

Hello,

I have a Cloud SQL Postgres database running with a private IP on a VPC. I have an App Engine Node.js 16 standard environment service running with Serverless VPC Access. I have added the IAM service account of the App Engine as a user to the database. I have created the database that I want to use. My App Engine service is able to reach the database but it's not able to authenticate.

It's unclear to me how I should authenticate the service to the database.

Do I have to present credentials (username, password)? Which credentials should I then present for an IAM service account? Do I use the auth proxy? But how do I make that work with App Engine? Did I miss some configuration?

Thanks in advance.


Since for a private instance the connection would happen over TCP within the VPC, the authentication details would only be the username and password of the database. You would connect directly to the host's IP and port. Here is a snippet of the code to establish a private connection from a Node.js App Engine app:

const Knex = require('knex'); // query builder that manages the pg connection pool

const createTcpPool = async config => {
  const dbConfig = {
    client: 'pg',
    connection: {
      host: process.env.INSTANCE_HOST, // e.g. '127.0.0.1'
      port: process.env.DB_PORT, // e.g. '5432'
      user: process.env.DB_USER, // e.g. 'my-user'
      password: process.env.DB_PASS, // e.g. 'my-user-password'
      database: process.env.DB_NAME, // e.g. 'my-database'
    },
    // ... Specify additional properties here.
    ...config,
  };

  // Establish a connection to the database.
  return Knex(dbConfig);
};

The complete code can be found in this guide.

Hello,

Thank you for your time. Like I mentioned in my post I don't know which credentials to present for an IAM service account. I don't have a password for the App Engine service account. I am under the impression that the credentials get injected if you use the SQL auth proxy but I don't know how to run it with App Engine (not locally, in the cloud to be clear). If I do have to present the credentials as shown in your example then I don't know which password I should present. Also, that would force me to manage the password again and then I'm not really sure what the added benefit of service accounts is. It's not additional security then or am I missing something?


@Ruven wrote:

If I do have to present the credentials as shown in your example then I don't know which password I should present


The credentials shown in the snippet are user credentials used to authenticate to the database itself (since you would be connecting to a database in the same network). These credentials are defined when creating a Cloud SQL instance.

Authenticating purely with IAM is not completely supported with Node.js. For Java, Python, and Go services, you can use one of the available connectors and connect to an instance that has been configured to allow IAM Authentication.

However, you could try using manual IAM authentication which manually generates a token used to authenticate.
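A worked version of the manual IAM authentication route mentioned above, added here as an example; it is not code from this thread or from Google's own samples. It assumes the `pg` and `google-auth-library` packages, an instance with the `cloudsql.iam_authentication` flag enabled and the App Engine service account added as an IAM database user, and the instance's server CA certificate available at the path in `DB_SERVER_CA` (all environment variable names are assumptions).

```javascript
const LOGIN_SCOPE = 'https://www.googleapis.com/auth/sqlservice.login';
const SA_SUFFIX = '.gserviceaccount.com';
// Cloud SQL names an IAM database user after the service account e-mail
// with the '.gserviceaccount.com' suffix removed.
function iamDbUserFromEmail(email) {
  if (!email.endsWith(SA_SUFFIX)) {
    throw new Error(`not a service account e-mail: ${email}`);
  }
  return email.slice(0, -SA_SUFFIX.length);
}

// Short-lived OAuth 2.0 access token for the runtime service account (App
// Engine's default credentials), requested with the Cloud SQL login scope.
async function fetchLoginToken() {
  const { GoogleAuth } = require('google-auth-library');
  const client = await new GoogleAuth({ scopes: [LOGIN_SCOPE] }).getClient();
  const { token } = await client.getAccessToken();
  if (!token) throw new Error('no access token returned');
  return token;
}

// The token stands in for a password and is fetched per connection (pg accepts
// a password function), so an expired token is never reused. `ca` pins the
// instance's own server CA (like psql sslmode=verify-ca); the hostname check is
// skipped because that certificate names the instance, not its private IP.
function buildPoolConfig({ host, port, database, saEmail, caPem, getToken }) {
  return {
    host,
    port: Number(port),
    database,
    user: iamDbUserFromEmail(saEmail),
    password: getToken,
    ssl: { ca: caPem, checkServerIdentity: () => undefined },
  };
}

// Assumed env vars (set in app.yaml): INSTANCE_HOST (private IP), DB_PORT,
// DB_NAME, SA_EMAIL and DB_SERVER_CA (path to the downloaded server-ca.pem).
async function createIamPool() {
  const fs = require('fs');
  const { Pool } = require('pg');
  return new Pool(buildPoolConfig({
    host: process.env.INSTANCE_HOST,
    port: process.env.DB_PORT || '5432',
    database: process.env.DB_NAME,
    saEmail: process.env.SA_EMAIL, // e.g. my-project@appspot.gserviceaccount.com
    caPem: fs.readFileSync(process.env.DB_SERVER_CA, 'utf8'),
    getToken: fetchLoginToken,
  }));
}
```

Because no long-lived database password exists, revoking the service account's `roles/cloudsql.instanceUser` role is enough to cut off access, which is the benefit over the username/password approach asked about above.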