Skip to content

Access MySQL, MariaDB, or PostgreSQL

Required roles

To follow the steps in this guide, you need the following roles:

Prerequisites

To follow the steps in this guide, make sure that you meet the following prerequisites:

  • You downloaded and installed a database client such as MySQL Shell, PostgreSQL Shell, or pgAdmin on your local computer.
  • You created a firewall rule that allows IAP to connect to port 3306 (MySQL, MariaDB) or port 5432 (PostgreSQL) of the database VM.

You can use IAP Desktop to access MySQL, MariaDB, or PostgreSQL in two ways:

  1. You can let IAP Desktop launch and connect the database client for you. IAP Desktop automatically establishes an IAP TCP forwarding tunnel and keeps the tunnel open until you close the client application.

    This is the most convenient option, but it only works for client applications that allow connection details (server name, port number) to be passed as a command line parameter. These include the command-line clients for MySQL, MariaDB, and PostgreSQL, but not MySQL Workbench or pgAdmin.

  2. You can let IAP Desktop open a tunnel. You can then use any tool to connect to that tunnel and the tunnel remains open until you close IAP Desktop.

    This option is slightly less convenient, but works with most client applications, including MySQL Workbench and pgAdmin.

The way IAP Desktop uses IAP-TCP to connect to MySQL, MariaDB, or PostgreSQL differs depending on whether you're running the database on Compute Engine or using Cloud SQL:

If you're running MySQL, MariaDB, or PostgreSQL on Compute Engine, you don't need any additional VM to let IAP Desktop connect to the database. The only prerequisite is a firewall rule that allows IAP-TCP to connect to port 3306 (MySQL, MariaDB) or port 5432 (PostgreSQL) of the database VM.

Connect to MySQL, MariaDB, or PostgreSQL

If you're using Cloud SQL for MySQL or PostgreSQL, you need an additional VM that runs the Cloud SQL Auth Proxy . This VM is necessary because IAP-TCP doesn't support creating tunnels to managed services such as Cloud SQL.

Connect to MySQL, MariaDB, or PostgreSQL

To deploy a Cloud SQL Auth Proxy VM, see Set up a Cloud SQL Proxy VM.

Connect the database client

To launch and connect a client application automatically, do the following:

  1. In the Project Explorer tool window, right-click your database VM and select Connect client application > MySQL Shell.

    Connect MySQL shell

    Note

    If you don't see the menu entry, then IAP Desktop wasn't able to find a supported version of the MySQL command-line client on your computer.

  2. IAP Desktop now creates an IAP TCP forwarding tunnel and launches the MySQL command-line client.

  1. In the Project Explorer tool window, right-click your database VM and select Connect client application > PostgreSQL Shell.

    Note

    If you don't see the menu entry, then IAP Desktop wasn't able to find a supported version of the PostgreSQL command-line client on your computer.

  2. IAP Desktop now creates an IAP TCP forwarding tunnel and launches the PostgreSQL command-line client.

You can register additional database clients by creating an IAP Application Protocol Configuration (IAPC).

Open a tunnel

You can let IAP Desktop open a tunnel and connect to tha tunnel by doing the following:

  1. In the Project Explorer tool window, right-click your database VM and select Tunnel to > MySQL/MariaDB.

    Open tunnel

    A notification appears:

    Baloon notification

  2. Launch MySQL Workbench.

  3. In MySQL Workbench, go to Database > Connect to database.

  4. In the Connect to database dialog, configure the following:

    • Hostname: 127.0.0.1
    • Port: Enter the port number indicated in the notification.

  5. Click OK.

  1. In the Project Explorer tool window, right-click your database VM and select Tunnel to > PostgreSQL.

    A notification appears:

    Baloon notification

  2. Launch pgAdmin.

  3. Click Add new server.
  4. In the Register server dialog, enter a name for the server.

  5. Switch to the Connection tab and configure the following:

    • Host name/address: 127.0.0.1
    • Port: Enter the port number indicated in the notification.

  6. Click Save.

You can register additional database clients by creating an IAP Application Protocol Configuration (IAPC).

To view all active tunnels and their port numbers, select View > Active IAP tunnels in the main menu.

Note

When you open a tunnel to the same VM again in the future, IAP Desktop will use the same port number unless it's in use by a different application.