Connect from Cloud Build

This page contains information and examples for connecting to a Cloud SQL instance from a service running in Cloud Build.

Cloud SQL is a fully-managed database service that helps you set up, maintain, manage, and administer your relational databases in the cloud.

Cloud Build is a service that executes your builds on Google Cloud infrastructure.

The steps to configure Cloud Build depend on the type of IP address that you assigned to your Cloud SQL instance.

Public IP (default)

Make sure your Cloud Build service account has the IAM roles and permissions required to connect to the Cloud SQL instance. The Cloud Build service account is listed on the Google Cloud console IAM page as the Principal [YOUR-PROJECT-NUMBER]@cloudbuild.gserviceaccount.com.

To view this service account in the Google Cloud console, select the Include Google-provided role grants checkbox.

Your Cloud Build service account needs the Cloud SQL Client IAM role.

If the Cloud Build service account belongs to a different project than the Cloud SQL instance, then the Cloud SQL Admin API and the role need to be added for both projects.

Private IP

To connect to your Cloud SQL instance over private IP, Cloud Build must be in the same VPC network as your Cloud SQL instance. To configure this:

Set up a private connection between the VPC network of your Cloud SQL instance and the service producer network.
Create a Cloud Build private pool.

Once configured, your application will be able to connect directly using your instance's private IP address and port 5432 when your build is run in the pool.

After you configure Cloud Build, you can connect to your Cloud SQL instance.

Public IP (default)

For public IP paths, Cloud Build supports both Unix and TCP sockets.

Connect with TCP

Connect with Unix sockets

Once correctly configured, you can connect your service to your Cloud SQL instance's Unix domain socket accessed on the environment's filesystem at the following path: /cloudsql/INSTANCE_CONNECTION_NAME.

The INSTANCE_CONNECTION_NAME uses the format project:region:instance-id. You can find it on the Overview page for your instance in the Google Cloud console or by running the following command:

gcloud sql instances describe [INSTANCE_NAME]

These connections are automatically encrypted without any additional configuration.

The code samples shown below are extracts from more complete examples on the GitHub site. Click View on GitHub to see more.

You can use the Cloud SQL Auth Proxy in a Cloud Build step to allow connections to your database. This configuration:

Builds your container and pushes it to Artifact Registry.
Builds a second container, copying in the Cloud SQL Auth Proxy binary.

Containers built by Cloud Build don't need to be pushed to any registry and are discarded on build completion.

Using the second container, starts the Cloud SQL Auth Proxy and runs any migration commands.

steps:
  - id: install-proxy
    name: gcr.io/cloud-builders/wget
    entrypoint: sh
    args:
      - -c
      - |
        wget -O /workspace/cloud-sql-proxy https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/2.21.1
        chmod +x /workspace/cloud-sql-proxy

 - id: migrate
    waitFor: ['install-proxy']
    name: YOUR_CONTAINER_IMAGE_NAME
    entrypoint: sh
    env:
      - "DATABASE_NAME=${_DATABASE_NAME}"
      - "DATABASE_USER=${_DATABASE_USER}"
      - "DATABASE_PORT=${_DATABASE_PORT}"
      - "INSTANCE_CONNECTION_NAME=${_INSTANCE_CONNECTION_NAME}"
    secretEnv:
      - DATABASE_PASS
    args:
      - "-c"
      - |
        /workspace/cloud-sql-proxy ${_INSTANCE_CONNECTION_NAME} --port ${_DATABASE_PORT} & sleep 2;
        # Cloud SQL Proxy is now up and running, add your own logic below to connect
        python migrate.py # For example

  options:
    dynamic_substitutions: true

  substitutions:
    _DATABASE_USER: myuser
    _DATABASE_NAME: mydatabase
    _INSTANCE_CONNECTION_NAME: ${PROJECT_ID}:us-central1:myinstance
    _DATABASE_PORT: '5432'
    _DATABASE_PASSWORD_KEY: database_password
    _AR_REPO_REGION: us-central1
    _AR_REPO_NAME: my-docker-repo
    _IMAGE_NAME: ${_AR_REPO_REGION}-docker.pkg.dev/${PROJECT_ID}/${_AR_REPO_NAME}/sample-sql-proxy

  availableSecrets:
    secretManager:
      - versionName: projects/$PROJECT_ID/secrets/${_DATABASE_PASSWORD_KEY}/versions/latest
        env: "DATABASE_PASS"

The Cloud Build code sample shows how you might run a hypothetical migrate.py script after deploying the previous sample app to update its Cloud SQL database using the Cloud SQL Auth Proxy and Cloud Build. To run this Cloud Build code sample the setup steps required are:

Create a folder name sql-proxy
Create a Dockerfile file in the sql-proxy folder with the following single line of code for its file contents:
```
    FROM gcr.io/gcp-runtimes/ubuntu_20_0_4
    
```
Create a cloudbuild.yaml file in the sql-proxy folder.
Update the cloudbuild.yaml file:
1. Copy the previous sample Cloud Build code and paste it into the cloudbuild.yaml file.
2. Replace the following placeholder values with the values used in your project:
  - mydatabase
  - myuser
  - myinstance
Create a secret named database_password in Secret Manager.
- In order for the Cloud Build service account to access this secret, you have to grant it the Secret Manager Secret Accessor role in IAM. See Using secrets from Secret Manager for more information.
Create a migrate.py script file in the sql-proxy folder.
- The script can reference the following environment variables and the secret created in the cloudbuild.yaml file using the following examples:
  - os.getenv('DATABASE_NAME')
  - os.getenv('DATABASE_USER')
  - os.getenv('DATABASE_PASS')
  - os.getenv('INSTANCE_CONNECTION_NAME')
- To reference the same variables from a Bash script (for example: migrate.sh) use the following examples:
  - $DATABASE_NAME
  - $DATABASE_USER
  - $DATABASE_PASS
  - $INSTANCE_CONNECTION_NAME
Run the following gcloud builds submit command to build a container with the Cloud SQL Auth Proxy, start the Cloud SQL Auth Proxy, and run the migrate.py script:
```
    gcloud builds submit --config cloudbuild.yaml
    
```

Private IP

For private IP paths, your application connects directly to your instance through private pools. This method uses TCP to connect directly to the Cloud SQL instance without using the Cloud SQL Auth Proxy.

Connect with TCP

Connect using the private IP address of your Cloud SQL instance as the host and port 5432.

You can then create a Cloud Build step to run your code directly.

The Cloud Build code sample above shows how you might run a hypothetical migrate script after deploying the sample app above to update its Cloud SQL database using Cloud Build. To run this Cloud Build code sample the setup steps required are:

Create a folder name sql-private-pool
Create a Dockerfile file in the sql-private-pool folder with the following single line of code for its file contents:
```
FROM gcr.io/gcp-runtimes/ubuntu_20_0_4
```
Create a cloudbuild.yaml file in the sql-private-pool folder.
Update the cloudbuild.yaml file:
1. Copy the sample Cloud Build code above and paste it into the cloudbuild.yaml file.
2. Replace the following placeholder values with the values used in your project:
  - mydatabase
  - myuser
  - databasehost, in the form host:port.
Create a secret named database_password in Secret Manager.
- In order for the Cloud Build service account to access this secret, you will have to grant it the Secret Manager Secret Accessor role in IAM. See Using secrets from Secret Manager for more information.
Create a migrate.py script file in the sql-proxy folder.
- The script can reference the following environment variables and the secret created in the cloudbuild.yaml file using the following examples:
  - os.getenv('DATABASE_NAME')
  - os.getenv('DATABASE_USER')
  - os.getenv('DATABASE_PASS')
  - os.getenv('DATABASE_HOST')
- To reference the same variables from a Bash script (for example: migrate.sh) use the following examples:
  - $DATABASE_NAME
  - $DATABASE_USER
  - $DATABASE_PASS
  - $DATABASE_HOST
Run the following gcloud builds submit command to build a container with the Cloud SQL Auth Proxy, start the Cloud SQL Auth Proxy, and run the migrate.py script:
```
gcloud builds submit --config cloudbuild.yaml
```

By configuring Cloud Build to connect to Cloud SQL, you can run database schema migration tasks in Cloud Build using the same code you would deploy to any other serverless platform.