---
title: Cloud SQL instance with contained database authentication on
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Cloud SQL instance with contained database
  authentication on
---

# Cloud SQL instance with contained database authentication on

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-gcp-cloud-sql-instance-with-contained-database-authentication-on` 

**Provider:** GCP

**Platform:** Ansible

**Severity:** High

**Category:** Insecure Configurations

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags)

### Description{% #description %}

Cloud SQL for SQL Server instances must have Contained Database Authentication disabled. Contained database users authenticate at the database level, bypassing server-level authentication and centralized IAM controls. This increases the risk of unauthorized access and unmanaged credentials.

For Ansible `google.cloud.gcp_sql_instance` or `gcp_sql_instance` resources, ensure `settings.database_flags` includes an entry with `name: "contained database authentication"` and `value: "off"`. Resources that omit this flag or set it to any value other than `"off"` are flagged. The check evaluates the `settings.database_flags` entries.

Secure configuration example:

- name: Create Cloud SQL SQL Server instance google.cloud.gcp_sql_instance: name: my-sqlserver-instance database_version: SQLSERVER_2019_STANDARD settings: database_flags: - name: contained database authentication value: "off"

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: sql_instance
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    database_version: SQLSERVER_13_1
    name: '{{ resource_name }}-2'
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      database_flags:
      - name: name1
        value: value1
      tier: db-n1-standard-1
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: sql_instance
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    database_version: SQLSERVER_13_1
    name: "{{ resource_name }}-2"
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      database_flags:
      - name: contained database authentication
        value: on
      tier: db-n1-standard-1
    state: present
```