--- title: "Set up Google CloudSQL MySQL | Database Observability documentation" description: "Set up Database Observability for Google CloudSQL MySQL using Grafana Alloy and send telemetry to Grafana Cloud." --- # Set up Google CloudSQL MySQL Set up Database Observability with Grafana Cloud to collect telemetry from Google CloudSQL MySQL instances using Grafana Alloy. You configure your CloudSQL instance and Alloy to forward telemetry to Grafana Cloud. ## What you’ll achieve In this article, you: - Configure CloudSQL MySQL database flags for monitoring. - Create monitoring users with required privileges. - Configure Alloy with the Database Observability components. - Forward telemetry to Grafana Cloud. ## Before you begin Review these requirements: - CloudSQL MySQL 8.0 or later. - Access to modify CloudSQL instance database flags. - Grafana Alloy deployed and accessible to your CloudSQL instance. - Network connectivity between Alloy and your CloudSQL instance (via private IP, public IP with authorized networks, or Cloud SQL Auth Proxy). For general MySQL setup concepts, refer to [Set up MySQL](/docs/grafana-cloud/monitor-applications/database-observability/set-up/mysql/). > Note > > Alloy should connect directly to the database host. Avoid connecting Alloy to the database through a load balancer or connection pooler as it would limit Alloy’s ability to collect accurate telemetry. ## Configure database flags Enable Performance Schema and related instrumentation by adding database flags to your CloudSQL MySQL instance. These flags require an instance restart to take effect. ### Required database flags Expand table | Flag | Value | Notes | |------------------------------------------|--------|------------------| | `performance_schema` | `on` | Requires restart | | `performance_schema_max_digest_length` | `4096` | Requires restart | | `performance_schema_max_sql_text_length` | `4096` | Requires restart | | `max_digest_length` | `4096` | Requires restart | ### Use the Google Cloud console 1. Open the **Cloud Console** and navigate to **Instances** 2. Select your CloudSQL MySQL instance. 3. Click **Edit**. 4. Expand **Flags and parameters** section. 5. Click **Add a database flag** for each flag listed above. 6. Set the flag name and value as specified in the table. 7. Click **Save** to apply the changes. 8. The instance restarts automatically to apply the new flags. For detailed console instructions, refer to [Configure database flags](https://cloud.google.com/sql/docs/mysql/flags) in the Google Cloud documentation. ### Use Terraform Using Terraform with `google_sql_database_instance`: hcl ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```hcl resource "google_sql_database_instance" "instance" { database_version = "MYSQL_8_0" name = "" region = "" settings { database_flags { name = "performance_schema" value = "on" } database_flags { name = "performance_schema_max_digest_length" value = "4096" } database_flags { name = "performance_schema_max_sql_text_length" value = "4096" } database_flags { name = "max_digest_length" value = "4096" } } } ``` Replace the placeholders: - `INSTANCE_NAME`: Your CloudSQL instance name. - `REGION`: GCP region where the instance is deployed. Alternatively, configure flags using the `gcloud` CLI: Bash ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```bash gcloud sql instances patch \ --database-flags=performance_schema=on,performance_schema_max_digest_length=4096,performance_schema_max_sql_text_length=4096, max_digest_length=4096 ``` > Note > > CloudSQL requires an instance restart after changing database flags. The restart happens automatically when you apply the changes. ## Create a monitoring user and grant required privileges Connect to your CloudSQL MySQL instance and create the monitoring user: Create the `db-o11y` user and grant base privileges: SQL ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```sql CREATE USER 'db-o11y'@'%' IDENTIFIED BY ''; GRANT PROCESS, REPLICATION CLIENT ON *.* TO 'db-o11y'@'%'; GRANT SELECT ON performance_schema.* TO 'db-o11y'@'%'; ``` Replace *<DB\_O11Y\_PASSWORD>* with a secure password for the `db-o11y` MySQL user. ## Disable tracking of monitoring user queries Prevent tracking of queries executed by the monitoring user itself: SQL ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```sql UPDATE performance_schema.setup_actors SET ENABLED = 'NO', HISTORY = 'NO' WHERE USER = 'db-o11y'; ``` ## Grant object privileges for detailed data Grant access to specific schemas when you want detailed information: SQL ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```sql GRANT SELECT, SHOW VIEW ON .* TO 'db-o11y'@'%'; ``` Replace *<SCHEMA\_NAME>* with the name of the schema you want to monitor. Alternatively, if you’re unsure which specific schemas need access, grant broader read access to all schemas: SQL ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```sql GRANT SELECT, SHOW VIEW ON *.* TO 'db-o11y'@'%'; ``` ## Grant privileges to auto-enable consumers Grant update privileges for `Performance Schema` consumers if you want Alloy to auto-enable them: SQL ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```sql GRANT UPDATE ON performance_schema.setup_consumers TO 'db-o11y'@'%'; ``` Then, enable the Alloy option `allow_update_performance_schema_settings` as described in the [reference](/docs/alloy/latest/reference/components/database_observability/database_observability.mysql/#arguments) documentation of the `database_observability.mysql` component. Alternatively, enable consumers manually as described in the Set up MySQL guide. ## Verify user privileges Verify that the user exists and has the expected privileges: SQL ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```sql SHOW GRANTS FOR 'db-o11y'@'%'; ``` Expected output: ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none +------------------------------------------------------------------------------+ | Grants for db-o11y@% | +------------------------------------------------------------------------------+ | GRANT PROCESS, REPLICATION CLIENT ON *.* TO `db-o11y`@`%` | | GRANT SELECT, SHOW VIEW ON *.* TO `db-o11y`@`%` | | GRANT SELECT ON `performance_schema`.* TO `db-o11y`@`%` | | GRANT INSERT, UPDATE ON `performance_schema`.`setup_actors` TO `db-o11y`@`%` | +------------------------------------------------------------------------------+ ``` ## Verify database flag settings Verify that the settings were applied correctly: SQL ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```sql SHOW VARIABLES LIKE 'performance_schema'; ``` Expected result: Value is `ON`. SQL ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```sql SHOW VARIABLES LIKE 'performance_schema_max_digest_length'; ``` Expected result: Value is `4096`. SQL ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```sql SHOW VARIABLES LIKE 'performance_schema_max_sql_text_length'; ``` Expected result: Value is `4096`. SQL ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```sql SHOW VARIABLES LIKE 'max_digest_length'; ``` Expected result: Value is `4096`. ## Run and configure Alloy Run Alloy and add the Database Observability configuration for your CloudSQL instance. ### Run the latest Alloy version Alloy `1.16.0` or later is required for Database Observability. Find the latest stable version on [Docker Hub](https://hub.docker.com/r/grafana/alloy/tags). To update, refer to the [Alloy release notes](https://github.com/grafana/alloy/releases). ### Add the CloudSQL MySQL configuration blocks Add these blocks to Alloy for CloudSQL MySQL. Replace *<DB\_NAME>*. Create a `local.file` with the Data Source Name string, for example, `:@tcp(:)/`: Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```alloy local.file "mysql_secret_" { filename = "/var/lib/alloy/mysql_secret_" is_secret = true } prometheus.exporter.mysql "mysql_" { data_source_name = local.file.mysql_secret_.content enable_collectors = ["perf_schema.eventsstatements"] perf_schema.eventsstatements { exclude_schemas = ["cloudsqladmin"] text_limit = 0 limit = 100 } } database_observability.mysql "mysql_" { data_source_name = local.file.mysql_secret_.content forward_to = [loki.relabel.database_observability_mysql_.receiver] targets = prometheus.exporter.mysql.mysql_.targets exclude_schemas = ["cloudsqladmin"] cloud_provider { gcp { connection_name = "" } } } loki.relabel "database_observability_mysql_" { forward_to = [loki.write.logs_service.receiver] rule { target_label = "instance" replacement = "" } } discovery.relabel "database_observability_mysql_" { targets = database_observability.mysql.mysql_.targets rule { target_label = "job" replacement = "integrations/db-o11y" } // OPTIONAL: relabel `instance` to `dsn` before overwriting `instance`; // the `dsn` label is used in the integration with the knowledge graph rule { source_labels = ["instance"] target_label = "dsn" } rule { target_label = "instance" replacement = "" } } prometheus.scrape "database_observability_mysql_" { targets = discovery.relabel.database_observability_mysql_.output forward_to = [prometheus.remote_write.metrics_service.receiver] } ``` Replace the placeholders: - `DB_NAME`: Database name Alloy uses in component identifiers (appears in component names and secret filenames). - `CLOUDSQL_CONNECTION_NAME`: Cloud SQL instance connection name in `project:region:instance` format (for example, `my-project:us-central1:my-db`). - `INSTANCE_LABEL`: Value that sets the `instance` label on logs and metrics (optional). - Secret file content DSN example: `DB_USER:DB_PASSWORD@tcp(INSTANCE_IP:DB_PORT)/`. - `DB_USER`: Database user Alloy uses to connect (for example, `db-o11y`). - `DB_PASSWORD`: Password for the database user. - `INSTANCE_IP`: CloudSQL instance IP address (private or public). - `DB_PORT`: Database port number (default: `3306`). Find more about the options supported by the `database_observability.mysql` component in the [reference](/docs/grafana-cloud/send-data/alloy/reference/components/database_observability/database_observability.mysql/) documentation. ### Add Prometheus and Loki write configuration Add the Prometheus remote write and Loki write configuration. From Grafana Cloud, open your stack to get the URLs and generate API tokens: Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```alloy prometheus.remote_write "metrics_service" { endpoint { url = sys.env("GCLOUD_HOSTED_METRICS_URL") basic_auth { password = sys.env("GCLOUD_RW_API_KEY") username = sys.env("GCLOUD_HOSTED_METRICS_ID") } } } loki.write "logs_service" { endpoint { url = sys.env("GCLOUD_HOSTED_LOGS_URL") basic_auth { password = sys.env("GCLOUD_RW_API_KEY") username = sys.env("GCLOUD_HOSTED_LOGS_ID") } } } ``` Replace the placeholders: - `GCLOUD_HOSTED_METRICS_URL`: Your Grafana Cloud Prometheus remote write URL. - `GCLOUD_HOSTED_METRICS_ID`: Your Grafana Cloud Prometheus instance ID (username). - `GCLOUD_HOSTED_LOGS_URL`: Your Grafana Cloud Loki write URL. - `GCLOUD_HOSTED_LOGS_ID`: Your Grafana Cloud Loki instance ID (username). - `GCLOUD_RW_API_KEY`: Grafana Cloud API token with write permissions. ## Run and configure Alloy with the Grafana Kubernetes Monitoring Helm chart Extend your `values.yaml` when you use the k8s-monitoring Helm chart and set `databaseObservability.enabled` to true within the MySQL integration. YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```yaml integrations: collector: alloy-singleton mysql: instances: - name: jobLabel: integrations/db-o11y exporter: enabled: true collectors: perfSchemaEventsStatements: enabled: true dataSource: host: auth: usernameKey: username passwordKey: password databaseObservability: enabled: true allowUpdatePerformanceSchemaSettings: true extraConfig: | exclude_schemas = ["cloudsqladmin"] cloud_provider { gcp { connection_name = "" } } secret: create: false name: namespace: logs: enabled: true labelSelectors: app.kubernetes.io/instance: ``` Replace the placeholders: - `INSTANCE_NAME`: Name for this database instance in Kubernetes. - `INSTANCE_IP`: CloudSQL instance IP address. - `CLOUDSQL_CONNECTION_NAME`: Cloud SQL instance connection name in `project:region:instance` format (for example, `my-project:us-central1:my-db`). - `SECRET_NAME`: Name of the Kubernetes secret containing database credentials. - `NAMESPACE`: Kubernetes namespace where the secret exists. To see the full set of values, check out the k8s-monitoring Helm chart [documentation](https://github.com/grafana/k8s-monitoring-helm/blob/main/charts/k8s-monitoring/charts/feature-integrations/docs/integrations/mysql.md#database-observability) or the [example configuration](https://github.com/grafana/k8s-monitoring-helm/tree/main/charts/k8s-monitoring/docs/examples/features/database-observability/mysql). ## Optional: Configure GCP Secret Manager and Kubernetes If you use GCP Secret Manager with External Secrets Operator to manage database credentials, configure them as follows. ### Secret path convention Store monitoring credentials in GCP Secret Manager with a name following this convention: ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none cloudsql--monitoring ``` ### MySQL secret format Store the secret as JSON with the following format: JSON ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```json { "username": "db-o11y", "password": "", "host": "", "port": 3306 } ``` Replace the placeholders: - `DB_O11Y_PASSWORD`: Password for the `db-o11y` MySQL user. - `INSTANCE_IP`: CloudSQL instance IP address. - `INSTANCE_NAME`: Your CloudSQL instance name. ### Create the secret via `gcloud` CLI Bash ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```bash echo '{"username":"db-o11y","password":"","host":"","port":3306}' | \ gcloud secrets create cloudsql--monitoring --data-file=- ``` ### Kubernetes External Secrets configuration Use the External Secrets Operator to sync the GCP secret into Kubernetes: YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```yaml --- apiVersion: external-secrets.io/v1beta1 kind: SecretStore metadata: name: -db-monitoring-secretstore spec: provider: gcpsm: projectID: --- apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: -db-monitoring-secret spec: refreshInterval: 1h secretStoreRef: kind: SecretStore name: -db-monitoring-secretstore dataFrom: - extract: key: cloudsql--monitoring ``` > Note > > This example assumes Workload Identity is configured on your GKE cluster. If using a different authentication method, add the appropriate `auth` section to the SecretStore. Refer to [External Secrets GCP SM documentation](https://external-secrets.io/latest/provider/google-secrets-manager/) for details. Replace the placeholders: - `INSTANCE_NAME`: CloudSQL instance name. - `GCP_PROJECT_ID`: Google Cloud project ID. ## Next steps For an overview of key concepts, refer to [Introduction to Database Observability](/docs/grafana-cloud/monitor-applications/database-observability/introduction/). For troubleshooting during setup, refer to [Troubleshoot](/docs/grafana-cloud/monitor-applications/database-observability/troubleshoot/).