Connecting to Cloud SQL from Cloud Run via cloud-sql-proxy with IAM login enabled

I would like to connect to a Cloud SQL instance from Cloud Run, using a service account. The connection used to be created within the VPC and we would just provide a connection string with a user and a password to our PostgreSQL client. But now we want the authentication to be managed by Google Cloud IAM, with the service account associated with the Cloud Run service.

On my machine, I can use the enable_iam_login argument to use my own service account. The command to run the Cloud SQL proxy would look like this:

./cloud_sql_proxy -dir=/cloudsql -instances=[PROJECT-ID]:[REGION]:[INSTANCE] \
-enable_iam_login -credential_file=${HOME}/.config/gcloud/application_default_credentials.json

The problem is that I can't seem to find a way to use the IAM authentication method to run the Cloud SQL Proxy from Cloud Run; I can just provide an instance name. Has anyone faced this problem before?


Solution 1:

Unfortunately, there isn't a way to configure Cloud Run's use of the Cloud SQL proxy to do this for you.

If you are using Java, Python, or Go, there are language-specific connectors you can use from Cloud Run. These all have the option to use IAM DB AuthN as part of them.
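As an added example (not part of the original answer), this is how IAM database authentication looks with the Cloud SQL Python Connector and the pg8000 driver. The environment variable names and helper function names are assumptions made for illustration; the Cloud Run service account needs the Cloud SQL Client and Cloud SQL Instance User roles and must exist as an IAM database user on the instance.

```python
"""IAM database authentication from Cloud Run via the Cloud SQL Python Connector."""
import os

SA_SUFFIX = ".gserviceaccount.com"


def iam_db_user(service_account_email: str) -> str:
    """PostgreSQL IAM user name for a service account: the email minus the suffix."""
    email = service_account_email.strip()
    local, _, domain = email.partition("@")
    if not local or not domain.endswith(SA_SUFFIX) or domain == SA_SUFFIX:
        raise ValueError(f"not a service account email: {service_account_email!r}")
    return email[: -len(SA_SUFFIX)]


def connect_args(instance: str, service_account_email: str, database: str) -> dict:
    """Arguments for Connector.connect(); no password is passed with IAM auth."""
    parts = instance.split(":")
    if len(parts) < 3 or not all(parts):
        raise ValueError("instance must look like PROJECT-ID:REGION:INSTANCE")
    return {
        "instance_connection_string": instance,
        "driver": "pg8000",
        "user": iam_db_user(service_account_email),
        "db": database,
        "enable_iam_auth": True,  # connector logs in with the service account's token
    }


def open_connection(instance: str, service_account_email: str, database: str):
    # Imported lazily; requires: pip install "cloud-sql-python-connector[pg8000]"
    from google.cloud.sql.connector import Connector

    args = connect_args(instance, service_account_email, database)
    connector = Connector()  # uses the Cloud Run service account's default credentials
    conn = connector.connect(
        args.pop("instance_connection_string"), args.pop("driver"), **args
    )
    return connector, conn


if __name__ == "__main__":
    # Assumed variable names, set on the Cloud Run service.
    connector, conn = open_connection(
        os.environ["INSTANCE"], os.environ["DB_IAM_SA"], os.environ["DB_NAME"]
    )
    try:
        cur = conn.cursor()
        cur.execute("SELECT current_user")
        print(cur.fetchone())
    finally:
        conn.close()
        connector.close()
```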

Solution 2:

For anyone using NodeJS on Cloud Run:

  • you can't enable the -enable_iam_login option in Cloud Run (cf. accepted answer), which means you have to use a connector.
  • AFAIK, there is no NodeJS connector right now.

Which means you have 2 options:

  • write a connector yourself (good luck) or wait for Google to do it
  • use built-in database authentication for now.