diff --git a/jobs/gcp-db-data-masking/Dockerfile b/jobs/gcp-db-data-masking/Dockerfile
new file mode 100644
index 0000000000..8b2de468e8
--- /dev/null
+++ b/jobs/gcp-db-data-masking/Dockerfile
@@ -0,0 +1,13 @@
+FROM google/cloud-sdk:latest
+
+USER root
+
+# Create working directory
+RUN mkdir /opt/app-root && chmod 755 /opt/app-root
+WORKDIR /opt/app-root
+
+COPY jobs/gcp-db-data-masking/ .
+
+EXPOSE 8080
+
+CMD [ "/bin/bash", "run.sh" ]
diff --git a/jobs/gcp-db-data-masking/cloudbuild.yaml b/jobs/gcp-db-data-masking/cloudbuild.yaml
new file mode 100644
index 0000000000..7fcf40705f
--- /dev/null
+++ b/jobs/gcp-db-data-masking/cloudbuild.yaml
@@ -0,0 +1,4 @@
+steps:
+- name: "gcr.io/cloud-builders/docker" args: ["build", "-f", "jobs/gcp-db-data-masking/Dockerfile", "-t", "${_LOCATION}-docker.pkg.dev/${PROJECT_ID}/${_REGISTRY_REPO}/${_IMAGE}:${SHORT_SHA}", "-t", "${_LOCATION}-docker.pkg.dev/${PROJECT_ID}/${_REGISTRY_REPO}/${_IMAGE}:${_TAG}", "."]
+images: ["${_LOCATION}-docker.pkg.dev/${PROJECT_ID}/${_REGISTRY_REPO}/${_IMAGE}:${_TAG}"]
diff --git a/jobs/gcp-db-data-masking/db_mask.sh b/jobs/gcp-db-data-masking/db_mask.sh
new file mode 100644
index 0000000000..43bd871438
--- /dev/null
+++ b/jobs/gcp-db-data-masking/db_mask.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+echo "mask script goes in here"
diff --git a/jobs/gcp-db-data-masking/run.sh b/jobs/gcp-db-data-masking/run.sh
new file mode 100644
index 0000000000..6d7373b73c
--- /dev/null
+++ b/jobs/gcp-db-data-masking/run.sh
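Review bot: `FROM google/cloud-sdk:latest` floats, so every rebuild pulls whatever that tag points at and a job that deletes and recreates a database can change behaviour with no change in this repository; pin a version tag such as `FROM google/cloud-sdk:<VERSION>` (digest recorded alongside) and bump it deliberately. `USER root` is never followed by a switch back, so run.sh executes as root; gcloud and gsutil appear to need only a writable working directory and config home, so a dedicated user created before the `COPY` and selected with `USER` before `CMD` should work (confirm the runtime injects credentials in a way that user can read). `EXPOSE 8080` documents a listening port that nothing in run.sh opens; since this image is a one-shot job, drop it. The `RUN mkdir /opt/app-root && chmod 755 /opt/app-root` line duplicates what `WORKDIR /opt/app-root` already does.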
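Review bot: The `images:` list names only the `${_TAG}` image, so the `${SHORT_SHA}`-tagged build produced on the `args:` line is never pushed and the registry ends up holding only a mutable tag for this job. Add `"${_LOCATION}-docker.pkg.dev/${PROJECT_ID}/${_REGISTRY_REPO}/${_IMAGE}:${SHORT_SHA}"` to `images:` so each commit has an immutable reference to deploy from and audit against.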
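Review bot: The stub `echo "mask script goes in here"` exits 0, so the run.sh caller in this same commit treats masking as done and proceeds to load the dump and grant the readonly and auth roles access to it. Until the real masking exists the stub should fail loudly rather than succeed silently: `echo "db_mask.sh: masking not implemented" >&2` followed by `exit 1`, so the job stops instead of publishing unmasked data.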
@@ -0,0 +1,31 @@
+#!/bin/bash
+root_dir="/opt/app-root"
+cd $root_dir
+
+echo "recreating sandbox db"
+gcloud sql instances restart "${DB_NAME}-tools"
+gcloud --quiet sql databases delete $DB_NAME --instance="${DB_NAME}-tools"
+gcloud --quiet sql databases create $DB_NAME --instance="${DB_NAME}-tools"
+gsutil cp "gs://${DB_NAME}-dump-${ENV}/${DB_NAME}.sql.gz" ${DB_NAME}.sql.gz
+
+echo "starting mask script"
+sh db_mask.sh
+echo "loading dump into sandbox db"
+gcloud --quiet sql import sql "${DB_NAME}-tools" "gs://${DB_NAME}-dump-${ENV}/${DB_NAME}.sql.gz" --database=$DB_NAME --user=$DB_USER
+
+touch readonly.sql
+
+echo "writing grants to users ..."
+
+echo "GRANT USAGE ON SCHEMA public TO readonly;" >> readonly.sql
+echo "GRANT SELECT ON ALL TABLES IN SCHEMA public to readonly;" >> readonly.sql
+echo "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly;" >> readonly.sql
+
+echo "GRANT USAGE ON SCHEMA public TO auth;" >> readonly.sql
+echo "GRANT SELECT ON ALL TABLES IN SCHEMA public to auth;" >> readonly.sql
+echo "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO auth;" >> readonly.sql
+echo "GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO auth;" >> readonly.sql
+
+echo "applying readonly user changes ..."
+gsutil cp readonly.sql "gs://${DB_NAME}-dump-${ENV}/"
+gcloud --quiet sql import sql "${DB_NAME}-tools" "gs://${DB_NAME}-dump-${ENV}/readonly.sql" --database=$DB_NAME --user=$DB_USER
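Review bot: The import after `echo "loading dump into sandbox db"` reads `gs://${DB_NAME}-dump-${ENV}/${DB_NAME}.sql.gz` straight from the bucket, so the local copy fetched by `gsutil cp` a few lines earlier is never used and nothing `db_mask.sh` does to it can reach the sandbox database; the readonly and auth roles granted further down then get SELECT on unmasked data. Either upload the masked local file back to the bucket (as the script already does for readonly.sql) and import that object, or run the masking as SQL after the import, and make the step fail when masking did not happen. The script also has no `set -euo pipefail`, so a failed `delete`, `create` or `import` is ignored and the following commands run against whatever state is left; add it after the shebang and quote `$DB_NAME`, `$DB_USER` and `$root_dir` while there. `sh db_mask.sh` ignores that file's bash shebang; `bash db_mask.sh` matches it and the `CMD` style used in the Dockerfile.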