Google PostgreSQL Reference

Last Updated February 26, 2025

This topic gives you reference information about the Google PostgreSQL service (csb-google-postgres). It details the plans, configuration parameters, and binding credentials.

Plans

A default plan becomes available when installing the tile. This plan is for reference only, and is not intended for production use. Remove this default plan and create plans that fit your requirements.

Plan Configuration Parameters

When configuring Cloud Service Broker for GCP you can add additional plans. For how to configure plans, see Configure Services with Cloud Service Broker for GCP.

The following table lists parameters that can be configured at a plan level:

Parameter name	Values	Default	Required
`name`	The plan name.	n/a	Yes
`id`	A unique GUID.	n/a	Yes
`description`	Description of the new plan.	n/a	Yes
`display_name`	Name to use when displaying the plan in the Marketplace.	n/a	No
`free`	When false, service instances of this service plan have a cost.	true	No
`bindable`	Specifies whether service instances of the service plan can bind to applications.	true	No
`plan_updateable`	Specifies whether the plan supports upgrade/downgrade/sidegrade to another version.	true	No
`metadata.displayName`	Name to use when displaying the plan in the Marketplace.	n/a	No
`metadata.bullets`	List of bullet points to display in Apps Manager.	n/a	No

You can also add any of the configuration parameters listed in the parameters section to your plan.

To create plans with specific sizes and versions, set the tier, storage_gb, and postgres_version properties.

If you set a parameter at plan level, developers cannot change the value when creating or updating service instances.

Caution When editing a plan configuration, consider the implications for existing services. If you change a default value, this value is applied to existing service instances when they are updated. For example, if you change the region, then when a service instance is updated, an attempt is made to change the region. This is not a supported operation in GCP and might result in data loss.

Configuration Parameters

You can provision a service by running:

cf create-service csb-google-postgres PLAN-NAME SERVICE-INSTANCE-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'

You can update the configuration parameters for a service instance by running:

cf update-service SERVICE-INSTANCE-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'

The following table lists the parameters that you can configure, by using the -c flag, when provisioning or updating a csb-google-postgres service. The Operation column displays whether a parameter is supported for both provision and update, or for provision only:

Parameter Name	Type	Description	Default	Operation
`tier`	string	Required unless defined in plan. Google machine tier. This determines the CPU and RAM resource. It can be a legacy machine type, such as `db-f1-micro`, `db-g1-small`, `db-n1-standard-8`, `db-n1-highmem-16`, or a custom machine type such as `db-custom-8-8192`. For more information about machine types, see the Google Cloud documentation.	None	provision and update
`postgres_version`	string	Required unless defined in the plan. The version for the PostgreSQL instance. `POSTGRES_11`, `POSTGRES_12`, `POSTGRES_13`, or `POSTGRES_14`, `POSTGRES_15`.	`POSTGRES_13`	provision
`storage_gb`	number	Size of storage volume for service instance. 10–4096 GB. To change this value, set the `disk_autoresize` to false.	`10`	provision and update
`disk_autoresize`	boolean	Enables auto-resizing of the storage size. When this is enabled, the `storage_gb` value is ignored. The auto-resize functionality will adjust the storage capacity dynamically, ensuring that the database does not run out of storage.	`true`	provision and update
`disk_autoresize_limit`	number	The maximum size in GB to which storage capacity can be automatically increased. The default value is `0`, which specifies that there is no limit, allowing the storage to grow as needed up to the provider's maximum.	`0`	provision and update
`instance_name`	string	Name for the PostgreSQL instance.	`csb-postgres-INSTANCE-ID`	provision
`db_name`	string	Name for the database.	`csb-db`	provision
`region`	string	The region of the PostgreSQL instance.	The value the operator entered for Region in Tanzu Operations Manager.	provision
`require_ssl`	boolean	Require TLS for the connection between PostgreSQL and the apps bound to the service.	`true`	provision and update
`authorized_network`	string	The name of the Google Compute Engine network to which the instance is connected. The `authorized_network_id` takes precedence if set.	`default`	provision and update
`authorized_network_id`	string	Self link of the Google Compute Engine network to which the instance is connected. It has the format `https://www.googleapis.com/compute/v1/projects/PROJECT-NAME/global/networks/VPC-NAME`.	The value the operator entered for authorized_network_id in Tanzu Operations Manager. If that is empty then `authorized_network` is used.	provision and update
`authorized_networks_cidrs`	array	CIDR notation IPv4 or IPv6 addresses that are allowed to access this instance.	`[]`	provision and update
`public_ip`	Boolean	Assigns a static public IPv4 IP to the database. You must configure `authorized_networks_cidrs` on the selected network to enable access. For more information, see the Google Cloud documentation.	`false`	provision and update
`backups_retain_number`	integer	The number of backups to retain. Set this to zero to deactivate backups.	`7`	provision and update
`backups_location`	string	The location where backups are stored.	`us`	provision and update
`backups_start_time`	string	Start of the backup time window in UTC.	`07:00`	provision and update
`backups_point_in_time_log_retain_days`	integer	The number of days to retain point in time logs. Set to zero to deactivate point in time logging. Before you set this property, you must first enable backups using the `backups_retain_number` property.	`7`	provision and update
`highly_available`	boolean	Enable regional high availability for the service instance. This results in a hot standby instance deployed to a different zone in the same region, and affects billing accordingly. Requires `backups_point_in_time_log_retain_days` and `backups_retain_number` properties other than zero. For more information, see the Google Cloud Documentation.	`false`	provision and update
`location_preference_zone`	string	Preferred zone in the instance region for the primary instance in a highly available setup. For example, `a` or `c`. When not specified, one of the available zones is chosen automatically. For a list of available zones, see the Google Cloud Documentation.	`""`	provision and update
`location_preference_secondary_zone`	string	Preferred zone in the instance region for the standby instance in a highly available setup. For example, `b` or `f`. In a highly available configuration, when the secondary zone is not specified, a zone other than the one specified for the primary instance is chosen automatically. For a list of available zones, see the Google Cloud Documentation.	`""`	provision and update
`credentials`	string	The GCP credentials.	The value the operator entered for Credentials in Tanzu Operations Manager.	provision and update
`project`	string	The GCP project to use.	The value the operator entered for Project in Tanzu Operations Manager.	provision

Binding

You can bind a service by running:

cf bind-service APP-NAME SERVICE-INSTANCE-NAME --binding-name BINDING-NAME

A binding or service key corresponds to a user in PostgreSQL. By default, PostgreSQL users do not have have access to data written by other users.

For bindings to have access to the same data, the public schema can be used, or a schema can be created and access can be granted to other users.

When a binding or service key is deleted, data that the PostgreSQL user owns is re-assigned to a role called binding_user_group before the user is deleted. This ensures that other bindings still have access to the data.

Binding Process

For each new binding, the Google PostgreSQL service creates a new user with the role binding_user_group. When the binding is deleted, all the objects the user owns are re-assigned to the role binding_user_group, and the user is deleted.

The client certificate exposed through the binding credentials is created during provisioning, and is shared between all binding users. The client certificate is managed in this manner for the following reasons:

Each CloudSQL instance is limited to 10 certificates. For more information, see the Google Cloud documentation.
The lifetime of a client certificate is set to 10 years.
The client certificate is used to authorize only the connection and never the user.

Currently, the Google PostgreSQL service does not provide a mechanism for TLS certificate rotation.

Binding Credentials

The format for binding credentials for Google PostgreSQL is as follows:

{
    "name" : "DATABASE-NAME",
    "hostname" : "DATABASE-SERVER-HOST",
    "port" : "DATABASE-SERVER-PORT",
    "username" : "AUTHENTICATION-USERNAME",
    "password" : "AUTHENTICATION-PASSWORD",
    "require_ssl" : true,
    "uri" : "DATABASE-CONNECTION-URI",
    "jdbcUrl" : "JDBC-FORMAT-CONNECTION-URL",
    "sslcert" : "SSL_CLIENT_CERT",
    "sslkey" : "SSL_CLIENT_CERT_KEY",
    "sslrootcert" : "SSL_ROOT_CERT"
}

Content feedback and comments

Tanzu Cloud Service Broker for GCP 1.8