Início / server / Perguntas / 1141846
Accepted
x-yuri
Asked: 2023-08-18 10:06:39 +0800 CST

A senha é necessária ao conectar-se por meio do Cloud SQL Auth Proxy?

  • 772

Parece que é necessário, porque me pede a senha. Mas se sim, então qual é o sentido de ter 2 credenciais (um arquivo de credenciais + senha)?

Se não, então o que estou perdendo?

Os documentos não são muito reveladores sobre isso:

Se solicitado, digite a senha.

Para testá-lo na máquina local eu fiz:

docker-compose.yml:

services:
  app:
    build: .
    command: sleep infinity
    init: true
    volumes:
      - .:/app
    depends_on:
      - proxy

  proxy:
    image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.6.0
    command:
      --address 0.0.0.0
      --credentials-file /credentials.json
      --debug
      myprj:europe-central2:db
    volumes:
      - ./credentials.json:/credentials.json

Dockerfile:

FROM google/cloud-sdk:435.0.1-alpine
RUN apk add terraform postgresql15-client
WORKDIR /app

main.tf:

provider "google" {
  project = "myprj"
}

resource "google_sql_database_instance" "test-auth" {
  deletion_protection = false
  name = "db"
  region = "europe-central2"
  database_version = "POSTGRES_11"
  settings {
    tier = "db-f1-micro"
  }
}

resource "google_sql_user" "test-auth" {
  name = "postgres"
  instance = google_sql_database_instance.test-auth.name
  password = 123456
}

resource "google_service_account" "test-auth" {
  account_id = "dbaccount"
}

resource "google_project_iam_member" "test-auth" {
  project = "myprj"
  role    = "roles/cloudsql.client"
  member  = "serviceAccount:${google_service_account.test-auth.email}"
}

$ gcloud auth application-default login
$ terraform init
$ terraform apply
// create the service account key, copy to ./credentials.json, restart the container
$ psql -h proxy -U postgres
google-cloud-platform

1 respostas

  1. Best Answer

    O que estava faltando é:

    Também:

    • o postgresusuário não pode ser usado para autenticação do banco de dados IAM porque o nome de usuário do banco de dados deve corresponder ao nome da conta de serviço

    Tudo isso resulta em:

    docker-compose.yml:

    services:
  app:
    build: .
    command: sleep infinity
    init: true
    volumes:
      - .:/app
    depends_on:
      - proxy

  proxy:
    image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.6.0
    command:
      --address 0.0.0.0
      --credentials-file /credentials.json
      --auto-iam-authn
      myprj:europe-central2:db
    volumes:
      - ./credentials.json:/credentials.json

    Dockerfile:

    FROM google/cloud-sdk:435.0.1-alpine
RUN apk add terraform postgresql15-client
WORKDIR /app

    main.tf:

    provider "google" {
  project = "myprj"
}

resource "google_sql_database_instance" "test-auth" {
  deletion_protection = false
  name = "mydb"
  region = "europe-central2"
  database_version = "POSTGRES_11"
  settings {
    tier = "db-f1-micro"
    database_flags {
      name = "cloudsql.iam_authentication"
      value = "on"
    }
  }
}

resource "google_sql_user" "test-auth-built-in" {
  name = "postgres"
  instance = google_sql_database_instance.test-auth.name
  password = 123456
}

resource "google_service_account" "test-auth" {
  account_id = "myaccount"
}

resource "google_project_iam_member" "test-auth" {
  project = "myprj"
  role    = "roles/cloudsql.client"
  member  = "serviceAccount:${google_service_account.test-auth.email}"
}

resource "google_project_iam_member" "test-auth-instance-user" {
  project = "myprj"
  role    = "roles/cloudsql.instanceUser"
  member  = "serviceAccount:${google_service_account.test-auth.email}"
}

resource "google_sql_user" "test-auth-iam" {
  name = "[email protected]"
  instance = google_sql_database_instance.test-auth.name
  type = "CLOUD_IAM_SERVICE_ACCOUNT"
}

    $ gcloud auth application-default login
$ terraform init
$ terraform apply
// create the service account key, copy to ./credentials.json, restart the container
$ psql -h proxy -U [email protected] postgres
    • 0

relate perguntas