Support for IAM users and MCP together #2465

@micahjsmith

Description

Bug Description

I have a Cloud SQL postgres DB with IAM auth enabled and managed connection pooling (MCP). I am unable to authenticate using local psql and local cloud-sql-proxy via passwordless auto IAM auth.

Upon reading the MCP docs carefully (https://cloud.google.com/sql/docs/postgres/managed-connection-pooling) I see:

  • "You must be connected to your instance using a valid username and password. IAM and IAM group users aren't supported when using Managed Connection Pooling."
  • "TCP port 5432: used for direct connections by the Postgres database server. This is the default port number used when directly connecting using psql client."
  • "TCP port 3307: used for the Cloud SQL Auth Proxy only connections by a PgBouncer server. When you use Cloud SQL Auth Proxy to connect to Pgbouncer, this port number is configured with the Cloud SQL Auth Proxy client and can't be changed."

Based on this, I understand that I may be able to directly connect as an IAM user to port 5432, but connections via the proxy via port 3307 will fail. I'm trying to understand why this limitation is in place and if it is possible to remove it. For example, I'd like developers to connect as IAM users via cloud sql proxy port 5432 but have prod workloads connect to port 6432.

Can support for Cloud SQL Proxy + IAM Auth + MCP be added by customizing the server port used or similar?

(Edited issue based on my realization that MCP is the cause of auth issues)

Example code (or command)

No response

Stacktrace

Steps to reproduce?

Debugging steps (on a sandbox instance with a public IP)

  1. Create an instance:
gcloud sql instances create my-instance --database-version=POSTGRES_17 --tier db-perf-optimized-N-2 --zone=us-central1-f --root-password=$SUPERUSERPASSWORD --database-flags=cloudsql.iam_authentication=on
  2. Start cloud sql proxy and connect to the instance via cloud sql proxy. Confirm that cloud sql proxy is authenticated as myself as the IAM principal (me@company.com) via ADC:
$ curl https://www.googleapis.com/oauth2/v1/tokeninfo -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$(gcloud auth application-default print-access-token)" | jq .email
"me@company.com"
$ cloud-sql-proxy --auto-iam-authn my-project:us-central1:my-instance
$ psql "postgresql://me%40company.com:@127.0.0.1:5432/postgres" -c 'SELECT 1'
 ?column? 
----------
        1
(1 row)
  3. Enable MCP via the cloud console.
  4. Connect directly to the instance as the IAM user using manual IAM auth following here:
$ psql "postgresql://me%40company.com:$(gcloud sql generate-login-token --application-default-credential)@$INSTANCEIP:5432/postgres" -c "SELECT 1"
 ?column? 
----------
        1
(1 row)

Separately confirm that my identity shows up correctly in postgres after connection via this method:
postgres=> \c
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off, ALPN: postgresql)
You are now connected to database "postgres" as user "me@company.com".
  5. Restart the proxy. Try again to connect to the instance via the proxy. If I don't provide a password (which I didn't before), I am now prompted. If I add --no-password, I now get an error message that no password is supplied. I observe that the proxy does handle and close a connection.
$ psql "postgresql://me%40company.com:@127.0.0.1:5432/postgres" --no-password
psql: error: connection to server at "127.0.0.1", port 5432 failed: fe_sendauth: no password supplied
2025/06/25 19:49:01 [my-project:us-central1:my-instance] Accepted connection from 127.0.0.1:62206
2025/06/25 19:49:01 [my-project:us-central1:my-instance] Now = 2025-06-25T23:49:01Z, Current cert expiration = 2025-06-25T23:49:35Z
2025/06/25 19:49:01 [my-project:us-central1:my-instance] Cert is valid = true
2025/06/25 19:49:01 [my-project:us-central1:my-instance] Dialing $INSTANCEIP:3307
2025/06/25 19:49:01 [my-project:us-central1:my-instance] IO Error on Read or Write: read tcp 172.27.238.40:62207->$INSTANCEIP:3307: use of closed network connection
2025/06/25 19:49:01 [my-project:us-central1:my-instance] client closed the connection

Environment

  1. OS type and version: macOS 15.4.1
  2. Cloud SQL Proxy version (./cloud-sql-proxy --version): cloud-sql-proxy version 2.17.1+darwin.arm64
  3. Proxy invocation command (for example, ./cloud-sql-proxy --port 5432 INSTANCE_CONNECTION_NAME): cloud-sql-proxy --auto-iam-authn my-project:us-central1:my-instance

Additional Details

No response
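The difference between step 2 (psql connects with an empty password) and step 5 (fe_sendauth: no password supplied) comes down to what the listener sends back right after the client's StartupMessage: AuthenticationOk, or a request for a password. The following is an added example, not code from the issue or from the Cloud SQL Auth Proxy project. It speaks just enough of the PostgreSQL v3 wire protocol to send a StartupMessage to a plaintext listener (for example the local proxy port 127.0.0.1:5432 used above) and decode the backend's first reply, so the auth method demanded by each path can be compared directly. Host, port and user are supplied by the caller; no TLS is negotiated, so it is not meant for a direct connection to the instance IP, which the \c output above shows is an SSL session. The sample replies in SAMPLE_REPLIES are constructed, not captured from a real instance.

```python
"""Probe which authentication method a PostgreSQL listener demands.

Added example (not from the issue or the cloud-sql-proxy project): sends a
v3 StartupMessage over a plaintext TCP connection and decodes the backend's
first message. Host, port and user are assumptions passed by the caller.
"""
import socket
import struct
import sys

PROTOCOL_V3 = 196608  # major 3, minor 0, as an int32

# Authentication request codes from the PostgreSQL protocol documentation.
AUTH_CODES = {
    0: "AuthenticationOk",
    2: "AuthenticationKerberosV5",
    3: "AuthenticationCleartextPassword",
    5: "AuthenticationMD5Password",
    7: "AuthenticationGSS",
    9: "AuthenticationSSPI",
    10: "AuthenticationSASL",
}

# Constructed sample replies (not captured from a real instance) so the
# decoder can be exercised offline.
SAMPLE_REPLIES = {
    "listener accepts the passwordless login": b"R\x00\x00\x00\x08\x00\x00\x00\x00",
    "listener asks for a cleartext password": b"R\x00\x00\x00\x08\x00\x00\x00\x03",
}


def build_startup_message(user: str, database: str = "postgres") -> bytes:
    """Encode a StartupMessage: int32 length, int32 protocol version, then
    key/value pairs as NUL-terminated strings, closed by a final NUL."""
    body = struct.pack("!i", PROTOCOL_V3)
    for key, value in (("user", user), ("database", database)):
        body += key.encode() + b"\x00" + value.encode() + b"\x00"
    body += b"\x00"
    return struct.pack("!i", len(body) + 4) + body


def classify_response(data: bytes) -> str:
    """Decode the first backend message after a StartupMessage and return
    the authentication method requested, or the SQLSTATE and message of an
    ErrorResponse. Only the first message in the buffer is examined."""
    if len(data) < 5:
        raise ValueError("response too short to contain a message header")
    msg_type = data[0:1]
    (length,) = struct.unpack("!i", data[1:5])
    payload = data[5:1 + length]
    if msg_type == b"R":
        (code,) = struct.unpack("!i", payload[:4])
        return AUTH_CODES.get(code, f"Authentication(code={code})")
    if msg_type == b"E":
        # ErrorResponse: repeated (field-type byte, NUL-terminated string).
        fields = {}
        for field in payload.split(b"\x00"):
            if field:
                fields[field[0:1].decode()] = field[1:].decode(errors="replace")
        return f"ErrorResponse {fields.get('C', '?')}: {fields.get('M', '?')}"
    return f"Unexpected message type {msg_type!r}"


def probe(host: str, port: int, user: str, database: str = "postgres",
          timeout: float = 5.0) -> str:
    """Connect in plaintext, send the StartupMessage and classify the first
    reply. The socket is closed without completing authentication."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_startup_message(user, database))
        data = sock.recv(65536)
    return classify_response(data)


def demo() -> dict:
    """Run the decoder over the constructed samples (offline)."""
    return {name: classify_response(raw) for name, raw in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    if len(sys.argv) == 4:
        print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
    else:
        for name, result in demo().items():
            print(f"{name}: {result}")
```

Run it as `python3 probe.py 127.0.0.1 5432 me@company.com` against the proxy listener before and after enabling MCP; a reply of AuthenticationOk matches the passwordless run in step 2, while AuthenticationCleartextPassword or AuthenticationSASL is what makes libpq fail with fe_sendauth when no password is available. The user name goes into the StartupMessage raw, so no %40 encoding is needed here, unlike in a libpq URI.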

Labels

  • priority: p2 (Moderately-important priority. Fix may not be included in next release.)
  • type: feature request ('Nice-to-have' improvement, new feature or different behavior or design.)
