GoogleCloudPlatform/alloydb-auth-proxy

Question: alloydb-auth-proxy as a service + GKE workload identity

Closed this issue · 4 comments

Question

Hi! Sorry, this might be a dumb question, but I cannot get the alloydb-auth-proxy to work with GKE workload identity when running as a k8s service.

I have the following deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: alloydb-auth-proxy
  name: alloydb-auth-proxy
spec:
  selector:
    matchLabels:
      app: alloydb-auth-proxy
  template:
    metadata:
      labels:
        app: alloydb-auth-proxy
    spec:
      serviceAccountName: alloydb-access
      containers:
      - name: alloydb-auth-proxy
        image: us.gcr.io/alloydb-connectors/alloydb-auth-proxy:1.7.1
        ports:
        - containerPort: 5000
          protocol: TCP
        - containerPort: 5001
          protocol: TCP
        command: ["/alloydb-auth-proxy"]
        args:
        - "--auto-iam-authn"
        - "projects/{{ project }}/locations/us-west1/clusters/{{ cluster.name }}/instances/primary?port=5000"
        - "projects/{{ project }}/locations/us-west1/clusters/{{ cluster.name }}/instances/readpool?port=5001"
        - "--address=0.0.0.0"

The following k8s service:

---
apiVersion: v1
kind: Service
metadata:
  name: alloydb-auth-proxy
  namespace: alloydb-auth-proxy
spec:
  ports:
  - name: alloydb-auth-proxy-primary
    port: 5000
    protocol: TCP
    targetPort: 5000
  - name: alloydb-auth-proxy-readpool
    port: 5001
    protocol: TCP
    targetPort: 5001
  selector:
    app: alloydb-auth-proxy
  type: ClusterIP

The following k8s Service Account:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    iam.gke.io/gcp-service-account: alloydb-access@{{ project }}.iam.gserviceaccount.com
  name: alloydb-access
  namespace: alloydb-auth-proxy

The alloydb-access GCP Service Account has what I believe are the right IAM permissions:

  • Cloud AlloyDB Client
  • Service Usage Consumer

I have a user set in my DB with the alloydbiamuser IAM role and named alloydb-access@{{ project }}.iam as the documentation states:

For an IAM service account, supply the service account's address without the .gserviceaccount.com suffix. For example, to specify the service account my-service@my-project.iam.gserviceaccount.com, you would use the value my-service@my-project.iam here. 

When I try to authenticate with alloydb through the alloydb-auth-proxy service using the default postgres user, everything works like a charm; when I try to use IAM authentication, I get the following error:

# psql -h alloydb-auth-proxy -p 5000 -U alloydb-access@{{ project }}.iam
psql: error: connection to server at "alloydb-auth-proxy" (10.76.12.23), port 5000 failed: FATAL:  AlloyDB IAM user authentication failed for user "alloydb-access@{{ project }}.iam"

The alloydb.iam_authentication flag is set on my alloydb instances and I have rechecked all the bindings multiple times.

Any help will be greatly appreciated as I'm kind of lost right now.

Code

No response

Additional Details

  • I have enabled debug logs, but the alloydb-auth-proxy logs do not provide much information:

2024/03/07 03:41:58 [{{ project }}.us-west1.{{ cluster.name }}.primary] accepted connection from 10.72.6.63:38128
2024/03/07 03:42:22 [{{ project }}.us-west1.{{ cluster.name }}.primary] client closed the connection

Hi @abezard-conduit Thanks for the detailed information and great question! 😄

Because you mentioned everything works fine for the postgres user but not the IAM database user, it makes me think there might be an IAM permission missing.

The alloydb-access GCP Service Account has what I believe are the right IAM permissions:

  • Cloud AlloyDB Client
  • Service Usage Consumer

It looks like your service account may be missing the Cloud AlloyDB Database User IAM role? I would try granting it and seeing if that fixes your issue 😄

Happy to update any docs if this role fixes the issue and is missing from any pages.

Hey @jackwotherspoon!
Thanks for getting back to me.

I guess what confuses me is:

  • in this documentation it's said that the auth-proxy needs the roles/alloydb.client permissions.
  • in this documentation it's said that the DB client needs roles/alloydb.databaseUser permissions.

From what I understand, alloydb-auth-proxy is the component that takes care of authenticating and connecting to the database. Does it mean alloydb-auth-proxy needs both the roles/alloydb.client and roles/alloydb.databaseUser permissions?

Or does it mean alloydb-auth-proxy needs roles/alloydb.client and the client talking to alloydb-auth-proxy needs roles/alloydb.databaseUser?

Thanks in advance!

Hi @abezard-conduit let me try and clarify the above for you.

  • roles/alloydb.client : This role is required for all connections, when using built-in database authn (regular user and password) or IAM database authn. This role allows access to call the AlloyDB APIs to get the IP address of the instance and generate an ephemeral certificate to be used for the SSL connection.
  • roles/alloydb.databaseUser : Additional role ONLY required for IAM database authn. This role is required only for IAM database authn to allow the IAM user or service account to login to the database.

Hope this clarifies things. I'll look at the docs to see if we can improve the messaging and make things clearer in our documentation.
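The distinction above (roles/alloydb.client for every connection the proxy makes, roles/alloydb.databaseUser additionally for IAM database authentication) is easy to check offline against the output of `gcloud projects get-iam-policy PROJECT --format=json`. The script below is an added example, not code from this thread or from the alloydb-auth-proxy project. It embeds a constructed sample policy that mirrors the state described in the question (Cloud AlloyDB Client and Service Usage Consumer granted, Cloud AlloyDB Database User not), reports which roles a service account lacks for built-in versus IAM authentication, and derives the database user name from the service account email by stripping the `.gserviceaccount.com` suffix as the question quotes from the documentation. The project name, service account email and the `user:dba@example.com` member in the sample are assumptions made for the example.

```python
"""Check a project IAM policy for the roles an AlloyDB Auth Proxy service account needs.

Added example (not alloydb-auth-proxy code). Input is the JSON shape produced by
`gcloud projects get-iam-policy PROJECT --format=json`; a constructed sample is embedded.
"""
import json

# Roles named in the thread: the two the question already granted, plus the one the
# answer says is additionally required for IAM database authentication.
ROLES_ALL_CONNECTIONS = {
    "roles/alloydb.client",
    "roles/serviceusage.serviceUsageConsumer",
}
ROLES_IAM_AUTHN_ONLY = {"roles/alloydb.databaseUser"}

SA_SUFFIX = ".gserviceaccount.com"


def iam_db_username(sa_email: str) -> str:
    """Database user name for a service account: its email without .gserviceaccount.com."""
    if not sa_email.endswith(SA_SUFFIX):
        raise ValueError(f"not a service account email: {sa_email}")
    return sa_email[: -len(SA_SUFFIX)]


def _bindings(policy: dict, member: str, conditional: bool) -> set:
    roles = set()
    for binding in policy.get("bindings", []):
        has_condition = "condition" in binding
        if has_condition == conditional and member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def roles_for_member(policy: dict, member: str) -> set:
    """Unconditional roles bound to `member`."""
    return _bindings(policy, member, conditional=False)


def conditional_roles_for_member(policy: dict, member: str) -> set:
    """Roles bound to `member` only through a conditional binding. Whether a condition
    (for example a time window) holds cannot be decided offline, so these are not
    counted as granted; they are reported so the reader knows where to look."""
    return _bindings(policy, member, conditional=True)


def missing_roles(policy: dict, sa_email: str, iam_authn: bool) -> set:
    """Roles the service account still needs for the chosen authentication mode."""
    member = f"serviceAccount:{sa_email}"
    required = set(ROLES_ALL_CONNECTIONS)
    if iam_authn:
        required |= ROLES_IAM_AUTHN_ONLY
    return required - roles_for_member(policy, member)


# Constructed sample: the proxy's service account holds Client and Service Usage Consumer
# unconditionally, and Database User only under a condition (so it does not count).
SAMPLE_SA = "alloydb-access@my-project.iam.gserviceaccount.com"  # assumed name
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/alloydb.client",
     "members": ["serviceAccount:alloydb-access@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/serviceusage.serviceUsageConsumer",
     "members": ["serviceAccount:alloydb-access@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/alloydb.databaseUser",
     "members": ["user:dba@example.com"]},
    {"role": "roles/alloydb.databaseUser",
     "members": ["serviceAccount:alloydb-access@my-project.iam.gserviceaccount.com"],
     "condition": {"title": "expired", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
  ],
  "etag": "BwXyZ=",
  "version": 3
}
""")


if __name__ == "__main__":
    for mode, flag in (("built-in authn", False), ("IAM authn", True)):
        missing = missing_roles(SAMPLE_POLICY, SAMPLE_SA, iam_authn=flag)
        print(f"{mode}: {'ok' if not missing else 'missing ' + ', '.join(sorted(missing))}")
    cond = conditional_roles_for_member(SAMPLE_POLICY, f"serviceAccount:{SAMPLE_SA}")
    if cond:
        print("granted only under a condition (not counted):", ", ".join(sorted(cond)))
    print("psql -U", iam_db_username(SAMPLE_SA))
```

Run it against real output by replacing `SAMPLE_POLICY` with `json.load(open("policy.json"))`. Note that the project-level policy says nothing about the Workload Identity side of the setup (the binding on the Google service account itself that lets the annotated Kubernetes service account impersonate it); that is a separate policy and is not covered by this check.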

Hi @jackwotherspoon!

OK, that makes so much more sense. Thanks for your help.