Google Cloud SQL proxy service.
This repo creates a wrapper (entrypoint) script to be used in the Google Cloud SQL proxy container. The `entrypoint.sh` script runs automatically when you run the Docker container created using the Dockerfile in this repo. All the settings for the Cloud SQL proxy are provided using environment variables, enabling a much simpler configuration.
The image is also available in Docker Hub!
The script assumes one of three forms of service account authentication:
- A service account JSON file that is mounted into the Docker container either under the default path (`/etc/sqlproxy-service-account.json`) or under the path specified by the environment variable `CLOUDSQL_CREDENTIAL_FILE`.
- A service account JSON string provided in the `CLOUDSQL_CREDENTIALS` environment variable. The credentials are saved to the same path as the parameter above (either the default `/etc/sqlproxy-service-account.json` or the path specified by `CLOUDSQL_CREDENTIAL_FILE`). Thus, any credentials provided in the file specified by `CLOUDSQL_CREDENTIAL_FILE` will be overwritten by the credentials provided in the `CLOUDSQL_CREDENTIALS` variable.
- The "application" default service account. This is either the service account used to create the GCE compute instance the container is running on or whatever the current user is authorized as if they are running it on a non-GCE host.
Remember: the service account used to create the proxy must have a role that includes the `cloudsql.instances.connect` permission. The predefined Cloud SQL roles that include this permission are: Cloud SQL Client, Cloud SQL Editor and Cloud SQL Admin.
There are also two methods of setting the connection string used by the proxy.
Specify an explicit comma-separated list of one or more database connection strings in the environment variable `CLOUDSQL_CONNECTION_LIST`. The list must contain at least one connection string in the following format:
CLOUDSQL_INSTANCE_CONNECTION_NAME=0.0.0.0:PORT
which is equivalent to:
GOOGLE_PROJECT:CLOUDSQL_ZONE:CLOUDSQL_INSTANCE=0.0.0.0:PORT
where `INSTANCE_CONNECTION_NAME` is the instance's connection name, which can be retrieved from the Cloud SQL Console, `GOOGLE_PROJECT` is the Google Cloud project where the Cloud SQL instance resides, `CLOUDSQL_ZONE` is the instance's zone, `CLOUDSQL_INSTANCE` is the instance's ID name, and `PORT` is the TCP port number that the Cloud SQL proxy will open for connections to the instance.
Note: the port set by the `PORT` environment variable is inside the Docker container. To expose the service on a port on the host machine, the `publish` option must be used with the `docker run` command. For example `docker run --env PORT=$PORT -p 127.0.0.1:$HOST_PORT:$PORT ...`, where `$PORT` contains the container port number and `$HOST_PORT` contains the host port.
By specifying all of the environment variables below. This method supports only a single Cloud SQL instance.
- `GOOGLE_PROJECT`: the Google project where the instance resides.
- `CLOUDSQL_ZONE`: the instance's zone.
- `CLOUDSQL_INSTANCE`: the instance's ID name.
- `PORT`: the TCP port number that the Cloud SQL proxy will open for connections to the instance.

- `CLOUDSQL_MAXCONNS`: the maximum number of database connections the proxy will support. The default is unlimited.
- `CLOUDSQL_LOGGING`: logging level. The default is verbose.
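
The credential precedence and the two ways of setting the connection string described above, written out as an added example; this is not the repo's `entrypoint.sh`. The function names `resolve_credentials` and `resolve_instances`, the owner-only file mode and the validation of each entry are assumptions.

```sh
#!/bin/sh
# Added example, not the repo's entrypoint.sh; function names are hypothetical.

# Select the credential source in the order the README describes and print it.
resolve_credentials() {
    cred_file="${CLOUDSQL_CREDENTIAL_FILE:-/etc/sqlproxy-service-account.json}"
    if [ -n "${CLOUDSQL_CREDENTIALS:-}" ]; then
        # The JSON string replaces whatever is mounted at the credential path.
        # Assumption: keep the key file owner-only (0600); the README does not
        # say which mode the real script uses.
        ( umask 077; printf '%s\n' "$CLOUDSQL_CREDENTIALS" > "$cred_file" ) \
            && chmod 600 "$cred_file" || return 1
        echo "json-string"
    elif [ -f "$cred_file" ]; then
        echo "json-file"
    else
        echo "application-default"
    fi
}

# Print the instance list: CLOUDSQL_CONNECTION_LIST when set, otherwise a
# single entry built from the four per-instance variables.
resolve_instances() {
    list="${CLOUDSQL_CONNECTION_LIST:-}"
    if [ -z "$list" ]; then
        if [ -z "${GOOGLE_PROJECT:-}" ] || [ -z "${CLOUDSQL_ZONE:-}" ] ||
           [ -z "${CLOUDSQL_INSTANCE:-}" ] || [ -z "${PORT:-}" ]; then
            echo "set CLOUDSQL_CONNECTION_LIST or all four instance variables" >&2
            return 1
        fi
        list="${GOOGLE_PROJECT}:${CLOUDSQL_ZONE}:${CLOUDSQL_INSTANCE}=0.0.0.0:${PORT}"
    fi
    # Reject malformed entries before they reach the proxy command line.
    old_ifs=$IFS; IFS=,
    for entry in $list; do
        IFS=$old_ifs
        port=${entry##*:}
        if ! printf '%s\n' "$entry" |
                grep -Eq '^[^:=,]+:[^:=,]+:[^:=,]+=0\.0\.0\.0:[0-9]{1,5}$' ||
           [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "invalid connection string: $entry" >&2
            return 1
        fi
    done
    IFS=$old_ifs
    echo "$list"
}
```
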
To build the image:
docker build . -t cloud-sql-proxy
To start the proxy:
docker run --env-file=.env -p 127.0.0.1:5432:5432 cloud-sql-proxy
where `.env` contains the configuration variables specified in the sections above. For example:
CLOUDSQL_CREDENTIALS={"type":"service_account", ...}
GOOGLE_PROJECT=my_project
CLOUDSQL_ZONE=us-east1
CLOUDSQL_INSTANCE=my_instance_name
PORT=5432
It might be more comfortable to run the proxy as a detached container (`-d` flag):
docker run --env-file=.env -p 127.0.0.1:5432:5432 -d cloud-sql-proxy