From aefdf4ea6859064d20fb4eb05d40f9ee5e24ddd4 Mon Sep 17 00:00:00 2001 From: Jim Bishopp Date: Tue, 1 Feb 2022 14:22:10 -0800 Subject: [PATCH] Update docs for GCP Cloud SQL Client Authentication Update docs for #9991. --- .../database-access/guides/mysql-cloudsql.mdx | 9 +++++++- .../guides/postgres-cloudsql.mdx | 21 ++++++++++++++----- 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/docs/pages/database-access/guides/mysql-cloudsql.mdx b/docs/pages/database-access/guides/mysql-cloudsql.mdx index 3d00fbddd7685..bd6de7de377f8 100644 --- a/docs/pages/database-access/guides/mysql-cloudsql.mdx +++ b/docs/pages/database-access/guides/mysql-cloudsql.mdx @@ -26,9 +26,16 @@ Assign it the "Cloud SQL Admin" role: database agent needs to generate one-time user passwords. To further restrict the service account, you can create a role that includes only the following permissions: - ```text + ```ini + # Used to download a list of database users. cloudsql.users.list + # Used to update a user with a one-time password. cloudsql.users.update + # Used to auto-download the instance's root CA certificate. + cloudsql.instances.get + # Used to generate an ephemeral client certificate when the GCP instance + # is configured to "Allow only SSL connections". + cloudsql.sslCerts.createEphemeral ``` diff --git a/docs/pages/database-access/guides/postgres-cloudsql.mdx b/docs/pages/database-access/guides/postgres-cloudsql.mdx index c02cd79887e9c..27d250d811912 100644 --- a/docs/pages/database-access/guides/postgres-cloudsql.mdx +++ b/docs/pages/database-access/guides/postgres-cloudsql.mdx 
@@ -66,8 +66,14 @@ Teleport Database service with the following IAM roles: - "Service Account Token Creator": will allow Database service to generate IAM auth tokens when connecting to the database as the service account user we created above. -- "Cloud SQL Viewer": will allow Database service to automatically download - your Cloud SQL instance root CA certificate. +- Either "Cloud SQL Viewer" or "Cloud SQL Admin": + - "Cloud SQL Viewer" will allow Database service to automatically download + your Cloud SQL instance root CA certificate, but does not support client + certificate authentication. + - "Cloud SQL Admin": will allow Database service to automatically download + your Cloud SQL instance root CA certificate and generate an + ephemeral client certificate when the GCP instance is configured to + "Allow only SSL connections". If creating a new one, go to the [Service Accounts](https://console.cloud.google.com/iam-admin/serviceaccounts) page and create another service account: 
@@ -79,15 +85,20 @@ Assign it the "Service Account Token Creator" role: ![Grant Service Account Token Creator to Service Account](../../../img/database-access/guides/cloudsql/service-account-db-service-grant@2x.png) - "Service Account Token Creator" and "Cloud SQL Viewer" IAM roles include more - permissions than the database agent needs. To further restrict the service - account, you can create a role that includes only the following permission: + "Service Account Token Creator", "Cloud SQL Viewer", and "Cloud SQL Admin" + IAM roles include more permissions than the database agent needs. To further + restrict the service account, you can create a role that includes only the + following permission: ```ini # Used to generate IAM auth tokens when connecting to a database instance. iam.serviceAccounts.getAccessToken # Used to auto-download the instance's root CA certificate. cloudsql.instances.get + # Used to generate an ephemeral client certificate when the GCP instance + # is configured to "Allow only SSL connections". + cloudsql.sslCerts.createEphemeral ``` + Once created, go to that service account's Keys tab and create a new key:
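Review bot: In the mysql-cloudsql.mdx hunk, the lead-in "you can create a role that includes only the following permissions:" is now followed by four permissions, yet the comment on `cloudsql.sslCerts.createEphemeral` says it is only needed when the instance is configured to "Allow only SSL connections". State that conditionality in the prose as well (for example: "`cloudsql.sslCerts.createEphemeral` is only required if the instance enforces SSL-only connections") so that operators building a least-privilege custom role do not grant the certificate-creation permission unconditionally. The fence change from ```text to ```ini is fine for highlighting the `#` comments and matches the block in the postgres guide.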
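Review bot: In the first postgres-cloudsql.mdx hunk (the IAM roles list), the two new sub-bullets are punctuated inconsistently: `"Cloud SQL Viewer" will allow ...` has no colon while `"Cloud SQL Admin": will allow ...` has one; drop the colon so both read the same. The "Cloud SQL Admin" sub-bullet also presents the broad admin role as the way to get ephemeral client certificates without saying that it grants far more than that; a short pointer to the custom-role permission list further down the guide would keep the least-privilege option visible at the point where the reader picks a role.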
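Review bot: In the second postgres-cloudsql.mdx hunk, the rewritten sentence still ends with "a role that includes only the following permission:" while the block below it now lists three permissions (`iam.serviceAccounts.getAccessToken`, `cloudsql.instances.get`, `cloudsql.sslCerts.createEphemeral`); change it to "permissions:", which is the wording the mysql guide already uses. The added blank line before "Once created, go to that service account's Keys tab" is fine, since it separates the fenced block from the next step.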