# Cloud SQL

SureCloud enumerates all Cloud SQL instances across monitored GCP projects and inspects their security configuration. SureCloud checks whether SSL is required for connections, reviews the authorised networks list to detect instances with `0.0.0.0/0` access, verifies that automated backups are enabled with a sufficient retention window, and evaluates database flags for security-relevant settings such as `log_checkpoints`, `log_connections`, and `cross_db_ownership_chaining`. This provides continuous evidence that managed database instances are protected against unauthorised access and data loss.

## Endpoints

| API Call             | Use Case                                                                                                          |
| -------------------- | ----------------------------------------------------------------------------------------------------------------- |
| `sql.instances.list` | Enumerate all Cloud SQL instances in a project                                                                    |
| `sql.instances.get`  | Retrieve full instance configuration including SSL settings, authorised networks, flags, and backup configuration |
| `sql.users.list`     | List database users; detect users without passwords or with overly broad host permissions                         |
| `sql.databases.list` | Enumerate databases on each instance                                                                              |

## Pagination

Cloud SQL API list responses include a `nextPageToken` field when results span multiple pages. SureCloud passes the token as the `pageToken` query parameter in successive requests.

```json
{
  "kind": "sql#instancesList",
  "items": [
    { "name": "my-db-instance", "settings": { "ipConfiguration": { "requireSsl": true, ... } }, ... }
  ],
  "nextPageToken": "Cg9teS1kYi1pbnN0YW5jZQ=="
}
```
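As an added example (not SureCloud's own code), the following walks a paginated Cloud SQL list response in the way the paragraph describes, re-submitting each `nextPageToken` as `pageToken` until the field is absent. `fetch_page` and `FAKE_PAGES` are assumptions of the example that stand in for the real HTTP call and a constructed two-page response.

```python
# Added example (not SureCloud's code): follow nextPageToken across a Cloud SQL
# list response. `fetch_page` stands in for the HTTP call: it receives the
# pageToken (None for the first request) and returns the decoded JSON body.

def list_all_instances(fetch_page):
    """Yield every item across all pages until nextPageToken is absent."""
    token = None
    seen_tokens = set()
    while True:
        page = fetch_page(token)
        yield from page.get("items", [])
        token = page.get("nextPageToken")
        if not token:
            return
        # A server that keeps returning the same token would otherwise loop forever.
        if token in seen_tokens:
            raise RuntimeError(f"pageToken repeated: {token}")
        seen_tokens.add(token)


# Constructed two-page response (not real API output), keyed by pageToken.
FAKE_PAGES = {
    None: {"kind": "sql#instancesList",
           "items": [{"name": "db-a"}, {"name": "db-b"}],
           "nextPageToken": "page-2-token"},
    "page-2-token": {"kind": "sql#instancesList",
                     "items": [{"name": "db-c"}]},
}


def fake_fetch(token):
    """Stand-in for the `sql.instances.list` call (assumed helper)."""
    return FAKE_PAGES[token]


def instance_names(fetch_page=fake_fetch):
    """Collect instance names across all pages."""
    return [inst["name"] for inst in list_all_instances(fetch_page)]
```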

## Required permissions

| Role                         | Grants                                                                                  |
| ---------------------------- | --------------------------------------------------------------------------------------- |
| `roles/iam.securityReviewer` | Includes `cloudsql.instances.get`, `cloudsql.instances.list`, and `cloudsql.users.list` |

## Troubleshooting

<details>

<summary>SSL enforcement status shows as disabled when SSL is required</summary>

Cloud SQL has two SSL/TLS settings: `requireSsl` (legacy flag, applies to all connections) and `sslMode` (newer setting with options `ALLOW_UNENCRYPTED_AND_ENCRYPTED`, `ENCRYPTED_ONLY`, and `TRUSTED_CLIENT_CERTIFICATE_REQUIRED`). SureCloud reads both fields. If `requireSsl` is `false` but `sslMode` is `ENCRYPTED_ONLY`, SureCloud treats SSL as enforced.

If the value appears inconsistent, check both fields directly in **Cloud SQL → \[Instance] → Connections → Security** in the Google Cloud Console.

</details>

<details>

<summary>Authorised networks show as empty for instances that have network rules configured</summary>

Instances configured to use **Private IP only** (no public IP) will have an empty authorised networks list — this is the expected and recommended configuration. SureCloud does not flag empty authorised networks on private-IP-only instances as a finding.

If an instance has a public IP but an empty authorised networks list, access is controlled by IAM-based Cloud SQL Auth proxy only, which is also a valid configuration.

</details>

<details>

<summary>Database flags are not appearing for some instances</summary>

Database flags are returned in the `settings.databaseFlags` array of the `instances.get` response. If flags are missing, the instance may not have any flags explicitly configured — in this case the array will be empty, and SureCloud will report the default values for each flag as defined by the Cloud SQL documentation for that database engine version.

</details>
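As an added example (not SureCloud's own code), here is the evaluation logic described in the overview and in the three troubleshooting notes above, applied to one `instances.get` body: the `requireSsl`/`sslMode` rule, the private-IP exemption for an empty authorised networks list, and the case where `databaseFlags` is empty. Field names follow the Cloud SQL Admin API; the seven-backup retention threshold and the desired flag values are assumptions of this example, not SureCloud's published thresholds.

```python
# Added example (not SureCloud's code): evaluate the security-relevant parts of a
# Cloud SQL `instances.get` response. The retention threshold and desired flag
# values below are assumptions of this example.
MIN_RETAINED_BACKUPS = 7  # assumed "sufficient retention window" (COUNT unit)
DESIRED_FLAGS = {"log_checkpoints": "on", "log_connections": "on",
                 "cross_db_ownership_chaining": "off"}  # assumed desired values
ENCRYPTED_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}


def ssl_enforced(ip_cfg):
    """Legacy requireSsl or a strict sslMode both count as enforced."""
    return bool(ip_cfg.get("requireSsl")) or ip_cfg.get("sslMode") in ENCRYPTED_MODES


def evaluate_instance(instance):
    """Return finding strings for one instance; an empty list means compliant."""
    settings = instance.get("settings", {})
    ip_cfg = settings.get("ipConfiguration", {})
    findings = []
    if not ssl_enforced(ip_cfg):
        findings.append("ssl-not-enforced")
    # Authorised networks only matter with a public IP: an empty list on a
    # private-IP-only instance is the expected configuration, not a finding.
    nets = [n.get("value") for n in ip_cfg.get("authorizedNetworks", [])]
    if ip_cfg.get("ipv4Enabled") and "0.0.0.0/0" in nets:
        findings.append("authorized-network-open-to-world")
    backup = settings.get("backupConfiguration", {})
    retained = backup.get("backupRetentionSettings", {}).get("retainedBackups", 0)
    if not backup.get("enabled"):
        findings.append("automated-backups-disabled")
    elif retained < MIN_RETAINED_BACKUPS:
        findings.append(f"backup-retention-too-short:{retained}")
    # Flags not explicitly set are absent from databaseFlags; only flags that are
    # present and differ from the desired value are reported here.
    flags = {f["name"]: f["value"] for f in settings.get("databaseFlags", [])}
    for name, want in DESIRED_FLAGS.items():
        if name in flags and flags[name] != want:
            findings.append(f"flag-{name}={flags[name]}")
    return findings


# Constructed sample (not real data): public IP, legacy requireSsl off but sslMode
# strict, world-open authorised network, short retention, one weak flag.
SAMPLE_INSTANCE = {"name": "example-instance", "settings": {
    "ipConfiguration": {"ipv4Enabled": True, "requireSsl": False,
                        "sslMode": "ENCRYPTED_ONLY",
                        "authorizedNetworks": [{"name": "any", "value": "0.0.0.0/0"}]},
    "backupConfiguration": {"enabled": True, "backupRetentionSettings": {
        "retentionUnit": "COUNT", "retainedBackups": 3}},
    "databaseFlags": [{"name": "log_connections", "value": "off"}]}}
```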
