Add support for IAM Auth for Google CloudSQL DBs #22445
Conversation
github-actions
bot
added
the
hashicorp-contributed-pr
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
vinay-gopalan
changed the title
|
Build Results: |
| @@ -29,6 +35,8 @@ type mySQLConnectionProducer struct { | |||
| MaxConnectionLifetimeRaw interface{} `json:"max_connection_lifetime" mapstructure:"max_connection_lifetime" structs:"max_connection_lifetime"` | |||
| Username string `json:"username" mapstructure:"username" structs:"username"` | |||
| Password string `json:"password" mapstructure:"password" structs:"password"` | |||
| AuthType string `json:"auth_type" mapstructure:"auth_type" structs:"auth_type"` | |||
| ServiceAccountJSON string `json:"service_account_json" mapstructure:"service_account_json" structs:"service_account_json"` | |||
There was a problem hiding this comment.
nit: I was going to suggest adding a comment to this field to document that it is only for GCP. But maybe we should consider renaming it instead? I think in Vault-land we usually use GOOGLE_APPLICATION_CREDENTIALS for service account JSON.
There was a problem hiding this comment.
Interesting point! This field was originally named credentials, and was renamed to service_account_json with the same intent of making it GCP specific. I would say service_account_json suffices enough to make it explicit that this is a GCP related field because in the IAM context, I think only GCP uses the term 'service accounts' as far as I know 🤔 (I believe AWS just calls them IAM users). If it is not clear enough I can add in a comment like you suggested!
Here's the original renaming discussion for context: #22445 (comment)
There was a problem hiding this comment.
We're still making use of the GOOGLE_APPLICATION_CREDENTIALS under the hood as the environment variable though, since that is what the gcloud sdk also expects (similar to Vault)
| @@ -29,8 +37,15 @@ type SQLConnectionProducer struct { | |||
| MaxConnectionLifetimeRaw interface{} `json:"max_connection_lifetime" mapstructure:"max_connection_lifetime" structs:"max_connection_lifetime"` | |||
| Username string `json:"username" mapstructure:"username" structs:"username"` | |||
| Password string `json:"password" mapstructure:"password" structs:"password"` | |||
| AuthType string `json:"auth_type" mapstructure:"auth_type" structs:"auth_type"` | |||
There was a problem hiding this comment.
Not blocking but we could validate that the given auth_type is one we support and provide an error message indicating misconfiguration. Right now I think it would accept anything as input.
There was a problem hiding this comment.
Added auth type validation with some basic tests in f9c5f7f
This pull requests adds Google Cloud IAM-based auto-authorization capability to the MySQL and PostgreSQL database types.
Specifically, it adds an
auth_type(with supported valuegcp_iam) andcredentialsfield to the database/config request. When set, the database backend will use GCP IAM authorization (supplied either via the environment or via the credentials field), and can understand the GCP location triple in theconnection_urlfield:Example:
Note that MSSQL on GCP doesn't support auto IAM connections, and so isn't supported here.
In technical implementation, the new auth_type field signals the switch into the IAM auth path, which in GCPs case involves using their custom dialer/driver implementation.