主页 / server / 问题 / 1141846
Accepted
x-yuri
Asked: 2023-08-18 10:06:39 +0800 CST

通过 Cloud SQL Auth 代理连接时是否需要密码?

  • 772

看来这是必要的,因为它要求我输入密码。但如果是这样,那么拥有 2 个凭据(凭据文件 + 密码)有什么意义呢?

如果没有,那我错过了什么?

文档对此并没有透露太多

如果出现提示,请输入密码。

为了从本地机器上测试它,我做了:

docker-compose.yml

services:
  app:
    build: .
    command: sleep infinity
    init: true
    volumes:
      - .:/app
    depends_on:
      - proxy

  proxy:
    image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.6.0
    command:
      --address 0.0.0.0
      --credentials-file /credentials.json
      --debug
      myprj:europe-central2:db
    volumes:
      - ./credentials.json:/credentials.json

Dockerfile

FROM google/cloud-sdk:435.0.1-alpine
RUN apk add terraform postgresql15-client
WORKDIR /app

main.tf

provider "google" {
  project = "myprj"
}

resource "google_sql_database_instance" "test-auth" {
  deletion_protection = false
  name = "db"
  region = "europe-central2"
  database_version = "POSTGRES_11"
  settings {
    tier = "db-f1-micro"
  }
}

resource "google_sql_user" "test-auth" {
  name = "postgres"
  instance = google_sql_database_instance.test-auth.name
  password = 123456
}

resource "google_service_account" "test-auth" {
  account_id = "dbaccount"
}

resource "google_project_iam_member" "test-auth" {
  project = "myprj"
  role    = "roles/cloudsql.client"
  member  = "serviceAccount:${google_service_account.test-auth.email}"
}

$ gcloud auth application-default login
$ terraform init
$ terraform apply
// create the service account key, copy to ./credentials.json, restart the container
$ psql -h proxy -U postgres
google-cloud-platform

1 个回答

  1. Best Answer

    我缺少的是:

    还:

    • postgres用户不能用于 IAM 数据库身份验证,因为数据库用户名必须与服务帐户名称匹配

    这一切的结果是:

    docker-compose.yml

    services:
  app:
    build: .
    command: sleep infinity
    init: true
    volumes:
      - .:/app
    depends_on:
      - proxy

  proxy:
    image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.6.0
    command:
      --address 0.0.0.0
      --credentials-file /credentials.json
      --auto-iam-authn
      myprj:europe-central2:db
    volumes:
      - ./credentials.json:/credentials.json

    Dockerfile

    FROM google/cloud-sdk:435.0.1-alpine
RUN apk add terraform postgresql15-client
WORKDIR /app

    main.tf

    provider "google" {
  project = "myprj"
}

resource "google_sql_database_instance" "test-auth" {
  deletion_protection = false
  name = "mydb"
  region = "europe-central2"
  database_version = "POSTGRES_11"
  settings {
    tier = "db-f1-micro"
    database_flags {
      name = "cloudsql.iam_authentication"
      value = "on"
    }
  }
}

resource "google_sql_user" "test-auth-built-in" {
  name = "postgres"
  instance = google_sql_database_instance.test-auth.name
  password = 123456
}

resource "google_service_account" "test-auth" {
  account_id = "myaccount"
}

resource "google_project_iam_member" "test-auth" {
  project = "myprj"
  role    = "roles/cloudsql.client"
  member  = "serviceAccount:${google_service_account.test-auth.email}"
}

resource "google_project_iam_member" "test-auth-instance-user" {
  project = "myprj"
  role    = "roles/cloudsql.instanceUser"
  member  = "serviceAccount:${google_service_account.test-auth.email}"
}

resource "google_sql_user" "test-auth-iam" {
  name = "[email protected]"
  instance = google_sql_database_instance.test-auth.name
  type = "CLOUD_IAM_SERVICE_ACCOUNT"
}

    $ gcloud auth application-default login
$ terraform init
$ terraform apply
// create the service account key, copy to ./credentials.json, restart the container
$ psql -h proxy -U [email protected] postgres
    • 0

相关问题