Commit ec63ee6

chore: add service account impersonation example to README (#2435)
1 parent bd6edfa commit ec63ee6

File tree: 1 file changed (+34, -1 lines)


README.md

Lines changed: 34 additions & 1 deletion
@@ -22,7 +22,7 @@ The Cloud SQL Auth Proxy has support for:
2222
- [Automatic IAM Authentication][iam-auth] (Postgres and MySQL only)
2323
- Metrics ([Cloud Monitoring][], [Cloud Trace][], and [Prometheus][])
2424
- [HTTP Healthchecks][health-check-example]
25-
- Service account impersonation
25+
- [Service account impersonation](#configuring-service-account-impersonation)
2626
- Separate Dialer functionality released as the [Cloud SQL Go Connector][go connector]
2727
- Configuration with [environment variables](#config-environment-variables)
2828
- Fully POSIX-compliant flags
@@ -343,6 +343,7 @@ query param:
343343
> ./cloud-sql-proxy --unix-socket C:\cloudsql myproject:my-region:mysql
344344
> ```
345345

346+
346347
### Configuring IAM Database Authentication
347348

348349
The Proxy supports [Automatic IAM Database Authentication][iam-auth] for MySQL
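Review bot: the only change in this hunk (line 346) is a second blank line before `### Configuring IAM Database Authentication`, which renders identically and just leaves a double blank line in the source; drop it from this commit, or if the intent was consistent spacing, apply it before every `###` heading rather than only this one.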
@@ -381,6 +382,38 @@ and to [add your IAM principal as a database user][iam-auth-user].
381382
> * For a service account, this is the service account's email address without
382383
> the `@project-id.iam.gserviceaccount.com` suffix.
383384
385+
386+
### Configuring Service Account Impersonation
387+
388+
The Proxy supports [service account impersonation](https://cloud.google.com/iam/docs/impersonating-service-accounts).
389+
This allows the Proxy to act as a different service account, which can be useful
390+
for granting access to resources that are not accessible to the default IAM
391+
principal.
392+
393+
To use service account impersonation, you must have the
394+
`iam.serviceAccounts.getAccessToken` permission on the IAM principal
395+
impersonating another service account. You can grant this permission by assigning
396+
the `roles/iam.serviceAccountTokenCreator` role to the IAM principal.
397+
398+
To impersonate a service account, use the `--impersonate-service-account` flag:
399+
400+
> [!NOTE]
401+
>
402+
> The impersonated service account must have the `Service Usage Consumer` and
403+
`Cloud SQL Client` permissions.
404+
> Additionally, to use IAM Authenticated users, add the `Cloud SQL Instance User`
405+
permission.
406+
407+
408+
```shell
409+
# Starts a listener on localhost:5432 and impersonates the service account
410+
411+
# The Proxy will use the credentials of the principal running the Proxy to
412+
# generate a short-lived access token for the impersonated service account.
413+
./cloud-sql-proxy --impersonate-service-account \
414+
[email protected] <INSTANCE_CONNECTION_NAME>
415+
```
416+
384417
### Configuring DNS domain names to identify instances
385418
386419
The Proxy can be configured to use DNS to look up an instance. This would
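Review bot: lines 393-396 state the grant backwards: `iam.serviceAccounts.getAccessToken` is evaluated on the target (impersonated) service account, not on the principal running the Proxy, so `roles/iam.serviceAccountTokenCreator` has to be bound to the caller on that service account; reword to something like "the principal running the Proxy must have the `iam.serviceAccounts.getAccessToken` permission on the service account it impersonates, for example by granting it `roles/iam.serviceAccountTokenCreator` on that service account". In the admonition at lines 400-405, lines 403 and 405 are missing the leading `> `, so `` `Cloud SQL Client` permissions. `` and `permission.` fall out of the blockquote and render as a stray paragraph; `Service Usage Consumer`, `Cloud SQL Client` and `Cloud SQL Instance User` are also roles (`roles/serviceusage.serviceUsageConsumer`, `roles/cloudsql.client`, `roles/cloudsql.instanceUser`), not permissions, so say "roles" and name them as such. Finally, line 398 ends with a colon introducing the flag, but the note is inserted before the code block at line 408; move the note above line 398 or below the closing fence so the colon leads straight into the example.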
