Closed thomascjohnson closed 2 years ago
As a follow up, I was able to successfully use the built-in postgres
DB type (see here) with the service account as the name and an access token generated via
gcloud auth print-access-token --impersonate-service-account=$SERVICE_ACCOUNT
However, providing the same username and password via the Cloud SQL JDBC Socket Factory did not work. The error message is the same as above.
I've also tried using these instructions to no avail. Any ideas?
So I can't speak for KeyCloak, but one issue with your setup is that you should use either the Cloud SQL Java connector or the Cloud SQL auth proxy - using both is redundant (which is why you aren't seeing any connections to the proxy).
If you use the Java connector, you don't need to run the proxy. I don't see anything wrong with your JDBC url, so my guess is that Keycloak isn't correctly picking up or using the socket factory (based on the logs not showing any initialization for it).
If you use the proxy, you don't need the java connector. But you will need to add the -enable-iam-login flag to enable it to use IAM DB AuthN. Then you can connect to the proxy just like it's a database without the java-connector.
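As an added illustration of the point above (this is not code from the issue, from Keycloak or from the Cloud SQL project): a small Python check that reads a jdbc:postgresql URL together with whether the Auth proxy is running and reports which of the two paths is in use, whether both are configured at once, and whether a proxy-based IAM login is missing -enable-iam-login. The two sample URLs are constructed placeholders; the property names cloudSqlInstance, socketFactory, enableIamAuth and sslmode=disable are the ones the connector README documents for IAM mode, and treating any user name containing '@' as an IAM database user is a heuristic assumed here.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs (placeholders, not the reporter's real values).
# Connector path: no host, instance named via cloudSqlInstance, IAM enabled,
# sslmode=disable and the placeholder password the connector README shows.
CONNECTOR_URL = ("jdbc:postgresql:///keycloak"
                 "?cloudSqlInstance=my-project:us-central1:my-instance"
                 "&socketFactory=com.google.cloud.sql.postgres.SocketFactory"
                 "&enableIamAuth=true&sslmode=disable"
                 "&user=keycloak-sa@my-project.iam&password=password")
# Proxy path: plain driver pointed at the proxy on the host, IAM user name.
PROXY_URL = "jdbc:postgresql://127.0.0.1:5432/keycloak?user=keycloak-sa@my-project.iam"


def parse_jdbc_postgres_url(url):
    """Return (host, port, database, params) for a jdbc:postgresql URL."""
    if not url.startswith("jdbc:postgresql:"):
        raise ValueError("not a jdbc:postgresql URL")
    # Drop the 'jdbc:' prefix so urlsplit sees 'postgresql' as the scheme.
    parts = urlsplit(url[len("jdbc:"):])
    # Keep the last value of each query key, as the driver would.
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    return parts.hostname, parts.port, parts.path.lstrip("/"), params


def audit(url, proxy_running, proxy_flags=()):
    """Classify a Keycloak -> Cloud SQL setup the way the maintainer's reply
    does: the Java connector and the Auth proxy are alternatives, and IAM
    login through the proxy needs the -enable-iam-login flag.
    Returns a list of findings; an empty list means nothing to fix."""
    host, port, db, params = parse_jdbc_postgres_url(url)
    uses_connector = "socketFactory" in params
    # Heuristic (assumption): Postgres IAM database users carry an '@'
    # (alice@example.com, sa-name@project.iam), unlike built-in users.
    wants_iam = (params.get("enableIamAuth", "").lower() == "true"
                 or "@" in params.get("user", ""))
    findings = []
    if uses_connector and proxy_running:
        findings.append("redundant: socketFactory set while a proxy is running; use one")
    if uses_connector:
        if "cloudSqlInstance" not in params:
            findings.append("connector path: cloudSqlInstance=<project:region:instance> missing")
        if wants_iam and params.get("enableIamAuth", "").lower() != "true":
            findings.append("connector path: IAM user without enableIamAuth=true")
        if wants_iam and params.get("sslmode") != "disable":
            findings.append("connector path: IAM auth documented with sslmode=disable")
    else:
        if not proxy_running:
            findings.append("no connector and no proxy: nothing provides a network path")
        elif wants_iam and "-enable-iam-login" not in proxy_flags:
            findings.append("proxy path: start the proxy with -enable-iam-login for IAM DB AuthN")
        if "enableIamAuth" in params:
            findings.append("proxy path: enableIamAuth is a connector property; the proxy ignores it")
    return findings


if __name__ == "__main__":
    # The reporter's situation: connector properties in the URL and a proxy
    # on the host at the same time.
    for finding in audit(CONNECTOR_URL, proxy_running=True):
        print(finding)
```

Run it against your own JDBC URL and the flags you start the proxy with; a clean connector-only or proxy-only setup returns no findings, while the mixed setup from the bug report returns the redundancy finding.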
Kurtis, thank you for your reply! I thought that might be the case, but I was led astray by this line in the root README:
It can not provide a network path to a Cloud SQL instance if one is not already present.
I realize that actually refers to the public IP/private IP with VPC access, now 🤦♂️.
This helps me reduce my uncertainty, so thanks a lot!
Bug Description
I'm trying to connect a Keycloak instance in a container to a Cloud SQL instance via the Cloud SQL proxy running on the host on 5432. Things work when I provide the username and password for an account on the database, but not when I try to use IAM authentication. Hopefully you can spot an error I'm making! :)
Example code (or command)
Cloud SQL Proxy on Host
Dockerfile
(this is just a simplified test case to allow me to ensure I've got the JDBC connection setup correctly, so excuse the lack of proper certificates, inelegant Dockerfile, etc.)
Docker build
Docker run
As far as I can tell, adding the password property as password=password (as shown here) makes no difference
Stacktrace
While this is going on, there is no sign of an actual connection with the Cloud SQL Proxy. As I said above, the connection works when I specify a user and password for a non-IAM user on the instance, regardless of whether I have enableIamAuth set to true or false. I also see no change as a result of setting sslmode=disable. I am also unsure of whether the unixSocketPath will work – I'm having trouble getting a database socket mapped as a volume to work at all with docker, even in simpler cases. Here's a question I wrote on stackoverflow regarding that.
How to reproduce
If the above details aren't enough to get this going, let me know and I can provide any other instructions.
Environment
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.5
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.5"
sh-4.4$ java -version
openjdk version "11.0.14.1" 2022-02-08 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.14.1+1-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.14.1+1-LTS, mixed mode, sharing)