
I'm using the Maven plugin to deploy to AppEngine. I need to be logged in to gcloud to be able to deploy services. I need to be logged in to gcloud to be able to use Cloud SQL Auth Proxy also. Now I don't see any way to set the deployer account separately from the Cloud SQL Auth Proxy account, which means I have to use the same account, which has broad privileges starting from deployment and ending with 'Cloud SQL Connector/Instance User'. Is it a design flaw? Did I miss something?

Desired state:

  1. Manually scaled service in AppEngine Flex (basically a singleton, legacy monolith app)
  2. Cloud SQL PostgreSQL instance
  3. Separate service account for deployment with .json key
  4. Separate service account (IAM) for Cloud SQL Auth Proxy with .json key

UPDATE.

Temporarily solved by this config:

spring-context.xml

<beans profile="appengine">
    <bean id="hikariConfig" class="com.zaxxer.hikari.HikariConfig">
        <property name="poolName" value="springHikariCP" />
        <property name="connectionTestQuery" value="SELECT 1" />
        <property name="driverClassName" value="org.postgresql.Driver" />
        <property name="connectionTimeout" value="600000"/>
        <property name="jdbcUrl" value="${db.url}" />
        <property name="username" value="${db.username}"/>
        <property name="password" value="${db.password}"/>
        <property name="dataSourceProperties">
            <props>
                <prop key="sslmode">disable</prop>
            </props>
        </property>
    </bean>
</beans>

app.yaml

env_variables:
  JAVA_OPTS: >-
    -Ddb.username=postgres -Ddb.password=postgres-password
    -Ddb.url=jdbc:postgresql://127.0.0.1:3306/dbname?cloudSqlInstance=project:location:instance&socketFactory=com.google.cloud.sql.postgres.SocketFactory

beta_settings:
  #tcp sockets:
  cloud_sql_instances: project:location:instance=tcp:3306
nnl

1 Answer

I think a few things are being confused here: the account used to deploy the service vs. the account that the service is deployed with. These are two different things.

The account logged into gcloud and used to deploy your app engine service (i.e. the account with the permissions to run gcloud app deploy) does not have to be the same as the one that has the permissions to connect to Cloud SQL.

However, the service account that is deployed with and used by App Engine (the App Engine default service account or a custom service account) will and should be the same service account used to authenticate to your Cloud SQL instance.

You can scope down the permissions used by App Engine by providing a custom service account over using the App Engine Default service account to only those that are required by your application. That way you can grant the Cloud SQL Client and Cloud SQL Instance User roles on top of it and not have the broad Editor permissions.

For more details see: Connect Cloud SQL from App Engine Flex

Jack Wotherspoon

Thanks for your reply. This is exactly what I'm asking for — how to define the service account that is deployed with the app? The Maven plugin has an option to either define 'cloudSdkHome' (which is a way to define the deployer account) and/or the GOOGLE_APPLICATION_CREDENTIALS env variable, which also defines the deployer account but also defines the 'deployed with' account. – nnl May 20 '22 at 22:16
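The answer's point about scoping the runtime identity can be made concrete on the database side. The following is an added example, not code from the question or the answer, that takes the Hikari configuration from the question and rewires it to use the Cloud SQL Java connector with IAM database authentication, so the running App Engine version authenticates to PostgreSQL as its own service account and the password in app.yaml goes away. PROJECT, REGION, INSTANCE, the database name and the service account email are placeholders. It assumes the instance has the `cloudsql.iam_authentication` flag enabled, the runtime service account has been added to the instance as an IAM database user and holds the Cloud SQL Client and Cloud SQL Instance User roles, and the `com.google.cloud.sql:postgres-socket-factory` dependency is on the classpath. Which service account the version runs as is chosen at deploy time (for example with `gcloud app deploy --service-account=...`), independently of the credentials used to run the deploy.

```java
import com.zaxxer.hikari.HikariConfig;
import com.zaxxer.hikari.HikariDataSource;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Builds a HikariCP DataSource that reaches Cloud SQL PostgreSQL through the
 * Cloud SQL Java connector using IAM database authentication. The only
 * credential involved is the identity the App Engine version runs as, which
 * the connector obtains via Application Default Credentials; no database
 * password is configured anywhere.
 *
 * All concrete names below are assumed placeholders, not values from the
 * question or answer.
 */
public final class IamAuthDataSource {

    // Assumed: connection name of the Cloud SQL instance and the database to use.
    static final String INSTANCE_CONNECTION_NAME = "PROJECT:REGION:INSTANCE";
    static final String DB_NAME = "dbname";
    // Assumed: the custom runtime service account the App Engine version runs as.
    static final String RUNTIME_SA_EMAIL = "app-runtime@PROJECT.iam.gserviceaccount.com";

    private IamAuthDataSource() {}

    /**
     * For Cloud SQL IAM authentication the PostgreSQL user name of a service
     * account is its email with the ".gserviceaccount.com" suffix removed.
     */
    static String iamDbUser(String serviceAccountEmail) {
        String suffix = ".gserviceaccount.com";
        if (!serviceAccountEmail.endsWith(suffix)) {
            throw new IllegalArgumentException(
                "not a service account email: " + serviceAccountEmail);
        }
        return serviceAccountEmail.substring(
            0, serviceAccountEmail.length() - suffix.length());
    }

    /** Equivalent of the question's hikariConfig bean, minus the password. */
    static HikariDataSource build() {
        HikariConfig config = new HikariConfig();
        config.setPoolName("springHikariCP");
        config.setDriverClassName("org.postgresql.Driver");
        config.setConnectionTestQuery("SELECT 1");
        // No host or port: the socket factory opens the connection itself,
        // keyed on the instance connection name, so the 127.0.0.1 TCP proxy
        // from the question is not needed.
        config.setJdbcUrl("jdbc:postgresql:///" + DB_NAME);
        config.addDataSourceProperty("cloudSqlInstance", INSTANCE_CONNECTION_NAME);
        config.addDataSourceProperty("socketFactory",
            "com.google.cloud.sql.postgres.SocketFactory");
        // IAM database authentication: the connector fetches a short-lived
        // access token for the runtime identity and presents it as the password.
        config.addDataSourceProperty("enableIamAuth", "true");
        // The connector already wraps the connection in TLS; the driver's own
        // TLS negotiation must stay off, as in the question's config.
        config.addDataSourceProperty("sslmode", "disable");
        config.setUsername(iamDbUser(RUNTIME_SA_EMAIL));
        // Deliberately no setPassword(): nothing secret has to live in app.yaml.
        return new HikariDataSource(config);
    }

    /** Smoke test: opens one connection and reports which identity logged in. */
    public static void main(String[] args) throws SQLException {
        try (HikariDataSource ds = build();
             Connection conn = ds.getConnection();
             Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery("SELECT current_user")) {
            if (rs.next()) {
                System.out.println("Connected to Cloud SQL as " + rs.getString(1));
            }
        }
    }
}
```

With this split, the .json key handed to the Maven plugin only needs deploy-scope permissions, and the runtime service account never exists as a key file at all: the platform supplies its token through Application Default Credentials, and the Cloud SQL Client role lets the connector open the tunnel while the Cloud SQL Instance User role lets that identity log in to the database.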