
Support for --impersonate-service-account

Open xanonid opened this issue 5 years ago • 10 comments

It would be nice, if Cloud SQL Proxy supports the --impersonate-service-account flag similar to the corresponding flag in gcloud. This would help to use impersonation out-of-the-box instead of long-running and possibly non-personalized service-account credentials.

xanonid avatar Jul 15 '20 11:07 xanonid

Any movement on this? Is it even possible to use impersonation with cloud_sql_proxy? I'm not generating static non-expiring keys for my service accounts.

red8888 avatar May 04 '21 02:05 red8888

It looks like the SQLAdmin client provides a hook for doing this now: https://pkg.go.dev/google.golang.org/api/option#ImpersonateCredentials

kurtisvg avatar May 04 '21 14:05 kurtisvg

Are there any updates or status on this? The only way I have been able to impersonate is with gcloud via gcloud config set auth/impersonate_service_account <MY_SERVICE_ACCOUNT>

The support for this is so poor. Can I run gcloud auth print-access-token --impersonate-service-account=<MY_SERVICE_ACCOUNT> and set an env var to the access token or something?

red8888 avatar Sep 02 '21 15:09 red8888

Bumping up the priority on this. Right now there's not a good built-in way to do this.

For people who didn't see the StackOverflow post, a current workaround looks like this:

cloud_sql_proxy --instances=<instanceName>=tcp:3306 \
  --token=$(gcloud auth print-access-token --impersonate-service-account=<service account>)

enocom avatar Sep 07 '21 17:09 enocom

We're presently working on a v2 of the proxy, which will include a new dialer as well. We plan to add support for impersonating an account there (see the tracking issue linked above for progress).

enocom avatar Sep 10 '21 17:09 enocom

Are there any updates on whether this might be supported in v2? I couldn't find any reference of it when looking at the tracking issue. Thanks!

JonasHedEng avatar Aug 31 '22 06:08 JonasHedEng

Yes, we will support this in v2. With the new Go Connector this is an easy fix.

enocom avatar Aug 31 '22 14:08 enocom

Looking at this again, there's a new API that will return a token source with impersonated credentials.

https://pkg.go.dev/google.golang.org/[email protected]/impersonate

So in effect, we'd just need to expose some CLI flags to configure that token source and be good.

enocom avatar Aug 31 '22 15:08 enocom

Thinking about CLI flags, I think the proxy would only need to expose TargetPrincipal and Delegates here: https://pkg.go.dev/google.golang.org/[email protected]/impersonate#CredentialsConfig.

The proxy knows the necessary Scopes. Lifetime has a good default. And Subject seems unnecessary for our use case here.

enocom avatar Sep 12 '22 16:09 enocom
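As an added illustration (not code from this thread or from the proxy project), a Go sketch of how a `--impersonate-service-account` flag could be mapped onto the two fields enocom names, with Scopes fixed by the proxy and Lifetime left at the package default. The comma-separated chain convention (first entry is the target, remaining entries are delegates in order) and the helper names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// ImpersonationConfig mirrors the impersonate.CredentialsConfig fields the
// thread discusses: the user supplies TargetPrincipal and Delegates, the
// proxy supplies Scopes and Lifetime.
type ImpersonationConfig struct {
	TargetPrincipal string
	Delegates       []string
	Scopes          []string
	Lifetime        time.Duration
}

// sqlAdminScope is the OAuth scope the Cloud SQL Admin API requires.
const sqlAdminScope = "https://www.googleapis.com/auth/sqlservice.admin"

// ParseImpersonationFlag converts the value of a hypothetical
// --impersonate-service-account flag into an ImpersonationConfig.
// Assumed convention: "target,delegate1,delegate2" (first entry is the
// target; each later entry is a hop in the delegation chain).
func ParseImpersonationFlag(value string) (ImpersonationConfig, error) {
	var cfg ImpersonationConfig
	if strings.TrimSpace(value) == "" {
		return cfg, errors.New("impersonate-service-account: empty value")
	}
	var chain []string
	for _, raw := range strings.Split(value, ",") {
		acct := strings.TrimSpace(raw)
		// Service accounts are addressed by e-mail; reject anything else early
		// so a typo fails at startup rather than at the first token request.
		if acct == "" || !strings.Contains(acct, "@") {
			return cfg, fmt.Errorf("impersonate-service-account: %q is not a service account email", raw)
		}
		chain = append(chain, acct)
	}
	cfg.TargetPrincipal = chain[0]
	cfg.Delegates = chain[1:]
	cfg.Scopes = []string{sqlAdminScope}
	cfg.Lifetime = time.Hour // impersonate's documented default; tokens are auto-refreshed at this value
	return cfg, nil
}

func main() {
	// Constructed sample flag value, not a real project or account.
	cfg, err := ParseImpersonationFlag("proxy@example-project.iam.gserviceaccount.com,hop@example-project.iam.gserviceaccount.com")
	fmt.Printf("%+v err=%v\n", cfg, err)
}
```

Unlike the `--token=$(gcloud auth print-access-token ...)` workaround above, a token source built from this config is refreshed by the library, so the proxy keeps working past the first token's expiry.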

Bumping the priority up since there's a lot of interest here.

enocom avatar Sep 12 '22 16:09 enocom

We'll have this in the next release which we'll cut before next month.

enocom avatar Oct 14 '22 19:10 enocom