Overview of Cloud SQL (PostgreSQL) authentication

Overview of Cloud SQL (PostgreSQL) authentication.md

Overview of Cloud SQL (PostgreSQL) authentication

There are 2 ways to connect to a Cloud SQL database: directly, or via a connector. 2 types of connectors are supported: standalone (Cloud SQL Auth Proxy), and in-process (Cloud SQL Language Connector, available for Java, Python, Go, and Node.js).

There are also 2 ways to authenticate to a database:

• The PostgreSQL's built-in authentication (password).
• IAM database authentication. In this case you need an IAM service account and a matching PostgreSQL user.

But before you can do that, you need to give yourself access to the database (authorize the connection):

• If you're connecting directly, you need to add the client's IP to authorized networks. In this case you also most likely want to make use of SSL/TLS.

• If you're connecting via a connector, you need to provide it with a service account that has the cloudsql.instances.connect permission. One way to do that is to grant the Cloud SQL Client role (roles/cloudsql.client) to the service account. In this case you don't need to bother with SSL/TLS, the connector handles this for you (encrypts the connection). Additionally, if you're using a standalone connector (Cloud SQL Auth Proxy), the connection between it and a client is not encrypted, as such you most likely want to keep the connector on the same machine.

To use IAM database authentication you need to:

• enable it on the instance
• give the service account the cloudsql.instances.login permission, e.g. by granting the Cloud SQL Instance User role (roles/cloudsql.instanceUser) to it
• start the proxy with the --auto-iam-authn flag (if you use Cloud SQL Auth Proxy)

To use SSL/TLS you need a server certificate (which is created automatically when you create an instance) and client certificates. You're notified when a server certificate expires, but not when a client certificate does. When connecting directly using SSL/TLS is strongly recommended. When using a connector configuring SSL/TLS is not needed.

To view Cloud SQL logs:

$ gcloud logging read "resource.type=cloudsql_database" --project=PROJECT_ID --limit=10

Examples of filter expressions:

• resource.type=cloudsql_database
• logName=projects/PROJECT_ID/logs/cloudsql.googleapis.com%2Fpostgres.log
• projects/PROJECT_ID/logs/cloudsql.googleapis.com%2Fpostgres.log
• resource.type=cloudsql_database AND logName=projects/PROJECT_ID/logs/cloudsql.googleapis.com%2Fpostgres.log
• resource.type=cloudsql_database AND projects/PROJECT_ID/logs/cloudsql.googleapis.com%2Fpostgres.log

Other useful arguments: --freshness (defaults to 1d), --order (defaults to desc).

Additionally:

• When you create a Cloud SQL instance the postgres user is created with no password. You need to set the password to be able to authenticate.
• You can't have superusers on Cloud SQL.
• Users created with gcloud initially have the same permissions as postgres.
• authorized networks can contain both IP addresses and IP ranges.
• How the proxy works is described here.
• Automatic instance discovery is not recommended in production.
• Where the proxy looks for credentials is described here.
• It seems like PostgreSQL connections used to hang w/o sslmode=disable, which doesn't seem to be an issue these days.
• Using the Cloud SQL Auth Proxy's --port flag reduces startup time.

IAM database authentication + Cloud SQL Auth Proxy (ruby)
IAM database authentication + Cloud SQL Auth Proxy
built-in authentication + SSL/TLS

How to:

• enable public IP
• change authorized networks
• reset authorized networks
• disable public IP
• list db users
• create a user
• change a password
• remove a user
• set cloudsql.iam_authentication
• create a service account
• create a matching db user
• remove the matching db user
• start the proxy under docker
• start the proxy with IAM database authentication
• enforce using the proxy
• get information about the server certificate
• create a client certificate
• get the public key of a client certificate
• delete a client certificate
• reset the SSL/TLS configuration
• enforce using SSL/TLS
• view IAM policy of a project
• grant a role to a principal
• revoke a role from a principal

The docs:

• Cloud SQL IAM database authentication (2 ways to authenticate, automatic and manual IAM database authentication, what's needed: the permission, the role, an IAM principal, a database user, the instance flag)
• Configure new and existing instances for IAM database authentication (how to add the cloudsql.iam_authentication flag)
• About PostgreSQL users and roles (differences between database users and roles, superuser restrictions, default PostgreSQL users, IAM database authentication, creating users)
• Cloud SQL built-in database authentication (2 ways to authenticate)
• Create and manage users (how to change a password, create/remove a user, list users)
• Manage users with IAM authentication (troubleshooting login failures, how to create a matching database user, remove a database user)
• Log in using IAM database authentication (how to start the proxy)
• About access control (levels of access control)
• IAM for Cloud SQL (roles, permissions and conditions)
• Roles and permissions (overview of IAM, what permissions are necessary, viewing and changing the project's policy, best practices)
• Use IAM Conditions (types of attributes, giving access to specific Cloud SQL instances)
• About connection options (ways to authenticate/get authorization, Cloud SQL Language Connectors, Cloud SQL Auth Proxy, self-managed SSL/TLS certificates, authorized networks)
• Configure public IP (troubleshooting, how to assign/deassign a public IP, changing authorized networks)
• Authorize with authorized networks (how to change authorized networks)
• Authorize with SSL/TLS certificates (enforcing SSL/TLS, what files are needed, server certificates, rotation, authorized networks, expiry)
• Configure SSL/TLS certificates (how to enforce SSL/TLS, create/get a server/client certificate)
• Manage SSL/TLS certificates (how to get/delete a client certificate, rotate a server certificate, describe a server certificate, reset SSL/TLS configuration)
• About the Cloud SQL Auth Proxy (benefits of Cloud SQL Auth Proxy, how Cloud SQL Auth Proxy works, requirements, startup options, a service account, required permissions, instance discovery, production environment, enforcing the use of Cloud SQL Auth Proxy)
• Connect using the Cloud SQL Auth Proxy (what it does, where it looks for credentials, troubleshooting, how to download, start, connect with psql, create a service account, enforce the use of Cloud SQL Auth Proxy, multiple instances)
• Connect using a psql client (how to change authorized networks, connect w/ and w/o SSL/TLS)
• Cloud SQL permissions
• Cloud SQL roles (which permissions include which roles)
• Cloud SOL Auth Proxy README.md

Logging:

• Debug connection issues / Tools for debugging connectivity / Cloud Logging / View logs
• Troubleshoot / Logging
• View instance logs / View logs
• View instance logs / Troubleshoot

Troubleshooting:

• Troubleshoot (how to view the logs)
• Debug connection issues (connection issues checklist, how to view the logs)
• Manage users with IAM authentication / Troubleshoot a login failure
• Configure public IP / Troubleshoot
• Connect using the Cloud SQL Auth Proxy / Troubleshoot Cloud SQL Auth Proxy connections
• View instance logs (how to view the logs, troubleshooting)
• Cloud SQL for PostgreSQL error messages
• Known issues (sslmode=disabled, or else connections hang)

Quickstarts:

• Connect to Cloud SQL for PostgreSQL using the Cloud SQL Auth Proxy
• Connect to Cloud SQL for PostgreSQL from your local computer
• Using Cloud SQL for PostgreSQL with Rails 5