2

I'm rolling out Hasura on GKE, and I need for it to connect to CloudSQL via IAM.

While most of the tutorials online describe the use of k8s secrets for usernames and passwords, I would like for Hasura to connect via IAM. That means no passwords.

What's the best way to craft the HASURA_GRAPHQL_DATABASE_URL to make that happen?

Tom K
  • 145
  • 1
  • 13

2 Answers

3

I'd suggest using automatic IAM database authentication, using the Cloud SQL Auth proxy. You can follow the Connect from GKE instructions, and just modify the sidecar command to use the -enable_iam_login instead of a secret for the password.

kurtisvg
  • 3,412
  • 1
  • 8
  • 24
  • I've added the cloud-sql-auth-proxy as a sidecar next to my hasura pod. I've also `-enabled_iam_login` as well. However, it looks like Hasura still requires cloud-instance-creds as secrets for deployment, which I don't want. https://hasura.io/docs/latest/graphql/core/deployment/deployment-guides/google-kubernetes-engine-cloud-sql.html – Tom K Mar 17 '22 at 03:10
  • If you are using [workload identity](https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine#workload-identity), you won't need a service account key. For the other credentials, they are used to specify the "POSTGRES_DB_USER" and "POSTGRES_DB_PASSWORD" env vars that Hasura is using. You'll use the email of the service account for the DB_USER ([described here](https://cloud.google.com/sql/docs/postgres/iam-logins#log_in_with_automatic)) and the DB_PASSWORD can be anything you want, as the proxy will automatically replace it. If HASURA forces you to pick something, you can use " ". – kurtisvg Mar 17 '22 at 15:16
  • You also don't have to use secrets to populate the environment variables: https://cloud.google.com/sql/docs/postgres/iam-logins#log_in_with_automatic – kurtisvg Mar 17 '22 at 15:17
0

So in the end it was postgres' paramspec to the rescue. By crafting the connection string as follows for the HASURA_GRAPHQL_DATABASE_URL:

postgres://localhost:5432/mydatabase?user=my-service-account@gcp-project.iam

I was able to connect successfully, with workload-identity and a sidecar with cloudsql-proxy as @kurtisvg suggested.

Tom K
  • 145
  • 1
  • 13
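Putting the accepted approach and the final connection string together, here is an added example (not from either answer or from Hasura's docs) of a GKE Deployment that runs the Cloud SQL Auth proxy as a sidecar with IAM login under Workload Identity, so no database password or service-account key is stored in a Secret. The namespace, service account name, image tags and the instance connection name `gcp-project:us-central1:my-instance` are assumed placeholders.

```yaml
# Added example: Hasura + Cloud SQL Auth proxy sidecar using IAM database auth.
# Assumptions (placeholders): GCP SA my-service-account@gcp-project.iam.gserviceaccount.com,
# instance connection name gcp-project:us-central1:my-instance, image tags <version>.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: hasura
  annotations:
    # Workload Identity binds this Kubernetes SA to the GCP SA; no key file is mounted.
    iam.gke.io/gcp-service-account: my-service-account@gcp-project.iam.gserviceaccount.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hasura
spec:
  replicas: 1
  selector:
    matchLabels: {app: hasura}
  template:
    metadata:
      labels: {app: hasura}
    spec:
      serviceAccountName: hasura
      containers:
      - name: hasura
        image: hasura/graphql-engine:<version>   # placeholder tag
        env:
        # No password in the URL: the IAM database user is the GCP SA email
        # with the ".gserviceaccount.com" suffix removed, as in the answer above.
        - name: HASURA_GRAPHQL_DATABASE_URL
          value: postgres://localhost:5432/mydatabase?user=my-service-account@gcp-project.iam
        ports:
        - containerPort: 8080
      - name: cloud-sql-proxy
        image: gcr.io/cloudsql-docker/gce-proxy:<version>   # placeholder tag
        command:
        - /cloud_sql_proxy
        # The proxy listens on 127.0.0.1 only, so just containers in this pod reach it.
        - -instances=gcp-project:us-central1:my-instance=tcp:5432
        # Exchange the pod's Workload Identity token for a short-lived DB login
        # instead of presenting a long-lived stored password.
        - -enable_iam_login
        securityContext:
          runAsNonRoot: true
```

For this to work the GCP service account must be granted the Cloud SQL Client and Cloud SQL Instance User roles and added to the instance as an IAM database user; if the proxy logs an authentication failure, those two bindings are the first things to check.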