Skip to main content

Cloud SQL Auth Proxy – Usage & Configuration Guide

This guide explains how to use and maintain the Cloud SQL Auth Proxy service running on our VM. It allows secure, encrypted connections to our Google Cloud SQL instance.

1. Overview

  • Service name: cloud-sql-proxy
  • Purpose: Secure TCP proxy to connect to Cloud SQL using SSL with no certificates needed
  • Default port: 33785 (Each next DB uses default port + 1)
  • Default IP: 172.20.0.30
  • Auth method: Google Cloud service account JSON

2. How to Connect

Connect as you normally would, but use the IP and port above.

Current port mapping:

  • mysql-judodata-8-4 => 33785
  • test-migration-of-side-projects-v5 => 33786

3. Check Service Status

# Check if running
sudo systemctl status cloud-sql-proxy

# View logs
sudo journalctl -u cloud-sql-proxy -f

4. Restart or Stop the Service

# Restart after config change
sudo systemctl restart cloud-sql-proxy

# Stop temporarily
sudo systemctl stop cloud-sql-proxy

5. Configuration

Config file is stored at:

/opt/cloud-sql-proxy/config.toml

Example format:

port = 3306
address = "0.0.0.0"
credentials-file = "/opt/cloud-sql-proxy/service-account.json"

# Instances
instance-connection-name-0 = "project:region:instance0"
instance-connection-name-1 = "project:region:instance1"

Note: Always use absolute paths for credentials-file.

After modifying config.toml, run:

sudo systemctl restart cloud-sql-proxy

6. Adding Another Instance

  1. Edit /opt/cloud-sql-proxy/config.toml
  2. Add another instance-connection-name-x line:
instance_connection_name-x = "project:region:instanceX"
  1. Restart the service:
sudo systemctl restart cloud-sql-proxy
  1. Instance should be accessible on port DEFAULT_PORT + X

7. Security Notes

  • Keep service-account.json permissions strict:
sudo chmod 640 /opt/cloud-sql-proxy/service-account.json
sudo chown cloudsql:cloudsql /opt/cloud-sql-proxy/service-account.json
  • The proxy should only listen on needed interfaces (address in config).
  • Never commit credentials to version control.

8. Troubleshooting

  • Port already in use → Check if another service is running on that port:
sudo lsof -i <PORT>
  • Public Key Retrieval error → Add allowPublicKeyRetrieval=true in your client settings.
  • Service won’t start → Check logs:
sudo journalctl -u cloud-sql-proxy --since "5 minutes ago"