Home / server / Questions / 973055
Accepted
yonran
Asked: 2019-06-27 16:43:27 +0800 CST

How to configure Cloud SQL Postgres to require SSL but not client certificates?

  • 772

Is there a way to create a Cloud SQL Postgres instance that Enforces SSL/TLS, but that does not require the use of client certificates? In pg_hba.conf, this would be a line containing hostssl but not clientcert=1.

I have tried Enforcing SSL/TLS (settings.ipConfiguration.requireSsl on the instance, or gcloud sql instances patch [INSTANCE_NAME] --require-ssl) But this option seems pretty useless, because:

  1. According to Managing your client certificates , you can only create “up to 10 client certificates for each instance.” This means that we would have to share the same client certificate/private keys among multiple users or services, so the secret is not truly secret among our employees.
  2. After presenting a client sslkey/sslcert in psql, postgres still asks for a password. This is evidence that the Cloud SQL sslCerts API inserts a clientcert=1 auth-option, as opposed to a cert auth-method, into pg_hba.conf. This means that each client needs both a client cert and a password.
postgresql

1 Answers

  1. Best Answer

    Cloud SQL always requires client SSL certificate when configured with option: Allow only SSL connections. There is also no access to pg_hba.conf file to change auth-method to cert for Cloud SQL.

    As a workaround you can create PostrgreSQL on Compute engine using this Google Cloud Marketplace link, where you will have access to auth-method in pg_hba.conf

    • 0