The documentation About the Cloud SQL Proxy contains a line, “[B]ecause the proxy always connects from a hostname that cannot be accessed except by the proxy, you can create a user account that can be used only by the proxy. The advantage of doing this is that you can specify this account without a password without compromising the security of your instance or your data.”
Is there any practical way of connecting a MySQL client through the Google Cloud Proxy which is authenticated using a Service Account that is only allowed to access a specific MySQL user?
One potential way to restrict access when using the Cloud SQL Proxy is to create a MySQL user account with the Cloud SQL Proxy IP address: `'[USER_NAME]'@'cloudsqlproxy~[IP_ADDRESS]'`. But this would not work for a service account that runs on multiple cloud VMs. This is basically authentication of the MySQL user by IP address instead of by Service Account.
A second way to restrict a Service Account to a MySQL user might be to use a MySQL user account `'[USER_NAME]'@'cloudsqlproxy~%'` and rely on IAM to restrict access. The Service Account running the Cloud SQL Client requires the `roles/cloudsql.client` role, which is equivalent to the `cloudsql.instances.connect` and `cloudsql.instances.get` permissions. Unfortunately, if you grant multiple Service Accounts this role, then it looks like there is no way to restrict them from using each other’s MySQL user.
A third potential way to enable passwordless authentication might be to use client certificates (`gcloud sql ssl-certs create [CERT_NAME] client-key.pem --instance [INSTANCE_NAME]`). But client private keys are even harder to manage than passwords, since they are all invalidated at the same time in under 1 year when you refresh the server certificate: “When you refresh your server certificate, you must also generate new client certificates; the existing client certificates are revoked.” This makes them basically impossible to use in production.
Basically, it seems like the Cloud SQL Proxy does not enable authenticating to a specific MySQL user via an IAM Service Account. Is this correct?
That is correct. The Cloud SQL Proxy doesn't offer any mechanisms for restricting which MySQL users you have access to when you connect using the proxy. Connections made through the proxy are only restricted by whatever IAM roles are assigned to them. The mechanism for restricting which accounts can access which users is to use password protection.
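As an added illustration of the password-based approach the answer describes (this is editor-supplied example SQL, not from the asker, the answerer, or Google's documentation), the statements below create a MySQL user that can only arrive through the proxy host pattern, give it a password and only the grants its application needs, and then audit the instance for accounts that are passwordless or reachable from any host. The database name `appdb`, the user name `app_user`, and the placeholder password are assumptions; the `cloudsqlproxy~%` host pattern and the `roles/cloudsql.client` requirement are from the page. The audit query assumes the connecting account has `SELECT` on `mysql.user` and targets MySQL 5.7 or 8.0, where the hashed password lives in `authentication_string`.

```sql
-- 1. A user that MySQL will only accept when the connection originates
--    from the Cloud SQL Proxy host pattern (cloudsqlproxy~<ip>).
--    The password is what actually separates this account from other
--    service accounts that also hold roles/cloudsql.client; keep it in a
--    secret store, not in application config.
CREATE USER 'app_user'@'cloudsqlproxy~%'
  IDENTIFIED BY 'REPLACE_WITH_SECRET_FROM_SECRET_MANAGER';   -- placeholder

-- 2. Least privilege: grant only what the application needs on its own
--    schema (assumed schema name: appdb). No global privileges, no GRANT OPTION.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app_user'@'cloudsqlproxy~%';

-- 3. Optional operational limits on the account.
ALTER USER 'app_user'@'cloudsqlproxy~%'
  WITH MAX_USER_CONNECTIONS 50;

FLUSH PRIVILEGES;

-- 4. Audit: accounts with no password at all. Under the proxy model every
--    principal with roles/cloudsql.client can reach these as any user, so
--    each row here is a finding.
SELECT user, host, plugin
FROM mysql.user
WHERE authentication_string = ''
  AND plugin NOT IN ('auth_socket');          -- socket-auth users are not password-based

-- 5. Audit: accounts whose host is broader than the proxy pattern.
--    '%' accepts connections from any authorized network, not only the proxy.
SELECT user, host
FROM mysql.user
WHERE host = '%'
   OR host NOT LIKE 'cloudsqlproxy~%';
```

Run steps 1 to 3 once per application identity, and steps 4 and 5 periodically (or from a scheduled job) to catch accounts created later without a password or with a `'%'` host; a non-empty result from either audit query is the signal that the password-based separation the answer relies on has a gap.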