 

Can I restrict access to a Google Cloud SQL instance to specific service account?

I have multiple environments in Google Compute Engine (dev, staging, and production), each with its own Google Cloud SQL instance. The instances connect via Cloud SQL Proxy and authenticate with a credential file that is tied to a service account. I want to have a separate service account for each environment, which would be restricted to accessing the SQL instance specific to that environment. Currently, it appears that any service account with the Cloud SQL Client role can access any Cloud SQL instance within the same project.

I cannot find any way to restrict access on a Cloud SQL Instance to a specific service account. Is it possible, and if so, how? If not, is there a different way to achieve the goal of preventing a server in one environment from accessing a Cloud SQL instance in another environment?

NOTE: this configuration is possible with Google Cloud Storage; one can assign a specific service account to have various permissions on each bucket, so that the dev service account cannot accidentally access Production files.

Craig Finch asked Feb 04 '23 04:02


2 Answers

Unfortunately, Cloud SQL currently does not support instance level IAM policies.

The only workaround is hosting the instances in different projects.

Vadim answered Apr 28 '23 05:04


As of the August 2021 release of Google Cloud SQL:

You can use IAM Conditions to define and enforce conditional, attribute-based access control for Google Cloud resources, including Cloud SQL instances

See the documentation for IAM Conditions for information about how to restrict a user or service account to specific Cloud SQL instances.

Craig Finch answered Apr 28 '23 05:04
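As an added example that is not part of either answer, the following shell script applies the approach from the second answer: one service account per environment, each granted roles/cloudsql.client with an IAM Condition that names only that environment's instance. The project ID, instance names (db-dev, db-staging, db-production) and service-account addresses are placeholders. The condition attributes used, resource.type == "sqladmin.googleapis.com/Instance" and resource.name in the form projects/PROJECT/instances/INSTANCE, are the ones documented for Cloud SQL IAM Conditions, but treat them as an assumption and confirm them against the current documentation before relying on them.

```shell
#!/bin/sh
# Added example (not from the question or answers): one roles/cloudsql.client
# grant per environment, each scoped by an IAM Condition to a single instance.
# Project, instance and service-account names below are placeholders.
set -eu

# Print the command instead of running it unless DRY_RUN=0, so the script can
# be read and exercised without gcloud credentials.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '+'
    printf ' %s' "$@"
    printf '\n'
  else
    "$@"
  fi
}

# CEL condition matching exactly one Cloud SQL instance.
# Attribute names and the resource.type value are assumed from the Cloud SQL
# IAM Conditions documentation; verify against the current docs.
sql_instance_condition() {
  printf 'resource.type == "sqladmin.googleapis.com/Instance" && resource.name == "projects/%s/instances/%s"' "$1" "$2"
}

# Variant that also covers read replicas named after the primary with a
# dash suffix (db-dev, db-dev-replica-1). The trailing "-" in the prefix
# keeps db-dev from matching an unrelated db-dev2 instance.
sql_instance_prefix_condition() {
  printf 'resource.type == "sqladmin.googleapis.com/Instance" && (resource.name == "projects/%s/instances/%s" || resource.name.startsWith("projects/%s/instances/%s-"))' "$1" "$2" "$1" "$2"
}

# Bind roles/cloudsql.client to one service account, limited to one instance.
# Conditional bindings need IAM policy version 3; gcloud upgrades the policy
# when --condition is supplied. Arguments: project env service_account instance
grant_cloudsql_client() {
  local project="$1" env_name="$2" sa_email="$3" instance="$4" expr
  expr=$(sql_instance_condition "$project" "$instance")
  run gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:$sa_email" \
    --role="roles/cloudsql.client" \
    --condition="expression=$expr,title=cloudsql-client-$env_name,description=Only the $env_name instance"
}

# List every roles/cloudsql.client binding a service account holds, with its
# condition, so an unconditional grant elsewhere in the policy stands out.
# Arguments: project service_account
show_cloudsql_client_bindings() {
  run gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.role=roles/cloudsql.client AND bindings.members=serviceAccount:$2" \
    --format="table(bindings.members,bindings.condition.title,bindings.condition.expression)"
}

PROJECT_ID="${PROJECT_ID:-example-project}"   # placeholder project ID
for env_name in dev staging production; do
  sa="app-$env_name@$PROJECT_ID.iam.gserviceaccount.com"
  grant_cloudsql_client "$PROJECT_ID" "$env_name" "$sa" "db-$env_name"
  show_cloudsql_client_bindings "$PROJECT_ID" "$sa"
done
```

Run it with DRY_RUN=0 to apply the bindings. Two checks matter in practice. First, the condition narrows only this binding: a service account that also holds roles/cloudsql.client, or a broad role such as Editor, through an unconditional project-level binding (the Compute Engine default service account is the usual case) still reaches every instance, which is why the script lists the bindings after granting. Second, roles/cloudsql.client carries cloudsql.instances.get and cloudsql.instances.connect, which are the permissions Cloud SQL Proxy uses, so under this policy the proxy on the dev server can open db-dev but not db-production.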