feat: Added '-enable_iam_login' flag for IAM db authentication #583
Conversation
58ea1dc to dc724da
If I'm interpreting this correctly, it looks like we're relying on gcloud to create the oauth2 token for us. Any reason why we can't do something in-process, and not be limited to having gcloud commands?
@shawnhuang-gg It looks like you are still working on this, but when you are ready for another review please just click the "request review" button to make sure it hits my inbox.
A few nits documentation-wise, otherwise LGTM.
LGTM
@shawnhuang-gg This is good to go on our end. Once the changes have been rolled out we can trigger the tests and merge. Otherwise we can merge sooner if we have the ability to allow-list the testing project early.
@shawnhuang-gg This LGTM on our end. Will follow up via email regarding testing.
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
Co-authored-by: Kurtis Van Gent <31518063+kurtisvg@users.noreply.github.com>
Change Description
This PR introduces the client-side changes needed for utilizing the access token for cloudsql proxy IAM database authentication. The feature is gated by the newly introduced flag --enable_iam_login. When enabled, it includes the access token in the sqladmin.SslCertsCreateEphemeralRequest and sends the request to create an ephemeral cert with the access token info in it, which will later be used to perform IAM authentication. The access token has a TTL of 1 hour and the SSL cert will be refreshed whenever the access token expires or the cert expires.
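The refresh rule in the description (re-create the ephemeral cert whenever the access token or the cert itself expires) is easy to get subtly wrong: a cert minted with an access token is only useful while that token is valid, so a token rollover has to force a cert refresh even when the cert's own NotAfter is far away. The following is an added example, not code from this PR or from the cloudsql-proxy project, that models that rotation with in-memory test doubles. The rotator type, the 5-minute refreshBuffer, and the fake token and cert sources are assumptions; no SQL Admin API call is made.

```go
package main

import (
	"fmt"
	"time"
)

// Hypothetical sources. In the real proxy the access token comes from the
// Google credential source and the cert from the SQL Admin API's
// SslCertsCreateEphemeral call; this example performs neither.
type tokenSource func(now time.Time) (token string, expiry time.Time)
type certMinter func(token string, now time.Time) (serial int, notAfter time.Time)

// refreshBuffer is an assumed safety margin so a refresh starts before a
// credential actually lapses; the PR does not specify one.
const refreshBuffer = 5 * time.Minute

// rotator keeps the IAM login credentials for one instance fresh: the
// OAuth2 access token (about a 1h TTL) and the ephemeral client cert that
// was created with that token embedded in the create request.
type rotator struct {
	tokens tokenSource
	mint   certMinter

	token       string
	tokenExpiry time.Time
	certToken   string // token that was sent when the current cert was created
	certSerial  int
	certExpiry  time.Time
	Refreshes   int // ephemeral certs created so far
}

func (r *rotator) tokenStale(now time.Time) bool {
	return r.token == "" || !now.Add(refreshBuffer).Before(r.tokenExpiry)
}

// certStale is true when the cert is about to expire, or when the token it
// was minted with has since been replaced: a cert tied to an expired token
// cannot complete IAM authentication even if its own NotAfter is far off.
func (r *rotator) certStale(now time.Time) bool {
	return r.certSerial == 0 ||
		!now.Add(refreshBuffer).Before(r.certExpiry) ||
		r.certToken != r.token
}

// ensure returns the cert serial and token valid at now, refreshing either
// credential first if needed. The token is checked before the cert so that a
// token refresh always forces a cert refresh in the same call.
func (r *rotator) ensure(now time.Time) (serial int, token string) {
	if r.tokenStale(now) {
		r.token, r.tokenExpiry = r.tokens(now)
	}
	if r.certStale(now) {
		r.certSerial, r.certExpiry = r.mint(r.token, now)
		r.certToken = r.token
		r.Refreshes++
	}
	return r.certSerial, r.token
}

// newFakeRotator wires deterministic in-memory sources (constructed test
// doubles, no network) that issue tokens and certs with the given lifetimes.
func newFakeRotator(tokenTTL, certTTL time.Duration) *rotator {
	nTok, nCert := 0, 0
	return &rotator{
		tokens: func(now time.Time) (string, time.Time) {
			nTok++
			return fmt.Sprintf("token-%d", nTok), now.Add(tokenTTL)
		},
		mint: func(_ string, now time.Time) (int, time.Time) {
			nCert++
			return nCert, now.Add(certTTL)
		},
	}
}

func main() {
	// Walk a 3h window in 5m steps with a 1h token and a 24h cert: the cert
	// is re-created only when the token rolls over.
	r := newFakeRotator(time.Hour, 24*time.Hour)
	start := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	for now := start; now.Before(start.Add(3 * time.Hour)); now = now.Add(5 * time.Minute) {
		before := r.Refreshes
		serial, tok := r.ensure(now)
		if r.Refreshes != before {
			fmt.Printf("%s: new cert #%d using %s\n", now.Sub(start), serial, tok)
		}
	}
}
```

Swapping the fake certMinter for a 10-minute cert shows the other trigger: the cert is re-minted on its own expiry while the still-valid token is reused, so both expiry conditions from the description drive the refresh independently.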