
Add service account impersonation example to Google Cloud docs and README #2340

Open
jackwotherspoon opened this issue Nov 29, 2024 · 0 comments
Assignees
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: cleanup An internal cleanup or hygiene concern. type: docs Improvement to the documentation for an API.

Comments

@jackwotherspoon
Collaborator

Add detailed steps for SA impersonation with Proxy:

Feedback from #2338:

For the record, these are the key steps I had to take:

  • Cloud SQL instance has flag cloudsql.iam_authentication=ON
  • Cloud SQL user for the SA is created with type IAM (service account)
  • SA has Cloud SQL Client and Cloud SQL Instance User roles on the same project as the Cloud SQL instance
  • Principal impersonating the service account is granted Service Account Token Creator for the service account impersonated (SA acting as a resource and not a member here)

Our help message has an example but we should add a README section and Google Cloud docs section as well.

cloud-sql-proxy/cmd/root.go

Lines 193 to 205 in 9cb444c

Service Account Impersonation
The Proxy supports service account impersonation with the
--impersonate-service-account flag and matches gclouds flag. When enabled,
all API requests are made impersonating the supplied service account. The
IAM principal must have the iam.serviceAccounts.getAccessToken permission or
the role roles/iam.serviceAccounts.serviceAccountTokenCreator.
For example:
./cloud-sql-proxy \
--impersonate-service-account=impersonated@my-project.iam.gserviceaccount.com
my-project:us-central1:my-db-server
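The four setup steps quoted above, followed by the proxy invocation from the help text, as an added shell example that is not part of the cloud-sql-proxy project. The project, region, instance, service account and principal names are assumed placeholders, the instance is assumed to be Postgres (which determines the IAM username form), and DRY_RUN=1 (the default) prints the gcloud commands instead of running them.

```shell
#!/bin/sh
# Added example, not project code: the setup steps from the issue as gcloud
# commands. All names below are assumed placeholders; override via environment.
set -eu

PROJECT="${PROJECT:-my-project}"
REGION="${REGION:-us-central1}"
INSTANCE="${INSTANCE:-my-db-server}"
SA="${SA:-impersonated@${PROJECT}.iam.gserviceaccount.com}"
PRINCIPAL="${PRINCIPAL:-user:alice@example.com}"   # the impersonating principal
DRY_RUN="${DRY_RUN:-1}"                            # 1 = print commands only

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Postgres IAM usernames for service accounts drop the ".gserviceaccount.com" suffix.
iam_db_user() { printf '%s\n' "${1%.gserviceaccount.com}"; }

setup_impersonation() {
  # 1. Enable IAM database authentication on the instance.
  #    Caveat: --database-flags replaces the instance's whole flag set, so
  #    include any flags already configured on the instance.
  run gcloud sql instances patch "$INSTANCE" --project="$PROJECT" \
      --database-flags=cloudsql.iam_authentication=on
  # 2. Create the database user for the SA with type IAM service account.
  run gcloud sql users create "$(iam_db_user "$SA")" --instance="$INSTANCE" \
      --project="$PROJECT" --type=cloud_iam_service_account
  # 3. Grant the SA Cloud SQL Client and Cloud SQL Instance User on the
  #    instance's project (least privilege: no broader roles are needed).
  for role in roles/cloudsql.client roles/cloudsql.instanceUser; do
    run gcloud projects add-iam-policy-binding "$PROJECT" \
        --member="serviceAccount:$SA" --role="$role"
  done
  # 4. Grant the impersonating principal Token Creator ON the SA itself
  #    (SA as a resource), not project-wide, so the grant stays scoped.
  run gcloud iam service-accounts add-iam-policy-binding "$SA" \
      --project="$PROJECT" --member="$PRINCIPAL" \
      --role=roles/iam.serviceAccountTokenCreator
}

# Start the proxy impersonating the SA, matching the help text above.
start_proxy() {
  run ./cloud-sql-proxy --impersonate-service-account="$SA" \
      "${PROJECT}:${REGION}:${INSTANCE}"
}

setup_impersonation
start_proxy
```

Run with DRY_RUN=0 once the printed commands look right for your project; the Token Creator binding in step 4 is the one that is commonly missed, because it lives on the service account's own IAM policy rather than the project's.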

@jackwotherspoon jackwotherspoon added priority: p2 Moderately-important priority. Fix may not be included in next release. type: docs Improvement to the documentation for an API. type: cleanup An internal cleanup or hygiene concern. labels Nov 29, 2024
@jackwotherspoon jackwotherspoon self-assigned this Nov 29, 2024