Cutting down permissions to a minimum #362

Closed
consideRatio opened this issue Mar 16, 2020 · 9 comments · Fixed by #621

Labels: priority: p2 Moderately-important priority. Fix may not be included in next release. type: docs Improvement to the documentation for an API.

Comments

@consideRatio

consideRatio commented Mar 16, 2020

I've been using the cloudsql-proxy for a while, and wonder if perhaps I've given it too many permissions? Google Cloud Console recommended that I cut down my permissions from all of the permissions of a "Cloud SQL Admin" to cloudsql.instances.connect and cloudsql.instances.get as given to the "Cloud SQL Client" role. Could this be enough? I only know that during the last 89 days it has been enough, and my proxy has restarted in this time frame as well.

image

The permissions below are "Cloud SQL Admin" permissions that we would lose by downgrading to the "Cloud SQL Client" role, which was recommended by the GCP platform based on me not using them anyhow:

cloudsql.backupRuns.create
cloudsql.backupRuns.delete
cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.create
cloudsql.databases.delete
cloudsql.databases.get
cloudsql.databases.list
cloudsql.databases.update
cloudsql.instances.addServerCa
cloudsql.instances.clone
cloudsql.instances.create
cloudsql.instances.delete
cloudsql.instances.demoteMaster
cloudsql.instances.export
cloudsql.instances.failover
cloudsql.instances.import
cloudsql.instances.list
cloudsql.instances.listServerCas
cloudsql.instances.promoteReplica
cloudsql.instances.resetSslConfig
cloudsql.instances.restart
cloudsql.instances.restoreBackup
cloudsql.instances.rotateServerCa
cloudsql.instances.startReplica
cloudsql.instances.stopReplica
cloudsql.instances.truncateLog
cloudsql.instances.update
cloudsql.sslCerts.create
cloudsql.sslCerts.createEphemeral
cloudsql.sslCerts.delete
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.create
cloudsql.users.delete
cloudsql.users.list
cloudsql.users.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Reference

About the predefined roles "Cloud SQL Admin" and "Cloud SQL Client": https://cloud.google.com/sql/docs/mysql/project-access-control

@consideRatio consideRatio changed the title Limited permissions Cutting down permissions to a minimum Mar 16, 2020
@kurtisvg
Contributor

The Cloud SQL Client is a role specifically designed for use with the Cloud SQL proxy. Do you have a specific page where we are recommending the Cloud SQL Admin role over Cloud SQL Client? In general we try to follow the principle of least privilege, and recommend only what the user needs.

@kurtisvg kurtisvg added the type: question Request for information or clarification. label Mar 23, 2020
@consideRatio
Author

The Cloud SQL Client is a role specifically designed for use with the Cloud SQL proxy.

@kurtisvg thanks for your response and clarification!

I'm not sure how it is recommended to be configured, but there is this section in the README.md of this repo that I don't fully understand:

When the proxy authenticates under the default service account of the Compute Engine VM it is running on, the VM must have at least the sqlservice.admin API scope ("https://www.googleapis.com/auth/sqlservice.admin") and the associated project must have the SQL Admin API enabled. The default service account must also have at least WRITER/EDITOR privileges to any projects of target SQL instances.

Hmmm... I figure we need to consider multiple service accounts, and these are the two I think of at the moment. Do I get this right, and does this cover the discussion?

  1. The proxy's credentials. These I think should be only given the right to connect by having a Cloud SQL Client role.
  2. The user of the proxy's credentials against the database. I'm thinking for example postgresql instance user and password.

@kurtisvg
Contributor

I think so, but let me clarify a bit (because I think we've overloaded the term "service account"). There are two different layers of auth you have to deal with:

  1. Authorization to connect to the Cloud SQL instance (this is on the Cloud SQL side)
  2. Authorization to access a database on the instance (this is on the database engine side)

No1 requires you (or a service account acting on your behalf) to have the correct IAM permissions (which is the Cloud SQL Client role or higher) for the project you are trying to connect to.

No2 requires a valid database user (and usually password) and is handled between the database and application itself.

@consideRatio
Author

consideRatio commented Mar 23, 2020

@kurtisvg thanks again for the clarification! Are these statements from this project's README.md file perhaps outdated then?

When the proxy authenticates under the default service account of the Compute Engine VM it is running on, the VM must have at least the sqlservice.admin API scope ("https://www.googleapis.com/auth/sqlservice.admin") and the associated project must have the SQL Admin API enabled.

I'm thinking that the associated project may need to have the SQL administrative API enabled, but the requester should not need any admin permissions when interacting with it, only the Cloud SQL Client role's associated permissions.

@kurtisvg
Contributor

I think you are confusing the Cloud SQL Admin IAM role with the Cloud SQL Admin API.

The Cloud SQL Admin API is the name of the API that allows you to administer Cloud SQL resources in a project. It does things like create, modify, and delete Cloud SQL instances. This API needs to be enabled in your project.

The Cloud SQL Client and Cloud SQL Admin IAM roles give users certain permissions on the Cloud SQL Admin API. For example, the Cloud SQL Client gives the sqladmin.create and sqladmin.get permissions, which means a user with this IAM role can only use those two calls. The Cloud SQL Admin is more of an administrative role, which gives users more authority to delete and create new instances.

In order to use the Cloud SQL proxy, you need to have both enabled the Cloud SQL Admin API and have the correct IAM permissions (Cloud SQL Client or greater).

@consideRatio
Author

The default service account must also have at least WRITER/EDITOR privileges to any projects of target SQL instances.

Pieces are falling into place! But this sentence remains confusing. What is meant to be stated by this sentence? It sounds to me like it claims the GCP Service Account used by the proxy needs more privileges than a Cloud SQL Client role can provide.

@kurtisvg
Contributor

I agree that sentence doesn't make sense - it's possible that it was added before the Client role was added, and probably should be updated.

@kurtisvg kurtisvg added type: docs Improvement to the documentation for an API. and removed type: question Request for information or clarification. labels Mar 23, 2020
@consideRatio
Author

My understanding summarized

  1. The cloudsql-proxy relies on an API called the Cloud SQL API (a.k.a. sqladmin.googleapis.com in gcloud). Therefore, it needs to be enabled on the GCP project with a Cloud SQL instance running that the cloudsql-proxy is meant to proxy traffic to.
  2. The cloudsql-proxy needs to use credentials that are coupled with the role Cloud SQL Client in the project where the Cloud SQL instance is running. It will rely on this role's permissions, called cloudsql.instances.connect and cloudsql.instances.get.

The current sentence in the README.md is:

When the proxy authenticates under the default service account of the Compute Engine VM it is running on, the VM must have at least the sqlservice.admin API scope ("https://www.googleapis.com/auth/sqlservice.admin") and the associated project must have the SQL Admin API enabled. The default service account must also have at least WRITER/EDITOR privileges to any projects of target SQL instances.

  • The sqlservice.admin API scope relates to content here: https://cloud.google.com/sql/docs/mysql/admin-api, and I think it is irrelevant and wrong to discuss in the README.
  • The "Cloud SQL API" needs to be enabled, not the "SQL Admin API".
  • There is no need to have WRITER/EDITOR privileges for anything, only the "Cloud SQL Client" role and its associated permissions cloudsql.instances.connect and .get.

@kurtisvg
Contributor

This refers to the access scope required when using the Compute service account.

  • The "Cloud SQL API" needs to be enabled, not the "SQL Admin API".

These are both referring to the same thing, but its "official" name is "Cloud SQL Admin API". I filed an internal bug for the resource you linked above to correct the title.

  • There is no need to have WRITER/EDITOR privileges for anything, only the "Cloud SQL Client" role and its associated permissions cloudsql.instances.connect and .get.

These are the minimum required, but if you happen to have one of the other roles

As an aside, we have a new "how-to" page in the works from the docs side that will largely replace the instructions in the README.
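The prerequisites the thread settles on (API enabled, Cloud SQL Client role rather than Admin, and the sqlservice.admin scope only when the proxy runs as the Compute Engine default service account) can be encoded as a simple audit over the output of the usual gcloud inventory commands. This is an added example written for this page, not code from cloudsql-proxy or from the people in the thread; the policy, member and scope values are constructed, and treating the cloud-platform scope as satisfying the scope check is an assumption.

```python
"""Prerequisite and least-privilege check for a Cloud SQL proxy identity.

Added example for this thread (not part of cloudsql-proxy). It checks:
  1. the Cloud SQL Admin API (sqladmin.googleapis.com) is enabled,
  2. the proxy's member holds roles/cloudsql.client; roles/cloudsql.admin
     also connects but is flagged as more than the proxy needs,
  3. only when the Compute Engine default service account is used, the VM
     carries the sqlservice.admin access scope.
All inputs are constructed; the "bindings" layout mirrors the JSON output of
`gcloud projects get-iam-policy`.
"""

SQLADMIN_API = "sqladmin.googleapis.com"
SQL_SCOPE = "https://www.googleapis.com/auth/sqlservice.admin"
# Assumption: the broad cloud-platform scope also satisfies the scope check.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
MINIMAL_ROLE = "roles/cloudsql.client"        # grants instances.connect / .get
BROADER_ROLES = {"roles/cloudsql.admin"}      # connects too, but over-privileged

def check_proxy_prereqs(enabled_apis, policy, member, compute_default_sa, vm_scopes):
    """Return a list of findings; an empty list means the setup is minimal and complete."""
    findings = []
    if SQLADMIN_API not in enabled_apis:
        findings.append(f"enable {SQLADMIN_API} in the instance's project")
    roles = {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}
    if MINIMAL_ROLE in roles:
        pass  # exactly what the proxy needs, regardless of what else is bound
    elif roles & BROADER_ROLES:
        findings.append(f"{member} holds {sorted(roles & BROADER_ROLES)}; {MINIMAL_ROLE} is sufficient")
    else:
        findings.append(f"grant {MINIMAL_ROLE} to {member}")
    # The access scope only matters for the Compute Engine default service account.
    if compute_default_sa and not {SQL_SCOPE, CLOUD_PLATFORM_SCOPE} & set(vm_scopes):
        findings.append(f"VM access scopes must include {SQL_SCOPE}")
    return findings

# Constructed sample: the default compute SA was granted Admin (as in the issue)
# and the VM was created without the sqlservice.admin scope.
PROXY_SA = "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/cloudsql.admin", "members": [PROXY_SA, "user:dba@example.com"]},
    {"role": "roles/logging.logWriter", "members": [PROXY_SA]},
]}
SAMPLE_SCOPES = ["https://www.googleapis.com/auth/logging.write"]

if __name__ == "__main__":
    for finding in check_proxy_prereqs([SQLADMIN_API], SAMPLE_POLICY, PROXY_SA, True, SAMPLE_SCOPES):
        print("-", finding)
```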

@enocom enocom added the priority: p2 Moderately-important priority. Fix may not be included in next release. label Feb 9, 2021
@enocom enocom self-assigned this Feb 9, 2021
enocom added a commit that referenced this issue Feb 18, 2021
This commit cleans up the project README and consolidates all additional
documentation into the docs folder.

Fixes #362.
Fixes #599.
enocom added a commit that referenced this issue Feb 25, 2021
This commit cleans up the project README and cleans up the message
printed by the `-help` flag.

Fixes #362.
Fixes #599.
Fixes #498.
Fixes #401.
gcf-merge-on-green bot pushed a commit that referenced this issue Feb 26, 2021
This commit cleans up the project README and consolidates all additional
documentation into the docs folder.

Fixes #362.
Fixes #599.
Fixes #498.
Fixes #401.