
IAM conditional access to specific SQL instance

I'm trying to configure conditional IAM access to a specific Postgres SQL instance.

I start by giving the user the "Cloud SQL Viewer" role without a condition, so that they can see the available resources.
Additionally I assign the "Cloud SQL Studio User" role, because it has the cloudsql.instances.executeSql permission. This works fine so far.

Now I start adding conditional rules in IAM, following these instructions: https://cloud.google.com/sql/docs/postgres/iam-conditions#console_1 , resulting in this expression for the condition:

"expression": "resource.name == \"projects/my-project/instances/my-instance\""

This doesn't work.
I start to loosen the condition and shorten the resource name parameter until it finally starts working with:

"expression": "resource.name.startsWith(\"projects/my-project\")"

It stops working as soon as I add even a slash after the project id:

"expression": "resource.name.startsWith(\"projects/my-project/\")"

This is how the resource path looks:

$ gcloud sql instances describe --project=my-project my-instance | grep selfLink
selfLink: https://sqladmin.googleapis.com/sql/v1beta4/projects/my-project/instances/my-instance

I have also tried with "endsWith" and "my-instance" to no avail.

How do I address the instance correctly with the resource name?

Our hierarchy is Org -> Folder -> Projects.
The project name equals the project id (output anonymised):

$ gcloud projects describe my-project
createTime: '2016-12-12T00:00:00.000Z'
lifecycleState: ACTIVE
name: my-project
parent:
  id: '717171717171'
  type: folder
projectId: my-project
projectNumber: '818181818181'


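The observations in the question can be turned into a small diagnostic. The Python below is an added example, not code from this thread or from Google: it models the tiny CEL subset used here (`==`, `startsWith` and `endsWith` on `resource.name`), evaluates the posted expressions against a few candidate values of `resource.name`, and reports which candidate reproduces exactly what was observed (the bare project prefix matches, anything after the project ID fails). Everything about the candidates is an assumption: the documented instance name `projects/PROJECT_ID/instances/INSTANCE_ID`, the bare project name `projects/PROJECT_ID` (the value a permission checked at project scope rather than against the instance would see, a hypothesis to confirm against the Cloud SQL IAM conditions page linked in the question), and the `selfLink` URL from the `gcloud` output. The evaluator is a hand-written stand-in, not the real IAM engine.

```python
"""Model of IAM condition evaluation on resource.name (added example, not from the thread).

ASSUMPTIONS (labelled): the evaluator is a hand-written stand-in for the CEL
subset the thread uses; the candidate resource names are hypotheses, not
values observed from IAM; PROJECT_ID / INSTANCE_ID are the placeholders
used in the question.
"""
import re

PROJECT_ID = "my-project"
INSTANCE_ID = "my-instance"

# The expressions posted in the question and in the first reply.
EXPRESSIONS = {
    "equals_instance": f'resource.name == "projects/{PROJECT_ID}/instances/{INSTANCE_ID}"',
    "startswith_project": f'resource.name.startsWith("projects/{PROJECT_ID}")',
    "startswith_project_slash": f'resource.name.startsWith("projects/{PROJECT_ID}/")',
    "startswith_instance": f"resource.name.startsWith('projects/{PROJECT_ID}/instances/{INSTANCE_ID}')",
}

# Outcome reported in the question: only the bare project prefix matched.
OBSERVED = {
    "equals_instance": False,
    "startswith_project": True,
    "startswith_project_slash": False,
    "startswith_instance": False,
}

# Candidate values of resource.name (hypotheses to test against OBSERVED).
CANDIDATE_RESOURCE_NAMES = [
    f"projects/{PROJECT_ID}/instances/{INSTANCE_ID}",  # documented Cloud SQL instance name
    f"projects/{PROJECT_ID}",                           # bare project (project-scoped check)
    f"https://sqladmin.googleapis.com/sql/v1beta4/projects/{PROJECT_ID}/instances/{INSTANCE_ID}",  # the selfLink URL
]

_EQUALS = re.compile(r"""^resource\.name == (["'])(.*)\1$""")
_CALL = re.compile(r"""^resource\.name\.(startsWith|endsWith)\((["'])(.*)\2\)$""")


def evaluate(expression: str, resource_name: str) -> bool:
    """Evaluate one condition expression against a resource name.

    Supports only the CEL subset used in the thread: equality, startsWith
    and endsWith on resource.name, with single- or double-quoted literals.
    """
    m = _EQUALS.match(expression)
    if m:
        return resource_name == m.group(2)
    m = _CALL.match(expression)
    if m:
        func, _, literal = m.groups()
        if func == "startsWith":
            return resource_name.startswith(literal)
        return resource_name.endswith(literal)
    raise ValueError(f"unsupported expression: {expression!r}")


def evaluate_all(resource_name: str) -> dict:
    """Result of every posted expression for a single resource name."""
    return {name: evaluate(expr, resource_name) for name, expr in EXPRESSIONS.items()}


def candidates_matching_observation(candidates) -> list:
    """Which candidate resource names reproduce the reported behaviour exactly."""
    return [c for c in candidates if evaluate_all(c) == OBSERVED]


if __name__ == "__main__":
    for candidate in CANDIDATE_RESOURCE_NAMES:
        print(candidate)
        for name, result in evaluate_all(candidate).items():
            print(f"  {name:26} {result}")
    print("consistent with the report:", candidates_matching_observation(CANDIDATE_RESOURCE_NAMES))
```

Under this model the only candidate consistent with the report is the bare project name: the documented instance name satisfies all four expressions, and the selfLink URL satisfies none. That points at the permission under test being evaluated against the project rather than against the instance; whether a given Cloud SQL permission supports instance-level conditions is something to confirm against the documentation linked in the question before changing the binding.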

This works for me:

"resource.name.startsWith('projects/project_id/instances/myInstanceName')"

Thanks for confirming that it should work. I wished it would work for us as well, but I can't add anything after my project name.

I can even use only part of the project id, like

"resource.name.startsWith('projects/proje')"

and that works. But as soon as I add a "/" after the full project id it stops working for us.

Hi,

Did you resolve this issue?

Unfortunately not.

Did you run into the same issue?