我尝试使用 使用 IAM 数据库身份验证登录 与服务帐户。但失败了
用户的 Cloud SQL IAM 服务帐户身份验证失败
我完全陷入困境
实例测试验证
并设置标志
databaseFlags:
- name: cloudsql.iam_authentication
value: on
数据库名称:db_hoge
[email protected] 并将其添加为用户。另外,我添加了自己的电子邮件(这是该 GCP 项目的所有者) 看起来添加正确。
$ gcloud sql 用户列表 --instance test-auth
NAME HOST TYPE PASSWORD_POLICY
postgres CLOUD_IAM_USER
[email protected] CLOUD_IAM_USER
[email protected] CLOUD_IAM_SERVICE_ACCOUNT
$ ./cloud_sql_proxy-版本
Cloud SQL Auth proxy: 1.31.0+linux.amd64
$ ./cloud_sql_proxy -enable_iam_login -instances=myproject:asia-northeast1:test-auth=tcp:127.0.0.1:5432
psql“sslmode=禁用dbname=db_hoge主机=127.0.0.1用户[email protected]”
psql: error: FATAL: Cloud SQL IAM service account authentication failed for user "[email protected]"
psql“sslmode =禁用dbname = db_hoge主机= 127.0.0.1用户= [email protected]”
psql (12.11 (Ubuntu 12.11-0ubuntu0.20.04.1), server 14.2)
WARNING: psql major version 12, server major version 14.
Some psql features might not work.
Type "help" for help.
db_hoge=>
我真诚地请求某人的好心帮助。
提前谢谢您
按照建议,我部署了用于在 GKE 上测试连接的应用程序
但是现在,我收到错误“致命:客户端返回空密码”。 当使用 IAM 数据库身份验证时,我们不需要该用户的密码。
我不知道这是因为 App、GKE、IAM 或 CloudSQL。
使用 sidecar,我运行了 cloudSQL 代理。并且该 pod 的服务帐户已绑定 google-service-account,该帐户具有 CloudSQL 实例用户和 CloudSQL 客户端。
app.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: web
spec:
selector:
matchLabels:
run: web
template:
metadata:
labels:
run: web
spec:
containers:
- image: cloudproxy-test:1.0.0
imagePullPolicy: Always
name: web
ports:
- containerPort: 8080
protocol: TCP
- command:
- /cloud_sql_proxy
- -enable_iam_login
- -instances=my-project:asia-northeast1:test-auth=tcp:5432
image: gcr.io/cloudsql-docker/gce-proxy:1.25.0
name: cloudsql-proxy
serviceAccountName: ksa-workload-identity-binded
---
我用 go 制作了应用程序。对于 postgreSQL,使用 dialers/postgres 模块。
package main
import (
"context"
"database/sql"
"fmt"
"log"
"net/http"
"github.com/gin-gonic/gin"
_ "github.com/GoogleCloudPlatform/cloudsql-proxy/proxy/dialers/postgres"
)
func main() {
engine := gin.Default()
engine.GET("/", func(c *gin.Context) {
ctx := context.Background()
if err := showRecords(ctx, "my-project:asia-northeast1:test-auth", "db_hoge", "[email protected]"); err != nil {
log.Fatal(err)
}
c.JSON(http.StatusOK, gin.H{
"How": "itwork",
})
})
engine.Run(":8080")
}
func showRecords(ctx context.Context, dbAddress, dbName, dbUser string) error {
dsn := fmt.Sprintf("host=%s user=%s dbname=%s sslmode=disable", dbAddress, dbUser, dbName)
fmt.Println(dsn)
db, err := sql.Open("cloudsqlpostgres", dsn)
if err != nil {
log.Fatal(err)
return err
}
defer db.Close()
return nil
}
当我使用默认用户
postgres
和密码并从 sidecar 命令中删除 -enable_iam_login 选项时,我可以连接数据库。
所以应用程序本身似乎没有错误。
我知道有两种情况你会收到此消息:
您没有在 Cloud SQL 实例上启用 IAM 数据库身份验证。
$ docker compose exec app psql -h proxy -U myaccount@PROJECT_ID.iam postgres
psql: error: connection to server at "proxy" (172.20.0.2), port 5432 failed: FATAL: Cloud SQL IAM service account authentication failed for user "myaccount@PROJECT_ID.iam"
$ gcloud logging read "resource.type=cloudsql_database" --project=PROJECT_ID --limit=10
---
...
textPayload: |-
2023-08-31 23:34:40.377 UTC [1182]: [2-1] db=postgres,user=myaccount@PROJECT_ID.iam DETAIL: Cloud SQL IAM authentication not enabled
Connection matched pg_hba.conf line 21: "local all +cloudsqliamserviceaccount cloudsql-iam-svc-acct"
---
...
textPayload: '2023-08-31 23:34:40.377 UTC [1182]: [1-1] db=postgres,user=myaccount@PROJECT_ID.iam
FATAL: Cloud SQL IAM service account authentication failed for user "myaccount@PROJECT_ID.iam"'
timestamp: '2023-08-31T23:34:40.377967Z'
---
...
您没有向服务帐户授予 Cloud SQL 实例用户 (
roles/cloudsql.instanceUser
) 角色。
$ docker compose exec app psql -h proxy -U myaccount@PROJECT_ID.iam postgres
psql: error: connection to server at "proxy" (172.20.0.2), port 5432 failed: FATAL: Cloud SQL IAM service account authentication failed for user "myaccount@PROJECT_ID.iam"
$ gcloud logging read "resource.type=cloudsql_database" --project=PROJECT_ID --limit=10
---
...
textPayload: |-
2023-08-31 23:38:34.595 UTC [1279]: [2-1] db=postgres,user=myaccount@PROJECT_ID.iam DETAIL: Not authorized to access resource. Possibly missing permission cloudsql.instances.login on resource projects/PROJECT_ID/instances/myinstance.
Connection matched pg_hba.conf line 21: "local all +cloudsqliamserviceaccount cloudsql-iam-svc-acct"
---
...
textPayload: '2023-08-31 23:38:34.595 UTC [1279]: [1-1] db=postgres,user=myaccount@PROJECT_ID.iam
FATAL: Cloud SQL IAM service account authentication failed for user "myaccount@PROJECT_ID.iam"'
---
...
考虑到这一点,您收到该消息很奇怪,因为您似乎启用了 IAM 身份验证并授予了该角色。但也许你终究没有授予这个角色。查看日志 (
gcloud logging
) 以找出导致问题的原因。
您可能还想查看我如何配置身份验证,以及此Cloud SQL 身份验证概述。