Google Cloud SQL Postgres
text-to-SQL, no AlloyDB migration
- Verified read-only SQL
- Text-to-SQL agent for Google Cloud SQL
- Reusable AI SQL skills you export to Claude Code, Cursor & Codex
Point Chion at your Google Cloud SQL for PostgreSQL instance and ask questions in plain English ("average order value by category last month?", "new signups by week?"). It turns each question into verified, read-only text-to-SQL, runs it against your data (or a read replica), and shows you the answer as a chart. No Gemini or AlloyDB migration required, and every query is yours to export to Claude Code. Verified, read-only SQL, without locking into Gemini or AlloyDB.
Read-only by code, verified line-by-line, capped at 1,000 rows. Accuracy you can trace, not just trust.
Chion turns your Google Cloud SQL for PostgreSQL into an AI analyst for Cloud SQL, built for conversation-driven analytics. Connect read-only, ask in plain English, and turn every verified query into a reusable skill with the skills generator. Credentials are wrapped in an AES-256-GCM vault, every query runs as a read-only SELECT capped at 1,000 rows, and the row-level security on the role you provide is honored on every call. It is an AI workforce that writes SQL your team can point at a Cloud SQL replica in two minutes.
Run AI on the Cloud SQL you already have
What changes when your PostgreSQL lives on Google Cloud SQL.
Direct IP + SSL vs the Auth Proxy
Connect read-only over SSL in two minutes, Auth Proxy optional. Public IP with sslmode=require is the simplest path. The Cloud SQL Auth Proxy adds IAM-managed connections; both work with Chion. Pick the proxy if your security policy requires IAM-brokered access.
Chion vs. Cloud SQL's built-in Gemini text-to-SQL
Google's natural-language SQL generation ships as the alloydb_ai_nl extension on AlloyDB, brokered through Gemini, so Cloud SQL Postgres users must migrate to get it. AlloyDB AI's value-linking and query templates run deep if you have already committed to AlloyDB; Chion runs verified, read-only text-to-SQL on the Cloud SQL instance you already have, model-agnostic, so your verified SQL skills outlive any one vendor's AI.
Authorized networks, not open access
Under Connections → Networking, add an authorized network scoped to the Chion IP range rather than opening the instance to the internet. The same least-privilege posture runs through Chion's security model.
Run questions on a read replica with zero load on your primary
Create a read replica and point Chion at it to offload analytics from the primary. Chion only ever issues SELECTs, so a replica is a perfect fit for read-heavy question workloads.
Private Service Connect and Private IP
PSC and private-only instances require VPC-originating connections. Expose a public endpoint or run a TCP proxy on a VM that Chion can reach over the public internet.
Cloud SQL IAM database authentication (roadmap)
Chion authenticates today with a dedicated read-only role and password. IAM database authentication is on the enterprise roadmap. See how Chion compiles a verified SQL pipeline end to end.
Example question & SQL
See what Chion generates from a plain-English question.
You ask
"Average order value by product category last month"
Chion generates
SELECT
p.category,
AVG(oi.unit_price * oi.quantity) AS avg_order_value
FROM order_items oi
JOIN products p ON p.id = oi.product_id
JOIN orders o ON o.id = oi.order_id
WHERE o.created_at >= date_trunc('month', now()) - interval '1 month'
AND o.created_at < date_trunc('month', now())
GROUP BY p.category
ORDER BY avg_order_value DESC;Create a read-only Postgres role
Run this once before you connect. Chion enforces read-only at the SQL validator, but a least-privilege role is the canonical pattern.
CREATE ROLE chion_read LOGIN PASSWORD '<strong-password>';
GRANT CONNECT ON DATABASE <dbname> TO chion_read;
GRANT USAGE ON SCHEMA public TO chion_read;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO chion_read;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT ON TABLES TO chion_read;Replace <dbname> with your database name. The ALTER DEFAULT PRIVILEGES line ensures new tables are auto-readable.
Connection string format
Reference for parsing. Chion accepts the six fields directly, no string concatenation needed.
postgresql://chion_read:<password>@<public-ip>:5432/<dbname>?sslmode=requireFinding your Google Cloud SQL for PostgreSQL credentials
GCP Console → SQL → [your instance] → Overview page
| Field | Where to Find | Default |
|---|---|---|
| Server (Host) | Overview → Connect to this instance → Public/Private IP | IP address (e.g., 34.x.x.x) |
| Port | Not prominently displayed; always default | 5432 |
| Database | Databases tab in left sidebar | postgres |
| Schema | Not in console; default is public | public |
| User | Users tab in left sidebar | postgres |
| Password | Users tab → three-dot menu → Change password | Set at creation or via Users tab |
Quick steps
- 1.Log in at console.cloud.google.com
- 2.Navigate to SQL from the left sidebar
- 3.Click your PostgreSQL instance name
- 4.Overview page → under "Connect to this instance," copy the Public IP address
- 5.Click Databases in the left sidebar to see available databases
- 6.Click Users to see usernames; use the three-dot menu to change/reset a password
- 7.Port is always 5432
Google recommends using the Cloud SQL Auth Proxy for production connections. For Chion, direct IP + SSL works for initial setup.
Open Google Cloud SQL for PostgreSQL consoleGoogle Cloud SQL for PostgreSQL troubleshooting
Common issues and how to fix them.
Connection refused: no authorized network
In the GCP Console, go to your Cloud SQL instance → Connections → Networking → add an authorized network with the Chion IP range. For initial testing, scope the rule to your laptop's egress IP, then narrow to the Chion IP range before going live. Avoid opening the instance to the internet.
Cannot find Public IP
On the instance Overview page, look for "Connect to this instance" → Public IP address. If only Private IP is shown, you need to enable a public IP under Connections → Networking.
Password reset
Go to Users tab → click the three-dot menu next to your user → Change password. The change is immediate.
Read replica routing
For read-heavy workloads, create a Cloud SQL read replica and point Chion at the replica's public IP. Chion only issues SELECT statements, so a read replica is sufficient and offloads load from the primary.
Official Google Cloud SQL for PostgreSQL documentation
Authoritative references from the provider. Opens in a new tab.
- Cloud SQL for PostgreSQL overview
Official Google Cloud documentation index for Cloud SQL Postgres.
- Configure public IP
How to enable a public IP and add authorized networks.
- Cloud SQL read replicas
Replica creation and read-routing patterns.
- PostgreSQL CREATE ROLE
Reference for the read-only role used by Chion.
Your credentials are encrypted
All connection credentials are encrypted with AES-256-GCM and stored in an isolated vault. Chion connects with read-only permissions. No INSERT, UPDATE, or DELETE is ever possible. Row-level security policies are honored on every query.
Read the full security modelFrequently asked questions
Common questions about using Chion with Google Cloud SQL for PostgreSQL.
Do I need the Cloud SQL Auth Proxy?
Does Chion support Cloud SQL Private IP?
Which Cloud SQL tiers does Chion work with?
Can I use IAM database authentication?
Does Chion support Private Service Connect?
Can I point Chion at a Cloud SQL read replica?
Other PostgreSQL providers
Chion connects to all major managed PostgreSQL services.
Ready to connect your Google Cloud SQL for PostgreSQL database?
Open Chion, enter your credentials, and start asking questions in plain English.
Start your 7-day trial