
Commit 02a23ee

chore: update README.md to add service account impersonation example
1 parent 35353da commit 02a23ee

1 file changed

Lines changed: 25 additions & 1 deletion

README.md
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ The Cloud SQL Auth Proxy has support for:
2222
- [Automatic IAM Authentication][iam-auth] (Postgres and MySQL only)
2323
- Metrics ([Cloud Monitoring][], [Cloud Trace][], and [Prometheus][])
2424
- [HTTP Healthchecks][health-check-example]
25-
- Service account impersonation
25+
- [Service account impersonation](#configuring-service-account-impersonation)
2626
- Separate Dialer functionality released as the [Cloud SQL Go Connector][go connector]
2727
- Configuration with [environment variables](#config-environment-variables)
2828
- Fully POSIX-compliant flags
@@ -343,6 +343,30 @@ query param:
343343
> ./cloud-sql-proxy --unix-socket C:\cloudsql myproject:my-region:mysql
344344
> ```
345345

346+
### Configuring Service Account Impersonation
347+
348+
The Proxy supports [service account impersonation](https://cloud.google.com/iam/docs/impersonating-service-accounts).
349+
This allows the Proxy to act as a different service account, which can be useful
350+
for granting access to resources that are not accessible to the default service
351+
account.
352+
353+
To use service account impersonation, you must have the
354+
`iam.serviceAccounts.getAccessToken` permission on the service account you want
355+
to impersonate. You can grant this permission by assigning the
356+
`roles/iam.serviceAccountTokenCreator` role to the principal running the Proxy.
357+
358+
Note: The service account must have Cloud SQL Instance User, Service Usage Consumer and Cloud SQL Client permissions.
359+
360+
To impersonate a service account, use the `--impersonate-service-account` flag:
361+
362+
```shell
363+
# Starts a listener on localhost:5432 and impersonates the service account
364+
# "my-other-sa@my-project.iam.gserviceaccount.com".
365+
# The Proxy will use the credentials of the principal running the Proxy to
366+
# generate a short-lived access token for the impersonated service account.
367+
./cloud-sql-proxy --impersonate-service-account my-other-sa@my-project.iam.gserviceaccount.com <INSTANCE_CONNECTION_NAME>
368+
```
369+
346370
### Configuring IAM Database Authentication
347371

348372
The Proxy supports [Automatic IAM Database Authentication][iam-auth] for MySQL
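Review bot: The "Note:" at new line 358 is imprecise in two ways that matter to someone actually setting this up: it lists role display names (Cloud SQL Instance User, Service Usage Consumer, Cloud SQL Client) but calls them "permissions", and it never says which service account it is talking about; since the paragraph right above is about the principal running the Proxy, state explicitly that these roles belong on the impersonated service account, and use the `roles/...` identifiers the same way line 356 already does (`roles/cloudsql.client`, `roles/cloudsql.instanceUser`, `roles/serviceusage.serviceUsageConsumer`) so the reader can paste them into an IAM binding. Related least-privilege point at line 356: describe the `roles/iam.serviceAccountTokenCreator` grant as a binding on the target service account itself rather than on the project, otherwise the principal running the Proxy can mint tokens for every service account in that project. Two smaller items in the shell example: the comment on line 363 promises a listener on localhost:5432, but the command passes no `--port` and nothing says the instance is Postgres, so either add `--port 5432` to the command or drop the port from the comment; and `<INSTANCE_CONNECTION_NAME>` is inconsistent with the concrete `myproject:my-region:mysql` form used in the neighbouring example at line 343.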
