the exactly the same way as the -instances parameter.
Updates to the metadata value will be observed and acted on by the Proxy. For example, to use the
instance metadata value named cloud-sql-instances you would provide instance/attributes/cloud-sql-
instances.
-check_region
If specified, the region portion of the connection string is required for Unix socket-based
connections.
-projects
To direct the proxy to open connections for each Cloud SQL Instance in the comma-separated list of
projects specified, set the projects parameter:
-projects=my-project
-refresh_config_throttle
If set, this flag specifies the amount of forced sleep between successive API calls in order to
protect client API quota. Minimum allowed value is 1s
-dir When using Unix sockets (the default for systems which support them), the Proxy places the sockets
representing database instances in the directory specified by the -dir parameter.
-fuse If your local environment has FUSE installed, you can specify the -fuse flag to avoid the
requirement to specify instances in advance. Mount a directory at dir using FUSE for accessing
instances. Note that the directory at dir must be empty before this program is started. With
FUSE, any attempts to open a Unix socket in the directory specified by -dir automatically creates
that socket and connects to the corresponding instance.
-fuse_tmp
Used as a temporary directory if -fuse is set. Note that files in this directory can be removed
automatically by this program.
Automatic instance discovery
If the Google Cloud SQL is installed on the local machine and no instance connection flags are specified,
the proxy connects to all instances in the gcloud tool's active project. Run 'gcloud config list project'
to display the active project.
FILES
Credentials
By default user account credentials are acquired by gcloud auth login and stored locally on the
system. gcloud auth activate-service-account authorizes access using a service account. As with
gcloud init and gcloud auth login, this command saves the service account credentials to the local
system on successful completion and sets the specified account as the active account in your Cloud
SDK configuration. To configure the proxy using a service account, pass the -credential_file
parameter or set the GOOGLE_APPLICATION_CREDENTIALS environment variable. This will override
gcloud or GCE (Google Compute Engine) credentials, if they exist.
sockets directory
When using Unix sockets (the default for systems which support them), the Proxy places the sockets
rep‐ resenting database instances in the directory specified by the -dir parameter. With FUSE one
can also interact with the proxy using thius directory to specify instances of cloud SQL databases
to connect to on the fly.
/dev/fuse
Optional functionality can be enabled ( --fuse ) with access to /dev/fuse as well as the
fusermount binary.
SEE ALSO
fusermount(1), mount(8), mount.fuse(8), ulockmgr_server(1), mysql(1), postgres(1).
BUGS
The upstream issue reporting system is at github ⟨https://github.com/GoogleCloudPlatform/cloudsql-
proxy/issues⟩
AUTHOR
Manoj Srivastava <srivasta@google.com>