Does AlloyDB support authenticating to Postgres databases with IAM service accounts like Cloud SQL does?


I'm really confused about how IAM login works with AlloyDB. I don't see anything in the docs about mapping postgres users to IAM service accounts.

With Cloud SQL Postgres I can do this: https://cloud.google.com/sql/docs/postgres/authentication

  1. I create a service account
  2. Create a Cloud SQL user of type CLOUD_IAM_SERVICE_ACCOUNT (gcloud sql users create <GSA> --type=CLOUD_IAM_SERVICE_ACCOUNT)
  3. Log in to postgres and give that postgres user access to only its own database.

Applications auth to their own postgres DB through their IAM service account (via the proxy) and cannot access other DBs on the postgres server.

How do I do this with AlloyDB?

Looking at the docs I see some mention of CLOUD_IAM_USER https://cloud.google.com/alloydb/docs/database-users/about#view-list

But I cannot see how to create AlloyDB users via the API:


Does the sql users API also support AlloyDB? With Cloud SQL I can create IAM service account users via the Cloud SQL API.

3

There are 3 best solutions below

0
enocom On BEST ANSWER

Manual IAM authentication is now available.

https://cloud.google.com/alloydb/docs/manage-iam-authn

Automatic IAM Authentication (where the AlloyDB Proxy handles the OAuth2 token for you) isn't available yet, though.

7
Gabe Weiss On

Not yet, no. But it's coming. No promises on dates of course, but it's in active dev.

0
user14494 On

I successfully connected interactively, using my IAM credentials, to a database in an AlloyDB PostgreSQL instance, with both a service account and my Google IAM account.

It helps me to think of the connection on two levels. The first is using alloydb-auth-proxy to connect to the AlloyDB instance. This works for me using a GCE service account with appropriate roles defined. Basically, port 5432 is opened for a PostgreSQL client. The second level is connecting via a PostgreSQL client like psql to a specific database like 'postgres'.

The command gcloud alloydb users create [email protected] --type=IAM_BASED creates an IAM user. There is a database flag, "alloydb.iam_authentication" = "on", that needs to be applied. I think that is it for configuration.

Then each time I want to connect as myself: 1) gcloud auth login --update-adc; 2) open a gcloud ssh --iap-tunnel to the alloydb-auth-proxy; and then 3) log in to the database with:

PGPASSWORD=$(gcloud auth print-access-token) psql --host=127.0.0.1 --dbname='postgres' --username="[email protected]"

I just tried it with the service account active, using the command above but with the service account's IAM username, and it worked. The service account has to be added as an AlloyDB user of type IAM_BASED and needs "roles/alloydb.databaseUser" and "roles/serviceusage.serviceUsageConsumer".

See https://cloud.google.com/alloydb/docs/manage-iam-authn
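The same manual IAM flow from application code, as an added example (hypothetical helper names; not code from the answer above or from Google's AlloyDB libraries): the caller's OAuth2 access token is the PostgreSQL password, and since such tokens expire after about an hour, the provider re-fetches before expiry so a connection pool that opens connections later does not present a stale token. It assumes the auth proxy on 127.0.0.1:5432, a user created with --type=IAM_BASED, alloydb.iam_authentication=on, and the google-auth and psycopg packages.

```python
"""Manual IAM authentication to AlloyDB through the auth proxy (added example,
hypothetical helpers).  The IAM principal's e-mail is the PostgreSQL role name
and the caller's OAuth2 access token is the password."""
import time
from datetime import timezone
from typing import Callable, Optional, Tuple

CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
TokenFetcher = Callable[[], Tuple[str, float]]  # -> (access_token, expiry epoch seconds)


def adc_token_fetcher() -> Tuple[str, float]:
    """Get an access token from Application Default Credentials (gcloud auth
    login --update-adc locally, or the attached service account on GCE)."""
    import google.auth
    import google.auth.transport.requests
    creds, _ = google.auth.default(scopes=[CLOUD_PLATFORM_SCOPE])
    creds.refresh(google.auth.transport.requests.Request())
    # google-auth reports expiry as a naive UTC datetime
    return creds.token, creds.expiry.replace(tzinfo=timezone.utc).timestamp()


class IamPassword:
    """Caches the token and re-fetches it before it expires (tokens live about
    an hour), so a pool opening connections later never presents a stale one."""

    def __init__(self, fetch: TokenFetcher, margin_s: float = 300.0,
                 now: Callable[[], float] = time.time) -> None:
        self._fetch, self._margin, self._now = fetch, margin_s, now
        self._token: Optional[str] = None
        self._expiry = 0.0
        self.fetch_count = 0  # exposed so callers can observe refresh behaviour

    def get(self) -> str:
        if self._token is None or self._now() >= self._expiry - self._margin:
            self._token, self._expiry = self._fetch()
            self.fetch_count += 1
        return self._token


def conninfo(user: str, dbname: str, password: str,
             host: str = "127.0.0.1", port: int = 5432) -> dict:
    """Keyword arguments for psycopg.connect(): proxy endpoint, IAM e-mail as
    the role, access token as the password."""
    return {"host": host, "port": port, "dbname": dbname,
            "user": user, "password": password}


def connect(user: str, dbname: str, password: IamPassword):
    import psycopg  # imported lazily so the module loads without the driver
    return psycopg.connect(**conninfo(user, dbname, password.get()))
```

Use `connect("PRINCIPAL_EMAIL", "postgres", IamPassword(adc_token_fetcher))` where the role name is the IAM user you created; the token is never written to disk or to PGPASSWORD.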