Closed v4runMurthy closed 1 year ago
Hi @v4runMurthy,
Yes, Proxy v2.3.0 does support workload identity federation. We have tested this successfully using all-GCP credentials and services. However, it should work with any supported workload identity configuration, including AWS.
Yes, the proxy does load the application credentials configuration from the file specified in the GOOGLE_APPLICATION_CREDENTIALS environment variable.
Based on the error message, I suspect that the pod lacks permission to access an AWS metadata service due to some combination of Kubernetes roles and AWS IAM policy. I found a similar error and solution from another person trying to set up workload identity on AWS EKS. I suspect that this part of the error:

    error fetching credentials: forbidden by policy

occurs under these circumstances:

    403: forbidden by policy
This is an interesting case. Let us know how you solve it.
@hessjcg thanks for confirming that the cloud-sql-proxy supports WIF with credentials from the path provided to the GOOGLE_APPLICATION_CREDENTIALS environment variable. Your explanation for the AWS metadata service not being accessible makes sense, as I tried to change the IAM role on the pods and got a different AWS error.
I will check this out and post back what I find, after updating access to the AWS metadata service from the EKS pods.
I'm going to close this but if you're still hitting Proxy-related problems, feel free to add more info here and we'll help out.
Question
👋🏼 Hey folks, I could not find a clear explanation for this issue, hence thought this might be the best place to get some clarity on the Cloud SQL proxy setup for Workload Identity Federation (WIF) with AWS.
I have some Kubernetes pods in my AWS project that would like to access my Cloud SQL instance in GCP. I am using cloud-sql-proxy 2.3.0 as a sidecar container on my AWS pods. I followed the WIF docs to set up a pool and provider, and associated it with a service account that has the Cloud SQL Client role assigned to it. The WIF docs mention that the path to the WIF credential configuration file can be passed in the GOOGLE_APPLICATION_CREDENTIALS environment variable. I have attached the WIF configuration file to the cloud-sql-proxy container and passed its path in the GOOGLE_APPLICATION_CREDENTIALS environment variable. However, when I try to connect to a database, I run into the following error, where the request to get the access token seems to be failing.
I initially thought this might be due to a wrong WIF configuration or have to do with a restriction on AWS, but I was able to spin up an alpine container in the same pod and generate the access token using the same WIF configuration, following the REST API authentication steps in the WIF doc. When I started the cloud-sql-proxy with the generated access token, I was able to connect to the Cloud SQL instance; this confirmed that the WIF configuration is correct.
So now I'm trying to understand if the cloud-sql-proxy supports WIF, and if this works when the configuration file path is passed in the GOOGLE_APPLICATION_CREDENTIALS environment variable?
Thanks
Code
No response
Additional Details
No response
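The two technical points in this thread are that the proxy reads an external_account (WIF) credential config from the path in GOOGLE_APPLICATION_CREDENTIALS, and that the token fetch then fails when the pod cannot reach the AWS metadata service. The preflight script below is an added example, not code from the cloud-sql-proxy project or from either poster: it checks that a credential config file has the shape the AWS WIF flow expects and lists the hosts the proxy will have to reach to complete the token exchange, so those can be probed from inside the sidecar before blaming the proxy. The embedded sample config is constructed; the project number, pool, provider and service-account names in it are placeholders, and the check assumes the IMDS-based `aws1` credential_source layout that the WIF docs describe for AWS.

```python
"""Preflight check for an AWS Workload Identity Federation credential config
before pointing cloud-sql-proxy at it via GOOGLE_APPLICATION_CREDENTIALS.

Added example (not cloud-sql-proxy code). The config below is a constructed
sample with placeholder IDs, laid out like the external_account JSON the WIF
docs describe for AWS (assumption: aws1 credential_source using IMDS URLs).
"""
import json
import re
from urllib.parse import urlparse

# Constructed sample WIF credential configuration (placeholders, not real IDs).
SAMPLE_CONFIG = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789012/locations/global/"
                "workloadIdentityPools/aws-pool/providers/aws-provider",
    "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
    "service_account_impersonation_url": (
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "cloudsql-client@example-project.iam.gserviceaccount.com:generateAccessToken"),
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {
        "environment_id": "aws1",
        "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
        "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
        "regional_cred_verification_url":
            "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
        "imdsv2_session_token_url": "http://169.254.169.254/latest/api/token",
    },
})

AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/[^/]+/providers/[^/]+$")
AWS_SUBJECT_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request"
GOOGLE_STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"


def validate_wif_config(text: str) -> list:
    """Return a list of problems found in the config text; [] means it looks usable."""
    problems = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if cfg.get("type") != "external_account":
        # A service-account key or user credential would also load via
        # GOOGLE_APPLICATION_CREDENTIALS, but it is not a WIF config.
        problems.append("type must be 'external_account'")
    if not AUDIENCE_RE.match(cfg.get("audience", "")):
        problems.append("audience is not a //iam.googleapis.com/.../providers/... path")
    if cfg.get("subject_token_type") != AWS_SUBJECT_TOKEN_TYPE:
        problems.append("subject_token_type is not the AWS aws4_request token type")
    if cfg.get("token_url") != GOOGLE_STS_TOKEN_URL:
        problems.append("token_url is not the Google STS token endpoint")
    if not cfg.get("service_account_impersonation_url"):
        # The Cloud SQL Client role is granted to the impersonated service
        # account, so without impersonation the proxy has nothing to connect with.
        problems.append("service_account_impersonation_url is missing")
    src = cfg.get("credential_source", {})
    if not str(src.get("environment_id", "")).startswith("aws"):
        problems.append("credential_source.environment_id is not an AWS environment")
    for key in ("region_url", "url", "regional_cred_verification_url"):
        if key not in src:
            problems.append(f"credential_source.{key} is missing")
    return problems


def required_hosts(text: str) -> list:
    """Hosts the pod must reach for the token exchange, in the order the flow
    uses them: AWS IMDS first (region + temporary credentials), then regional
    AWS STS, then Google STS and the impersonation endpoint.  A blocked IMDS
    shows up in the proxy as a failed credential/token fetch."""
    cfg = json.loads(text)
    src = cfg.get("credential_source", {})
    urls = [src.get("region_url"), src.get("url"), src.get("imdsv2_session_token_url"),
            src.get("regional_cred_verification_url"), cfg.get("token_url"),
            cfg.get("service_account_impersonation_url")]
    hosts = []
    for url in urls:
        host = urlparse(url).hostname if url else None
        if host and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for problem in validate_wif_config(text):
        print("PROBLEM:", problem)
    print("hosts the sidecar must reach:", ", ".join(required_hosts(text)))
```

Run it with the path you put in GOOGLE_APPLICATION_CREDENTIALS (for example `python wif_preflight.py /path/to/wif-config.json`; the script name is illustrative); with no argument it checks the embedded sample. The host list is the useful part for the failure described in this thread: 169.254.169.254 is the first thing the proxy's credential loader talks to, so if that address is unreachable or returns a policy error from inside the sidecar, the problem is the pod's access to the AWS metadata service and not the proxy or the WIF pool configuration.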