Remediation

From Google Cloud CLI

- For PostgreSQL instances, enable IAM database authentication:

    gcloud sql instances patch {{instance-name}} \
        --database-flags=cloudsql.iam_authentication=on

- For MySQL instances, enable IAM database authentication:

    gcloud sql instances patch {{instance-name}} \
        --database-flags=cloudsql_iam_authentication=on

  Note: Setting database flags with `gcloud sql instances patch` can overwrite existing flags. Include all existing database flags that must remain configured.

- Create IAM-authenticated database users as needed:

    gcloud sql users create {{principal}} \
        --instance={{instance-name}} \
        --type=CLOUD_IAM_USER

- Grant required database privileges and Google Cloud IAM roles, including roles/cloudsql.client and roles/cloudsql.instanceUser, to the connecting principals.

- Test application and user connections before removing password-based access.
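The steps above, combined into one script as an added example (this is not part of the original page or of the Google Cloud tooling). It addresses the caveat that `--database-flags` replaces the instance's whole flag set: the script reads the current flags, selects the engine-specific IAM flag name from the page (cloudsql.iam_authentication for PostgreSQL, cloudsql_iam_authentication for MySQL), merges it into the existing list, and only then patches the instance. The flag-merging logic is pure shell and runs offline; the `enable_iam_auth` function assumes `gcloud` and `jq` are installed and that the caller has permission to describe and patch the instance, and it runs only when the script is invoked as `./script.sh --apply INSTANCE`.

```shell
#!/bin/sh
# Added example: enable Cloud SQL IAM authentication without dropping the
# instance's other database flags. Not from the original page.
set -eu

# Map a Cloud SQL databaseVersion (e.g. POSTGRES_15, MYSQL_8_0) to the IAM
# authentication flag name used by that engine.
iam_flag_for_engine() {
  case "$1" in
    POSTGRES*) echo "cloudsql.iam_authentication" ;;
    MYSQL*)    echo "cloudsql_iam_authentication" ;;
    *) echo "unsupported engine: $1" >&2; return 1 ;;
  esac
}

# merge_flags EXISTING IAM_FLAG
# EXISTING is a comma-separated name=value list (the shape --database-flags
# expects). Any existing entry for IAM_FLAG is forced to "on"; every other
# flag is kept in its original order; if IAM_FLAG is absent it is appended.
merge_flags() {
  local existing="$1" iam_flag="$2" out="" seen=0 kv
  local IFS=','
  for kv in $existing; do
    [ -z "$kv" ] && continue
    if [ "${kv%%=*}" = "$iam_flag" ]; then
      kv="$iam_flag=on"
      seen=1
    fi
    out="${out:+$out,}$kv"
  done
  [ "$seen" -eq 1 ] || out="${out:+$out,}$iam_flag=on"
  echo "$out"
}

# enable_iam_auth INSTANCE
# Reads the engine and current flags with gcloud (JSON output parsed by jq,
# both assumed to be installed), merges the IAM flag in, and patches the
# instance with the complete flag set. Password-based users are untouched;
# cut them over only after the connection tests the page recommends.
enable_iam_auth() {
  instance="$1"
  desc=$(gcloud sql instances describe "$instance" --format=json)
  engine=$(printf '%s' "$desc" | jq -r '.databaseVersion')
  existing=$(printf '%s' "$desc" \
    | jq -r '[.settings.databaseFlags[]? | "\(.name)=\(.value)"] | join(",")')
  flag=$(iam_flag_for_engine "$engine")
  merged=$(merge_flags "$existing" "$flag")
  echo "patching $instance ($engine) with flags: $merged"
  gcloud sql instances patch "$instance" --database-flags="$merged"
}

# Only touch a real instance when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
  enable_iam_auth "${2:?usage: $0 --apply INSTANCE}"
fi
```

Run `merge_flags` by hand first to confirm the flag list it will send, then `--apply` against one instance. Keep the password users in place until the IAM users created in the earlier step have been verified to connect.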