Skip to content
/ vault-plugin-database-cloudsql Public

Hashicorp Vault plugin to connect to CloudSQL instances with github.com/GoogleCloudPlatform/cloud-sql-go-connector

License

BSD-2-Clause license
31 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

expel-io/vault-plugin-database-cloudsql

BranchesTags

Repository files navigation

vault-plugin-database-cloudsql

This is a Hashicorp Vault database plugin to connect to CloudSQL instances with GoogleCloudPlatform/cloud-sql-go-connector.

Compatibility

  • This plugin currently only supports connecting to postgres CloudSQL instances. PRs welcome!
  • This plugin has been tested with Hashicorp Vault version 1.8.x. Stay tuned as we add support for newer Hashicorp Vault versions.

From Google Cloud's documentation:

Using the Cloud SQL Auth proxy is the recommended method for connecting to a Cloud SQL instance. See: Connect using the Cloud SQL Auth proxy

By using the cloud-sql-go-connector Hashicorp Vault is able to connect to multiple CloudSQL instances without the need for the Cloud SQL Auth Proxy.

This plugin does two things:

  1. Initializes the database driver with the cloud-sql-go-connector allowing it to connect securely with Google IAM credentials.
  2. It then defers to Hashicorp Vault's original database plugins for all database specific interactions.

NOTE: Currently support is limited to Postgres instances.

Arguments

The following plugin arguments are supported:

  • -db-type, defaults to cloudsql-postgres. This is currently the only supported database type.
  • -log-level, defaults to info
  • multiplex, defaults to true

Getting Started

1. Building the plugin

Build the plugin binary for your target architecture:

make build

2. Install the plugin binary

After the plugin is built, it must be made available to the Vault server runtime. Move the compiled plugin into Vault's configured plugin_directory:

# in the following example the `plugin_directory` is `/etc/vault/plugins`
mv vault-plugin-database-cloudsql /etc/vault/plugins/vault-plugin-database-cloudsql

3. Calculate the SHA of the plugin

# save the output of this to register your plugin on the next step
sha256sum /app/bin/plugins/vault-plugin-database-cloudsql

4. Register the plugin with terraform

After building this plugin and making it available to your Vault runtime, you can register the plugin to the plugin catalog like this:

resource "vault_generic_endpoint" "configure_custom_cloudsql_plugin" {
  path                 = "sys/plugins/catalog/database/vault-plugin-database-cloudsql"
  disable_read         = false
  disable_delete       = false
  ignore_absent_fields = true

  data_json = jsonencode({
    type    = "database"
    sha_256 = <INSERT-YOUR-BINARY-SHA>
    command = "vault-plugin-database-cloudsql"
    args = [
        "-db-type=cloudsql-postgres",
        "-log-level=info"
    ]
  })
}

For an in depth guide see our quickstart folder

Development

In order to run unit tests, run the following command:

make test

About

Hashicorp Vault plugin to connect to CloudSQL instances with github.com/GoogleCloudPlatform/cloud-sql-go-connector

Topics

prod-library

Resources

Readme

License

BSD-2-Clause license
Activity
Custom properties

Stars

31 stars

Watchers

6 watching

Forks

1 fork
Report repository

Releases 2

0.2.0 Latest
Dec 18, 2023
+ 1 release

Packages

No packages published

Contributors 5

Languages