Support GCP AlloyDB

[adamstrawson]

What would you like Teleport to do?

We've recently adopted AlloyDB, GCP's new managed database service. However it behaves slightly differently to CloudSQL so the existing GCP CloudSQL connection within Teleport isn't compatible.

The only caveat is that AlloyDB does not currently support IAM User Authentication.

What problem does this solve?

Allows access to GCP AlloyDB via Teleport

[smallinsky]

Thanks for requesting this feature.

Right now as yo mentioned AlloyDB doesn't support db user passwordless IAM authentication like in case of cloud-proxy mysql/postgres integration

The alloydb-cloud-proxy has only support for IAM auth to the AlloyDB instance where a user still needs provide a database user password https://cloud.google.com/alloydb/docs/auth-proxy/connect#connect-application

Lack of support for passwordless auth mechanism is main blocker for Teleport Database Access - GCP AlloyDB integration.

[adamstrawson]

Thanks @smallinsky.

I'm told IAM / passwordless auth is expected to come to AlloyDB in H2, so hopefully later in the year we'll be able to see support within Teleport 🤞

[smallinsky]

Linking dependency to AlloyDB IAM user auth issue: https://github.com/GoogleCloudPlatform/alloydb-auth-proxy/issues/345

[merlindorin]

Lack of support for passwordless auth mechanism is main blocker for Teleport Database Access - GCP AlloyDB integration.

@Tener , @smallinsky , it seems there is some relevant update regarding this issue :

• Natively: https://github.com/GoogleCloudPlatform/alloydb-auth-proxy/issues/345#issuecomment-1802350177
• Through the proxy: https://github.com/GoogleCloudPlatform/alloydb-auth-proxy/issues/345#issuecomment-1813118879

We have a lot of AlloyDB and Teleport features (like request access) are in our critical path for production.

Do you think we can expect some guidelines regarding the last updates? Maybe a native integration? My teams will be happy to test and be the early adopter of the AlloyDB integration.

edit: and of course happy to assist

[adamstrawson]

+1 to Merlin's comment above - we've quite keen to see AlloyDB support in Teleport, and happy to assist in any testing that might be required.

[adamstrawson]

@smallinsky @Tener Are you open to accepting Pull Requests for this issue?

Our current workaround is soon to be not an option for us, and so AlloyDB support within Teleport will be a welcome addition.

Happy to put in the time to add in support if it's not already in progress, and if it's something that might be accepted.

[Tener]

@adamstrawson we welcome any submissions, this feature included 😄 It isn't in progress yet, even though we have it on a tentative roadmap.

@greedy52 may have some additional information on this.

[maximumG]

We looked at the teleport code base to include AlloyDB support properly but we are not sure how to handle this properly as the code base regarding GCP DB support assumed back in the day that only CloudSQL was supported (and it was indeed the case).

As a short term solution, we ended-up hacking a little bit the existing CloudSQL implementation to support AlloyDB in the teleport DB agent code base (v14). https://github.com/backmarket-oss/teleport/commit/44924731ff99c001d54d93ee9687300926c46312

[greedy52]

We looked at the teleport code base to include AlloyDB support properly but we are not sure how to handle this properly as the code base regarding GCP DB support assumed back in the day that only CloudSQL was supported (and it was indeed the case).

As a short term solution, we ended-up hacking a little bit the existing CloudSQL implementation to support AlloyDB in the teleport DB agent code base (v14). backmarket-oss@4492473

Thanks, Maxime! I noticed the same when I was implementing GCP Cloud SQL as PostgreSQL backend recently, that the main difference between Cloud SQL and AlloyDB would be just the scope. And that's for the "manual" IAM auth connections.

For the proper implementation, we should only pick one scope based on the database type. But more importantly, we need to look into supporting Enforce mTLS via AlloyDB connectors which wraps the Postgres connection in a mTLS layer.

Will keep you posted once we decide to work on this.