Can I restrict access to a Google Cloud SQL instance to specific service account?
I have multiple environments in Google Compute Engine (dev, staging, and production), each with its own Google Cloud SQL instance. The instances connect via Cloud SQL Proxy and authenticate with a credential file that is tied to a service account. I want to have a separate service account for each environment, which would be restricted to accessing the SQL instance specific to that environment. Currently, it appears that any service account with role Cloud SQL Client can access any Cloud SQL instance within the same project.

I cannot find any way to restrict access on a Cloud SQL Instance to a specific service account. Is it possible, and if so, how? If not, is there a different way to achieve the goal of preventing a server in one environment from accessing a Cloud SQL instance in another environment?

NOTE: this configuration is possible with Google Cloud Storage; one can assign a specific service account to have various permissions on each bucket, so that the dev service account cannot accidentally access Production files.

Varied answered 28/9, 2017 at 15:43 Comment(0)
4

As of the August 2021 release of Google Cloud SQL:

You can use IAM Conditions to define and enforce conditional, attribute-based access control for Google Cloud resources, including Cloud SQL instances

See the documentation for IAM Conditions for information about how to restrict a user or service account to specific Cloud SQL instances.

Varied answered 25/8, 2021 at 14:55 Comment(0)
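The following is an added example, not code from the thread or from Google. It shows what the IAM Condition described in the accepted answer looks like in practice: a Cloud SQL Client binding per environment whose condition matches the instance's resource name (`projects/PROJECT/instances/INSTANCE`, resource type `sqladmin.googleapis.com/Instance`), the gcloud command that adds it, and a small audit that flags any Cloud SQL Client binding in the project policy that has no such condition, since such a binding still grants access to every instance in the project, which is exactly the situation the question describes. The condition is attached to the role binding, not to the instance, and conditions require IAM policy version 3. The project ID, service account names, instance names and the policy document are all assumptions constructed for the example.

```python
"""Added example (not from the original thread or from Google):
per-instance Cloud SQL Client bindings via IAM Conditions, the matching
gcloud command, and an audit of a project IAM policy for unconditioned
Cloud SQL Client grants. Project, service accounts, instance names and
the policy below are invented for the example."""
import json
import re
import shlex

CLOUDSQL_CLIENT = "roles/cloudsql.client"
SQL_INSTANCE_TYPE = "sqladmin.googleapis.com/Instance"


def instance_resource_name(project, instance):
    """Full resource name that IAM Conditions see for a Cloud SQL instance."""
    return f"projects/{project}/instances/{instance}"


def restricted_client_binding(project, sa_email, instance, title):
    """Policy binding granting Cloud SQL Client on exactly one instance."""
    expression = (
        f'resource.type == "{SQL_INSTANCE_TYPE}" && '
        f'resource.name == "{instance_resource_name(project, instance)}"'
    )
    return {
        "role": CLOUDSQL_CLIENT,
        "members": [f"serviceAccount:{sa_email}"],
        "condition": {"title": title, "expression": expression},
    }


def gcloud_command(project, sa_email, instance, title):
    """gcloud invocation that adds the same binding (returned as a string,
    nothing is executed). A policy file holding conditions must declare
    version 3 before it is passed to set-iam-policy."""
    cond = restricted_client_binding(project, sa_email, instance, title)["condition"]
    condition_flag = f"expression={cond['expression']},title={cond['title']}"
    return " ".join([
        "gcloud projects add-iam-policy-binding", shlex.quote(project),
        f"--member={shlex.quote('serviceAccount:' + sa_email)}",
        f"--role={CLOUDSQL_CLIENT}",
        f"--condition={shlex.quote(condition_flag)}",
    ])


_NAME_RE = re.compile(r'resource\.name\s*==\s*"([^"]+)"')


def allowed_instances(binding, project):
    """Instances in `project` a Cloud SQL Client binding reaches.
    Simplified reading of the condition: only the exact equality form
    produced by restricted_client_binding is recognised; any other
    expression, or no condition at all, is treated as every instance
    ('*'), which is the conservative answer for an audit."""
    expression = binding.get("condition", {}).get("expression", "")
    m = _NAME_RE.search(expression)
    if m and m.group(1).startswith(f"projects/{project}/instances/"):
        return {m.group(1).rsplit("/", 1)[1]}
    return {"*"}


def audit_cloudsql_client(policy, project):
    """Map each Cloud SQL Client member to the instances it can reach."""
    reach = {}
    for b in policy.get("bindings", []):
        if b.get("role") != CLOUDSQL_CLIENT:
            continue
        for member in b.get("members", []):
            reach.setdefault(member, set()).update(allowed_instances(b, project))
    return reach


def unrestricted_members(policy, project):
    """Members whose Cloud SQL Client grant is not scoped to an instance."""
    return sorted(m for m, inst in audit_cloudsql_client(policy, project).items()
                  if "*" in inst)


# Constructed sample: dev and staging have scoped grants, prod still holds
# the old unconditioned binding that reaches every instance in the project.
PROJECT = "example-project"  # assumed project ID
DEV_SA = f"dev-sql@{PROJECT}.iam.gserviceaccount.com"
STAGING_SA = f"staging-sql@{PROJECT}.iam.gserviceaccount.com"
PROD_SA = f"prod-sql@{PROJECT}.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 3,  # required for bindings that carry a condition
    "bindings": [
        restricted_client_binding(PROJECT, DEV_SA, "dev-db", "dev-only"),
        restricted_client_binding(PROJECT, STAGING_SA, "staging-db", "staging-only"),
        {"role": CLOUDSQL_CLIENT, "members": [f"serviceAccount:{PROD_SA}"]},
    ],
}

if __name__ == "__main__":
    print(gcloud_command(PROJECT, DEV_SA, "dev-db", "dev-only"))
    print(json.dumps(audit_cloudsql_client(SAMPLE_POLICY, PROJECT),
                     default=sorted, indent=2))
    print("unrestricted:", unrestricted_members(SAMPLE_POLICY, PROJECT))
```

Run against a real policy, feed the output of `gcloud projects get-iam-policy PROJECT --format=json` to `audit_cloudsql_client`; the audit deliberately treats any condition it does not recognise as "all instances" rather than guessing, so a reported `*` means the binding needs a human look, not necessarily that it is wrong.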
10

Unfortunately, Cloud SQL currently does not support instance level IAM policies.

The only workaround is hosting the instances in different projects.

Serous answered 28/9, 2017 at 16:23 Comment(5)
Thank you. Managing multiple projects for the same application seems like it might introduce other problems. Is there a way to request instance-level IAM policies for Cloud SQL? - Varied
You can submit feature requests on the Cloud SQL issue tracker: cloud.google.com/support/docs/issue-trackers - Serous
Does anyone know if this is still the case? - Likelihood
@Likelihood you can follow the status here: issuetracker.google.com/issues/68765990 - Earpiece
I originally accepted this answer, but with the latest release of Google Cloud SQL, you can use conditional IAM to restrict access, as described in the new accepted answer. - Varied
© 2022 - 2024 — McMap. All rights reserved.