GCP CloudSQL, IAM and Hasura

I'm rolling out Hasura on GKE, and I need for it to connect to CloudSQL via IAM.

While most of the tutorials online describe the use of k8s secrets for usernames and passwords, I would like for Hasura to connect via IAM. That means no passwords.

What's the best way to craft the HASURA_GRAPHQL_DATABASE_URL to make that happen?



Solution 1:[1]

So in the end it was postgres' paramspec to the rescue. By crafting the connection string as follows for the HASURA_GRAPHQL_DATABASE_URL:

postgres://localhost:5432/[email protected]

I was able to connect successfully, with workload-identity and a sidecar with cloudsql-proxy as @kurtisvg suggested.

Solution 2:[2]

I'd suggest using automatic IAM database authentication, using the Cloud SQL Auth proxy. You can follow the Connect from GKE instructions, and just modify the sidecar command to use the -enable_iam_login instead of a secret for the password.
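The setup both answers describe, written out as a Deployment manifest. This is an added example, not part of either answer or of the Hasura or Cloud SQL documentation. Every `<PLACEHOLDER>` value and the resource names are assumptions, and the proxy image and flags are those of the v1 Cloud SQL Auth proxy that `-enable_iam_login` belongs to.

```yaml
# Added example; every <PLACEHOLDER> is an assumption, not a value from the page.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hasura
spec:
  replicas: 1
  selector:
    matchLabels: {app: hasura}
  template:
    metadata:
      labels: {app: hasura}
    spec:
      # Kubernetes service account bound to a Google service account through
      # Workload Identity (it carries the iam.gke.io/gcp-service-account
      # annotation), so no key file or password secret is mounted in the pod.
      serviceAccountName: <KSA_NAME>
      containers:
        - name: hasura
          image: hasura/graphql-engine:<VERSION>
          ports:
            - containerPort: 8080
          env:
            # No password and no userinfo part: the user is passed in libpq's
            # "user" URI parameter. For a service account, the Cloud SQL IAM
            # user is its email without the ".gserviceaccount.com" suffix.
            - name: HASURA_GRAPHQL_DATABASE_URL
              value: "postgres://localhost:5432/<DB_NAME>?user=<GSA_NAME>@<PROJECT_ID>.iam"
        - name: cloud-sql-proxy
          image: gcr.io/cloudsql-docker/gce-proxy:<V1_VERSION>
          command:
            - /cloud_sql_proxy
            # "tcp:5432" binds to 127.0.0.1 only; containers in the pod share it.
            - -instances=<INSTANCE_CONNECTION_NAME>=tcp:5432
            # The proxy supplies a short-lived OAuth2 token as the password.
            - -enable_iam_login
          securityContext:
            runAsNonRoot: true
```

For the login to succeed, the instance needs the `cloudsql.iam_authentication` flag turned on, and the Google service account needs the Cloud SQL Client and Cloud SQL Instance User roles and must be added to the instance as an IAM database user. Database privileges are still granted to that user in Postgres itself.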

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Tom K
Solution 2 kurtisvg