Support for --impersonate-service-account #417
Comments
Any movement on this? Is it even possible to use impersonation with cloud_sql_proxy? I'm not generating static non-expiring keys for my service accounts.
It looks like the SQLAdmin client provides a hook for doing this now: https://pkg.go.dev/google.golang.org/api/option#ImpersonateCredentials
Are there any updates or status on this? The only way I have been able to impersonate is with gcloud via The support for this is so poor. Can I run
Bumping up the priority on this. Right now there's not a good built-in way to do this. For people who didn't see the StackOverflow post, a current workaround looks like this:
We're presently working on a v2 of the proxy, which will include a new dialer as well. We plan to add support for impersonating an account there (see the tracking issue linked above for progress).
Are there any updates on whether this might be supported in v2? I couldn't find any reference of it when looking at the tracking issue. Thanks!
Yes, we will support this in v2. With the new Go Connector this is an easy fix.
Looking at this again, there's a new API that will return a token source with impersonated credentials. https://pkg.go.dev/google.golang.org/api@v0.94.0/impersonate So in effect, we'd just need to expose some CLI flags to configure that token source and be good.
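What impersonation amounts to on the wire, as an added example (not code from the proxy or from anyone in this thread): the caller's own credential is exchanged at the IAM Credentials `generateAccessToken` endpoint for a short-lived token of the target service account, which is the call the impersonate package linked above wraps in a token source. `FakeIAM`, the token strings and the service-account e-mail are constructed so the example runs offline; in production `base` is `https://iamcredentials.googleapis.com`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

type Token struct { // fields of the generateAccessToken response
	AccessToken string    `json:"accessToken"`
	ExpireTime  time.Time `json:"expireTime"`
}

// MintToken trades the caller's own token for a short-lived token of target.
func MintToken(base, callerTok, target string, ttl time.Duration) (*Token, error) {
	body := fmt.Sprintf(`{"scope":["https://www.googleapis.com/auth/sqlservice.admin"],"lifetime":"%ds"}`, int(ttl.Seconds()))
	req, err := http.NewRequest(http.MethodPost, base+"/v1/projects/-/serviceAccounts/"+target+":generateAccessToken", strings.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+callerTok)
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // e.g. caller lacks roles/iam.serviceAccountTokenCreator
		return nil, fmt.Errorf("impersonating %s: %s", target, resp.Status)
	}
	tok := &Token{}
	return tok, json.NewDecoder(resp.Body).Decode(tok)
}

func FakeIAM(allowedTok string) *httptest.Server { // constructed stand-in for the IAM Credentials API
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+allowedTok {
			http.Error(w, "PERMISSION_DENIED", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, `{"accessToken":"constructed-token","expireTime":"2030-01-01T00:00:00Z"}`)
	}))
}

func main() {
	fmt.Println(MintToken(FakeIAM("caller-token").URL, "caller-token", "sa@example.iam.gserviceaccount.com", 5*time.Minute))
}
```

The returned token expires on its own, so nothing long-lived has to be stored next to the proxy; the only standing grant is the caller's permission to impersonate the target account.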
Thinking about CLI flags, I think the proxy would only need to expose The proxy knows the necessary
Bumping the priority up since there's a lot of interest here.
We'll have this in the next release which we'll cut before next month.
It would be nice, if Cloud SQL Proxy supports the --impersonate-service-account flag similar to the corresponding flag in gcloud. This would help to use impersonation out-of-the-box instead of long-running and possibly non-personalized service-account credentials.