GoogleCloudPlatform/cloud-sql-go-connector

With IAM Authentication enabled, Connector does duplicate refresh


Using the Cloud SQL Proxy with debug logging enabled, you can see that the Go Connector makes two refresh operations for one connection attempt:

```
$ ./cloud-sql-proxy enocom-experiments-304623:us-central1:pg2 --debug-logs --auto-iam-authn
2024/04/15 10:26:49 Authorizing with Application Default Credentials
2024/04/15 10:26:49 [enocom-experiments-304623:us-central1:pg2] Connection info added to cache
2024/04/15 10:26:49 [enocom-experiments-304623:us-central1:pg2] Connection info refresh operation started
2024/04/15 10:26:49 [enocom-experiments-304623:us-central1:pg2] Connection info refresh operation complete
2024/04/15 10:26:49 [enocom-experiments-304623:us-central1:pg2] Current certificate expiration = 2024-04-15T17:26:49Z
2024/04/15 10:26:49 [enocom-experiments-304623:us-central1:pg2] Connection info refresh operation scheduled at 2024-04-15T17:22:49Z (now + 56m0s)
2024/04/15 10:26:49 [enocom-experiments-304623:us-central1:pg2] Listening on 127.0.0.1:5432
2024/04/15 10:26:49 The proxy has started successfully and is ready for new connections!

2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Accepted connection from 127.0.0.1:47630
2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Connection info refresh operation started
2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Connection info refresh operation complete
2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Current certificate expiration = 2024-04-15T17:26:57Z
2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Connection info refresh operation scheduled at 2024-04-15T17:22:57Z (now + 56m0s)
2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Now = 2024-04-15T16:26:58Z, Current cert expiration = 2024-04-15T17:26:57Z
2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Cert is valid = true
2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Dialing 35.238.106.212:3307
```

This is happening because the Proxy calls EngineVersion to warm the cache, but EngineVersion doesn't support a way to specify if IAM Authn is used or not, and so assumes it's not in use (the nil argument).

When the call to connection info occurs, it enables IAM auth, and causes the existing refresh to be canceled.

This will be fixed with #731 most likely.
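
An added example, not part of the issue or the connector's code: a log check that flags the pattern shown above, a refresh that starts before the time the previous refresh had scheduled. The function name `EarlyRefreshes` and the UTC-6 offset are assumptions; the offset is inferred from the log prefix `10:26:58` against the `Now = 2024-04-15T16:26:58Z` line.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Subset of the debug output quoted in the issue.
const sampleLog = `2024/04/15 10:26:49 [enocom-experiments-304623:us-central1:pg2] Connection info refresh operation started
2024/04/15 10:26:49 [enocom-experiments-304623:us-central1:pg2] Connection info refresh operation scheduled at 2024-04-15T17:22:49Z (now + 56m0s)
2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Connection info refresh operation started
2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Connection info refresh operation scheduled at 2024-04-15T17:22:57Z (now + 56m0s)`

var lineRE = regexp.MustCompile(`^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[([^\]]+)\] (.*)$`)
var schedRE = regexp.MustCompile(`^Connection info refresh operation scheduled at (\S+)`)

// EarlyRefreshes counts, per instance, refreshes that started before the time
// the previous refresh had scheduled. loc is the zone of the log prefix timestamps.
func EarlyRefreshes(log string, loc *time.Location) map[string]int {
	early, nextDue := map[string]int{}, map[string]time.Time{}
	for _, line := range strings.Split(log, "\n") {
		m := lineRE.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue // not an instance-scoped log line
		}
		ts, err := time.ParseInLocation("2006/01/02 15:04:05", m[1], loc)
		if err != nil {
			continue
		}
		inst, msg := m[2], m[3]
		if msg == "Connection info refresh operation started" {
			if due, ok := nextDue[inst]; ok && ts.Before(due) {
				early[inst]++
			}
		} else if s := schedRE.FindStringSubmatch(msg); s != nil {
			if due, err := time.Parse(time.RFC3339, s[1]); err == nil {
				nextDue[inst] = due
			}
		}
	}
	return early
}

func main() {
	// Assumed zone: UTC-6, inferred from the log as described in the lead-in.
	fmt.Println(EarlyRefreshes(sampleLog, time.FixedZone("UTC-6", -6*3600)))
}
```

This is a heuristic: an early refresh can have other causes, so a hit is a prompt to inspect the surrounding lines rather than proof of this specific bug.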