Automatic IAM Authentication #345
Comments
Hi @withnale! Thanks for raising a feature request on the AlloyDB Auth Proxy 😄 Yes, now that the AlloyDB Users API has launched into GA, we should be able to at the very least start scoping out the work to add Automatic IAM database AuthN to the proxy. AlloyDB IAM AuthN is still in Public Preview; it should be going GA later this quarter, and we will probably want to wait until then before we integrate the feature into the proxy in case of any API or design changes. We will provide updates on this bug and use it to track progress towards the feature. Thanks for raising this feature request, have a great day! 😄
Quick clarification -- that's the REST API which is available right now, but currently Auto IAM AuthN isn't available. We can't comment on the roadmap, but will update here if there's any change to all that.
On June 27th, it looks like the remaining backend functionality was enabled. "IAM authentication for AlloyDB is available in Preview. You can add a role to Identity and Access Management (IAM) user or service accounts that lets them log into AlloyDB instances as database users."
Technically, that's manual IAM authentication. That means the caller has to provide the OAuth2 token as a password. That works fine for one-off connections, but when using connection pools, that works less well (e.g., the token expires after an hour and so the connection pool can't reconnect). In Cloud SQL, the Auto IAM AuthN feature is provided by the Proxy, where it refreshes the OAuth2 token and provides it to the backend server. We don't have that yet here, but will update this thread when we have any news.
I guess I need to look at the cloudsql-proxy implementation. I had assumed that the proxy was just maintaining the necessary valid token (like the manual flow) and replacing it into the conversations to cloudsql.
Yes, that's effectively correct. But the mechanism for transporting the token to the backend server uses the ephemeral certificate in Cloud SQL. Presently, there's no such mechanism for AlloyDB, but again, I'll update here when that changes. ;-)
I understand that IAM authentication for AlloyDB is now in preview, is this unblocked from being able to be supported now? (Source: https://cloud.google.com/alloydb/docs/manage-iam-authn)
@adamstrawson Yes it is now unblocked, the team is currently working on the change to support automatic IAM authentication. The work is being done with PR #423 |
@adamstrawson FWIW you can do the equivalent of Auto IAM Authentication on the direct path with either database/sql or pgx. If there's interest, I can show you how here. |
@enocom , I would greatly appreciate seeing your example implementation |
Here are some examples:
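The pattern discussed earlier in the thread (a fresh OAuth2 token supplied as the password on every new pool connection, so the one-hour token lifetime never strands the pool), as an added Go example that is not the commenter's code and not part of the proxy or connector. It assumes a stand-in Token/TokenSource pair in place of golang.org/x/oauth2 and a DSN-rewriting helper in place of pgxpool's BeforeConnect hook, so it runs with the standard library only; in production you would plug in google.DefaultTokenSource and hand the result to pgx or database/sql.

```go
package main

import (
	"net/url"
	"sync"
	"time"
)

// Token and TokenSource mirror the oauth2 types (assumption: use oauth2.Token
// and google.DefaultTokenSource from golang.org/x/oauth2 in production).
type Token struct {
	AccessToken string
	Expiry      time.Time
}
type TokenSource interface{ Token() (*Token, error) }
// RefreshingSource caches a token and re-fetches once it is within Skew of
// expiry, so a pool reconnecting after the hour lifetime never sends a stale one.
type RefreshingSource struct {
	mu   sync.Mutex
	Src  TokenSource
	Skew time.Duration
	cur  *Token
}
func (r *RefreshingSource) Token() (*Token, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.cur != nil && time.Now().Add(r.Skew).Before(r.cur.Expiry) {
		return r.cur, nil // fresh enough to outlive the connection handshake
	}
	t, err := r.Src.Token()
	if err != nil {
		return nil, err
	}
	r.cur = t
	return t, nil
}

// DSNWithToken puts the current access token in the password slot of a
// postgres:// DSN; do this (or set cfg.Password in pgxpool's BeforeConnect
// hook) for every new connection, never once at startup.
func DSNWithToken(base string, ts TokenSource) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	t, err := ts.Token()
	if err != nil {
		return "", err
	}
	u.User = url.UserPassword(u.User.Username(), t.AccessToken)
	return u.String(), nil
}
```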
Lastly FWIW we're just about to ship this feature in the Go Connector and Proxy. |
This is available now in v1.5.0 -- just pass the
Feature Description
With the cloudsql-proxy the option exists for an automated IAM authenticated login when setting the auto-iam-authn command line option. (see https://github.com/GoogleCloudPlatform/cloud-sql-proxy)
With the most recent version of gcloud-cli it is possible now to create an IAM user using...
Would it now be possible to build in the automated IAM login logic, which I assume should be very similar to the implementation in cloudsql-proxy?
Sample code
No response
Alternatives Considered
No response
Additional Details
No response