teleport
teleport copied to clipboard
Published
20 hours ago •
gravitational
gravitational
GCP MySQL IAM Auth support
Implements #34334
- #34334
changelog: Added GCP MySQL access IAM Authentication support
WIll do a separate doc update PR.
Manual Testing:
- [x]
tsh db connect -u steve-mysql-iam-auth -n test gcp-mysql - [x]
tsh db connect -u steve-mysql-iam-auth@<project-id>.iam -n test gcp-mysql - [x]
tsh db connect -u steve-mysql-iam-auth@<project-id>.iam.gserviceaccount.com -n test gcp-mysql - [x] Read replica (which doesn't work with password auth as we try to update user)
- [x] No IAM auth permission
- [x] No
cloudsql.users.getpermission
sample error no IAM auth permission
$ tsh db connect -u steve-mysql-iam-auth -n test gcp-mysql
ERROR 1105 (HY000): Could not generate GCP IAM auth token:
rpc error: code = PermissionDenied desc = Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).
error details: name = ErrorInfo reason = IAM_PERMISSION_DENIED domain = iam.googleapis.com metadata = map[permission:iam.serviceAccounts.getAccessToken]
Make sure Teleport db service has "Service Account Token Creator" GCP IAM role,
or "iam.serviceAccounts.getAccessToken" IAM permission.
sample error no `cloudsql.users.get` permission
$ tsh db connect --db-user steve-mysql-iam-auth -n test gcp-mysql
ERROR 1105 (HY000): Could not update Cloud SQL user "steve-mysql-iam-auth" password:
Invalid request: Error 1396: Operation ALTER USER failed for .
If the db user uses IAM authentication, please use the full service account email
ID as "--db-user", or grant the Teleport Database Service the
"cloudsql.users.get" IAM permission so it can discover the user type.
If the db user uses passwords, make sure Teleport Database Service has "Cloud
SQL Admin" GCP IAM role, or "cloudsql.users.update" IAM permission.
ERROR: exit status 1
