ryboe / private-ip-cloud-sql-db

An example set of terraform files for deploying a Cloud SQL DB with a private IP address only
MIT License
34 stars, 11 forks

sudo needed to execute docker #9

Open theclue opened 1 year ago

theclue commented 1 year ago

I've noticed that Container OS needs sudo to use docker. Thus, the login command could eventually be modified into this, maybe?

ssh -t $(gcloud compute os-login describe-profile | grep username | sed 's/username: //' | tr -d '\n')@$PROXY_IP sudo docker run --rm --network=host -it logiqx/mysql-client mysql -u root -p -h 127.0.0.1

Additionally, maybe I'm wrong, but... since both the proxy bastion host and the Cloud SQL instance lie in the same VPC, why do you need to use the Cloud SQL proxy to reach it?

Is it not supposed to be directly reachable using the private IP only?

And finally, I was wondering if having the (highly privileged) credentials JSON stored in the clear in the description of the VM could be a security issue...

That said, your setup is absolutely GREAT and I'm working to deploy it on my tenant atm ;)

theclue commented 1 year ago

Ok, I'm investigating the third issue, trying to reinforce it a bit:

resource "google_secret_manager_secret_iam_binding" "secret_iam_binding" {
  project   = var.project_id

  secret_id = google_secret_manager_secret.db_proxy_credentials_secret.name
  role      = "roles/secretmanager.secretAccessor"
  members   = [
    "serviceAccount:${google_service_account.db_proxy_account.email}"
  ]
}

Finally, in the bootstrap template I added these to retrieve the secret (I need to use curl since there's no gcloud in Container OS):

[...]

# Fetch an access token for the VM's attached service account from the metadata server
TOKEN=$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google" | jq -r .access_token)

# Fetch the secret payload from Secret Manager.
# Note: "versions/latest" alone is the *get* call (needs secretmanager.versions.get and returns
# only metadata, no payload); ":access" is the call that returns the payload and is what
# roles/secretmanager.secretAccessor grants (secretmanager.versions.access).
SECRET_VERSION=$(curl -s "https://secretmanager.googleapis.com/v1/projects/your-project-id/secrets/my-secret/versions/latest:access" -H "Authorization: Bearer $TOKEN" | jq -r .payload.data | base64 -d)

# Write the decoded key file, readable by its owner only (it is a service account key)
echo "$SECRET_VERSION" > /var/svc_account_key.json
chmod 600 /var/svc_account_key.json

[...]

At this stage I get a "Permission 'secretmanager.versions.get' denied for resource" error, but I'm digging into it...
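As an added example (not code from this repository or from the commenter), here is a small POSIX sh version of the bootstrap fetch above, written so the parsing and file-handling steps can be exercised offline. It uses the `:access` form of the Secret Manager URL (the plain `versions/latest` GET needs `secretmanager.versions.get` and returns metadata only, while `roles/secretmanager.secretAccessor` grants `secretmanager.versions.access`), refuses to write a key file when the response carries no payload (an error body, for instance), and writes the file with mode 600. The project id, secret name and output path are parameters; jq is used when available, with a sed fallback for hosts that lack it.

```shell
#!/bin/sh
# Added example, not from the repository or the issue thread. Assumes curl, base64 and
# either jq or sed. Project, secret name and output path are supplied as arguments.

METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"

# Return an access token for the VM's attached service account.
fetch_token() {
  curl -sf -H "Metadata-Flavor: Google" "$METADATA_URL" | payload_field access_token
}

# Build the ":access" URL for a secret's latest version. Args: project id, secret name.
secret_access_url() {
  printf 'https://secretmanager.googleapis.com/v1/projects/%s/secrets/%s/versions/latest:access' "$1" "$2"
}

# Print the string value of one top-level-or-nested field named $1 from JSON on stdin.
# jq when present; otherwise a sed pattern that relies on the value containing no quotes
# (true for base64 and for OAuth access tokens).
payload_field() {
  if command -v jq >/dev/null 2>&1; then
    jq -r "(.. | objects | .$1? // empty) | select(type == \"string\")" | head -n 1
  else
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
  fi
}

# Decode the payload of an :access response body (JSON on stdin).
# Exits non-zero when there is no payload, so an error body never becomes a key file.
decode_payload() {
  data=$(payload_field data)
  [ -n "$data" ] || return 1
  printf '%s' "$data" | base64 -d
}

# Write stdin to $1 so that only the owner can read it (umask applied in a subshell
# so the caller's umask is untouched; chmod covers a pre-existing file).
write_private_file() {
  ( umask 077; cat > "$1" ) && chmod 600 "$1"
}

# Report a file's permission bits (e.g. "600"); GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Live path: fetch token, call :access, decode, write. Args: project, secret, output path.
fetch_secret_to_file() {
  token=$(fetch_token) || return 1
  body=$(curl -sf -H "Authorization: Bearer $token" "$(secret_access_url "$1" "$2")") || return 1
  secret=$(printf '%s' "$body" | decode_payload) || return 1
  printf '%s' "$secret" | write_private_file "$3"
}

# Only perform the live fetch when all three arguments are given.
if [ $# -eq 3 ]; then
  fetch_secret_to_file "$1" "$2" "$3"
fi
```

The `payload_field` helper deliberately looks for `"data"` followed by a quote-delimited value, so it does not pick up the sibling `dataCrc32c` field that the :access response also carries.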

ryboe commented 1 year ago

A lot has changed since 2020 and I've recently learned more about Cloud SQL auth. I have a better approach now than the one in this repo. I plan to write a new blog post and heavily revise the code in this repo. I'm glad this code is useful to you, though, and that you're able to iterate on it!

JustinAimiable commented 3 months ago

Hey, I came here because I had the same issue with docker permissions. I ended up ssh'ing onto the proxy and running:

sudo usermod -aG docker $USER

This repo/blog post has been really helpful, although I am curious about your new approach. I know it can be hard to find the time for such an update, but by any chance, could you share some high-level information about how you changed your approach?

I'm trying to set up terraform with a Cloud SQL instance with VPC-only access and connect my Cloud Run service to the DB. At the same time, I want to be able to access the DB securely with IAM permissions, so I do like this approach a lot, but if you've found something better, then I'm really interested :)