Support IAM Authentication with Google Cloud SQL #671
return nil, fmt.Errorf("To use IAM auth with Google Cloud SQL, you must specify project ID, region, and instance ID") | ||
} | ||
hostOverride = strings.Join([]string{config.GcpProjectID, config.GcpRegion, config.GcpCloudSQLInstanceID}, ":") | ||
// When using cloud-sql-go-connector, this needs to be set as disable |
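Review bot: the trailing comment "this needs to be set as disable" names neither the setting nor the reason, and a reader who sees a connection option switched to disable right after the hostOverride assignment will want to know why that is acceptable. Name the parameter in the comment and link GoogleCloudPlatform/cloud-sql-go-connector#889, as offered in the thread. Separately, the fmt.Errorf string starts with a capital letter, which Go linters flag, and it does not say which of project ID, region or instance ID is missing; lower-casing it and naming the empty field would make a misconfiguration quicker to fix.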
This is a good write-up for why this needs to be disabled.
I can also add the link as a comment too if that helps:
GoogleCloudPlatform/cloud-sql-go-connector#889
21eea17 to 9430858
@@ -55,6 +59,14 @@ func Run(ctx context.Context, wg *sync.WaitGroup, globalCollectionOpts state.Col | |||
logger.PrintError("Failed to initialize OpenTelemetry tracing provider, disabling exports: %s", err) | |||
} | |||
} | |||
|
|||
if cfg.DbUseIamAuth && cfg.SystemType == "google_cloudsql" && driverCleanup == nil { | |||
driverCleanup, err = pgxv5.RegisterDriver("cloudsql-postgres", cloudsqlconn.WithIAMAuthN()) |
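Review bot: the driverCleanup == nil test in the new if condition is the only thing keeping pgxv5.RegisterDriver("cloudsql-postgres", ...) from running twice, and nothing in the hunk synchronizes it. Run takes a *sync.WaitGroup, so if this condition can be reached from more than one goroutine, or again on a later call with a different cfg, guard the registration with a sync.Once or a mutex instead of the bare nil check, since database/sql panics when the same driver name is registered a second time. A one-line comment saying why registration is limited to IAM-auth Cloud SQL configs would also help, because the condition's purpose is not stated in the code.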
I can't really do defer driverCleanup() here as the cleanup needs to happen at the caller, main.go.
Since there was already a nice shutdown func, I piggybacked on it and called driverCleanup() there.
Registering the driver needs to happen only one time per process, therefore it lives here and does the nil check of driverCleanup.
@@ -55,6 +59,14 @@ func Run(ctx context.Context, wg *sync.WaitGroup, globalCollectionOpts state.Col | |||
logger.PrintError("Failed to initialize OpenTelemetry tracing provider, disabling exports: %s", err) | |||
} | |||
} | |||
|
|||
if cfg.DbUseIamAuth && cfg.SystemType == "google_cloudsql" && driverCleanup == nil { |
I was initially registering the driver for everyone (as I thought registering wouldn't change anything unless we actually use it), but it turned out that it doesn't work, and the integration tests (aka testing outside of Google Cloud SQL) failed with the following error.
Failed to register cloudsql-postgres driver: failed to create default credentials: credentials: could not find default credentials. See https://cloud.google.com/docs/authentication/external/set-up-adc for more information
Since there was no problem running this with the GCP VM, I added this condition to only register when it's needed.
For #348, using approach 2: Cloud SQL Connector.
This is on top of the Go version bump PR, as the latest cloud-sql-go-connector library drops support for 1.21.
This introduces a new config variable GCP_REGION, as it's needed to make a host name.
Here are the docs for how users can use this:
docs PR: pganalyze/pganalyze-docs#305