Add service account impersonation with Google Cloud SQL Proxy in Google Cloud SQL Operators #39546
Open
Labels
area:providers
good first issue
kind:feature
Feature Requests
provider:google
Google (including GCP) related issues
Description
I would like to be able to access Google Cloud SQL databases via the Google Cloud SQL Proxy and service account impersonation. This feature was introduced for some Google Cloud operators here. Currently, this is not possible since the function that manages the credentials that are passed to the Cloud SQL Proxy only handles service account key files (relevant function) and falls back to the default Google Cloud connection when not available.
The Cloud SQL Proxy recently introduced an additional flag, --impersonate-service-account, that adds support for service account impersonation. This would require updating the cloud-sql-proxy to version 2, which would also require changes to some of the command line arguments and handling of stdout/stderr.
Use case/motivation
We are operating a shared Google Cloud Composer environment in a single Google Cloud project, but each team is using a dedicated project for non-Airflow-related things. From the Composer service account, we delegate to project-specific service accounts via service account impersonation. This works fine for most Google Cloud Operators, but not for Cloud SQL Operators when using the Cloud SQL Proxy.
Related issues
Another issue that might be related is the option to add IAM authentication to the operator as well: #20775
Are you willing to submit a PR?
Code of Conduct
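Added example, not part of the issue and not Airflow provider code: a sketch of how a version 2 proxy command line could be assembled with the --impersonate-service-account flag instead of a key file. The helper name, its parameters, the validation patterns and the sample project, instance and account names are assumptions made for illustration.

```python
import re

# Assumed shape of a user-managed service account e-mail. Anything else is
# rejected, so the value cannot be read by the proxy as a second flag or as a
# comma-separated list of accounts.
_SA_EMAIL = re.compile(
    r"[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]"
    r"\.iam\.gserviceaccount\.com"
)
# Assumed shape of an instance connection name: project:region:instance.
_INSTANCE = re.compile(r"[a-z][a-z0-9-]+:[a-z0-9-]+:[a-z][a-z0-9-]+")


def build_proxy_v2_command(instance, port, impersonate=None, key_file=None,
                           binary="cloud-sql-proxy"):
    """Return the argv list for a cloud-sql-proxy v2 process (hypothetical helper).

    Version 1 took -instances=<name>=tcp:<port> and -credential_file=<path>;
    version 2 takes the instance as a positional argument plus long flags.
    """
    if not _INSTANCE.fullmatch(instance):
        raise ValueError(f"invalid instance connection name: {instance!r}")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    # Policy of this example only: impersonation replaces the key file.
    if impersonate and key_file:
        raise ValueError("choose impersonation or a key file, not both")

    # Listen on loopback only, so the tunnel is not reachable from other hosts.
    argv = [binary, "--address", "127.0.0.1", "--port", str(port)]
    if impersonate:
        if not _SA_EMAIL.fullmatch(impersonate):
            raise ValueError(f"invalid service account: {impersonate!r}")
        argv += ["--impersonate-service-account", impersonate]
    elif key_file:
        argv += ["--credentials-file", key_file]
    # With neither option the proxy uses Application Default Credentials.
    argv.append(instance)
    return argv


if __name__ == "__main__":
    # Constructed sample values; pass the list to subprocess without shell=True.
    print(build_proxy_v2_command(
        "team-a-project:europe-west1:orders-db", 5432,
        impersonate="sql-client@team-a-project.iam.gserviceaccount.com"))
```
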