Update docs for GCP Cloud SQL Client Authentication
Update docs for #9991.
jimbishopp committed Feb 2, 2022
1 parent a8a57b1 commit aefdf4e
Showing 2 changed files with 24 additions and 6 deletions.
9 changes: 8 additions & 1 deletion docs/pages/database-access/guides/mysql-cloudsql.mdx
@@ -26,9 +26,16 @@ Assign it the "Cloud SQL Admin" role:
database agent needs to generate one-time user passwords. To further restrict
the service account, you can create a role that includes only the following
permissions:
```text
```ini
# Used to download a list of database users.
cloudsql.users.list
# Used to update a user with a one-time password.
cloudsql.users.update
# Used to auto-download the instance's root CA certificate.
cloudsql.instances.get
# Used to generate an ephemeral client certificate when the GCP instance
# is configured to "Allow only SSL connections".
cloudsql.sslCerts.createEphemeral
```
</Admonition>

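Review bot: the comment on cloudsql.sslCerts.createEphemeral says it is needed only when the instance is set to "Allow only SSL connections", yet the list is introduced as the minimum set of permissions for the custom role in every deployment; since the point of this role is least privilege, state that this permission can be left out of the role when the instance does not require SSL connections. The fence change from ```text to ```ini matches the postgres guide and is fine.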
21 changes: 16 additions & 5 deletions docs/pages/database-access/guides/postgres-cloudsql.mdx
@@ -66,8 +66,14 @@ Teleport Database service with the following IAM roles:
- "Service Account Token Creator": will allow Database service to generate
IAM auth tokens when connecting to the database as the service account user
we created above.
- "Cloud SQL Viewer": will allow Database service to automatically download
your Cloud SQL instance root CA certificate.
- Either "Cloud SQL Viewer" or "Cloud SQL Admin":
- "Cloud SQL Viewer" will allow Database service to automatically download
your Cloud SQL instance root CA certificate, but does not support client
certificate authentication.
- "Cloud SQL Admin": will allow Database service to automatically download
your Cloud SQL instance root CA certificate and generate an
ephemeral client certificate when the GCP instance is configured to
"Allow only SSL connections".

If creating a new one, go to the [Service Accounts](https://console.cloud.google.com/iam-admin/serviceaccounts)
page and create another service account:
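Review bot: the two sub-bullets are punctuated differently: `- "Cloud SQL Viewer" will allow Database service ...` drops the colon that `- "Cloud SQL Admin": will allow ...` and the surrounding bullets use; make it `- "Cloud SQL Viewer": will allow Database service ...`. It would also help a reader choosing between the two roles to say here that "Cloud SQL Admin" is the broader grant and that the "Service account permissions" note further down in this guide shows how to narrow it to the three permissions the agent actually uses.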
@@ -79,15 +85,20 @@ Assign it the "Service Account Token Creator" role:
![Grant Service Account Token Creator to Service Account](../../../img/database-access/guides/cloudsql/[email protected])

<Admonition type="note" title="Service account permissions">
"Service Account Token Creator" and "Cloud SQL Viewer" IAM roles include more
permissions than the database agent needs. To further restrict the service
account, you can create a role that includes only the following permission:
"Service Account Token Creator", "Cloud SQL Viewer", and "Cloud SQL Admin"
IAM roles include more permissions than the database agent needs. To further
restrict the service account, you can create a role that includes only the
following permission:
```ini
# Used to generate IAM auth tokens when connecting to a database instance.
iam.serviceAccounts.getAccessToken
# Used to auto-download the instance's root CA certificate.
cloudsql.instances.get
# Used to generate an ephemeral client certificate when the GCP instance
# is configured to "Allow only SSL connections".
cloudsql.sslCerts.createEphemeral
```

</Admonition>

Once created, go to that service account's Keys tab and create a new key:
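Review bot: "only the following permission:" is now followed by three permissions, so it should read "permissions:" (the mysql guide in this same commit already uses the plural). As in the mysql guide, the comment on cloudsql.sslCerts.createEphemeral limits it to instances set to "Allow only SSL connections", so note that it can be omitted from the custom role when the instance does not require SSL.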