Environment
- Google Cloud Platform (GCP)
- Cloud SQL PostgreSQL instance with private IP only
- Bastion host with private IP only
- Identity-Aware Proxy (IAP) for bastion host access
- DBeaver as SQL client
Problem
I'm trying to connect to a PostgreSQL instance in Google Cloud SQL from my local machine. The database has only a private IP address, so I'm using a bastion host to access it.
Bastion has a systemd service that is using
/usr/local/bin/cloud-sql-proxy --auto-iam-authn --private-ip --address 0.0.0.0 --port 3307 [connection-string]
I've set up IAP TCP forwarding to the bastion host with this command:
gcloud compute start-iap-tunnel [bastion-name] 3307 --local-host-port=localhost:5432 --zone=[zone]
When I try to connect through DBeaver using:
- Host: localhost
- Port: 5432
- Database: db_name
- Username: [email protected]
- Password: (empty)
I receive the following error:
FATAL: Cloud SQL IAM user authentication failed for user "[email protected]"
This setup previously worked when I was using cloud-sql-proxy locally. However, now that cloud-sql-proxy is running on the bastion host, the authentication fails.
Tags
google-cloud-platform google-cloud-sql postgresql iap bastion-host cloud-sql-proxy authentication iam
What I've tried
I've confirmed that my user account has the necessary IAM permissions and has been added to Cloud SQL. The direct connection using cloud-sql-proxy from my local machine worked before, but I need to route through the bastion host now.
What might be causing this authentication failure, and how can I properly configure the connection to maintain IAM authentication while going through the bastion host?
Environment
- Google Cloud Platform (GCP)
- Cloud SQL PostgreSQL instance with private IP only
- Bastion host with private IP only
- Identity-Aware Proxy (IAP) for bastion host access
- DBeaver as SQL client
Problem
I'm trying to connect to a PostgreSQL instance in Google Cloud SQL from my local machine. The database has only a private IP address, so I'm using a bastion host to access it.
Bastion has a systemd service that is using
/usr/local/bin/cloud-sql-proxy --auto-iam-authn --private-ip --address 0.0.0.0 --port 3307 [connection-string]
I've set up IAP TCP forwarding to the bastion host with this command:
gcloud compute start-iap-tunnel [bastion-name] 3307 --local-host-port=localhost:5432 --zone=[zone]
When I try to connect through DBeaver using:
- Host: localhost
- Port: 5432
- Database: db_name
- Username: [email protected]
- Password: (empty)
I receive the following error:
FATAL: Cloud SQL IAM user authentication failed for user "[email protected]"
This setup previously worked when I was using cloud-sql-proxy locally. However, now that cloud-sql-proxy is running on the bastion host, the authentication fails.
Tags
google-cloud-platform google-cloud-sql postgresql iap bastion-host cloud-sql-proxy authentication iam
What I've tried
I've confirmed that my user account has the necessary IAM permissions and has been added to Cloud SQL. The direct connection using cloud-sql-proxy from my local machine worked before, but I need to route through the bastion host now.
What might be causing this authentication failure, and how can I properly configure the connection to maintain IAM authentication while going through the bastion host?
Share Improve this question edited Mar 17 at 13:58 Артём Викторович asked Mar 17 at 13:56 Артём ВикторовичАртём Викторович 11 bronze badge1 Answer
Reset to default 0When you enable IAM Auth, the proxy will use the IAM token from the machine where it is running. When you run the proxy locally, it will use your gcloud auth credentials. However, if you run it on the bastion host, it will use the service account from that host.
We recommend running the Auth Proxy locally, however, mainly for security reasons.