Google Cloud SQL proxy service.
This repo creates a wrapper (entrypoint) script to be used in the Google Cloud SQL proxy container. The entrypoint.sh script autoruns when you run the docker container created using the Dockerfile in this repo. All the settings for the Cloud SQL proxy are provided using environment variables - enabling a much simplier configuration.
The image is also available in Docker Hub!
The script assumes one of three forms of service account authentication:
-
A service account json file that is mounted into the docker container either under the default path (
/etc/sqlproxy-service-account.json) or under the path specified by the environment variableCLOUDSQL_CREDENTIAL_FILE. -
A service account json string provided in the
CLOUDSQL_CREDENTIALSenvironment variable. The credentials are saved to the same path as the paramenter above (either the default/etc/sqlproxy-service-account.jsonor the path specified byCLOUDSQL_CREDENTIAL_FILE). Thus, any credentials provided by in the file specified byCLOUDSQL_CREDENTIAL_FILEwill be overwritten by the credentials provided in theCLOUDSQL_CREDENTIALSvariable. -
Using the "application" default service account. This is either the service account used to create the GCE compute instance the docker is running on or what ever the current user is authorized as if they were running it on a non-GCE host.
Remember: the service account used to create the proxy must have a role that includes the
cloudsql.instances.connectpermission. The predefined Cloud SQL roles that include this permission are:Cloud SQL Client,Cloud SQL EditorandCloud SQL Admin.
There are also two methods of setting the connection string used by the proxy.
Specify an explicit comma-separated list of one or more database connection strings in the environment variable CLOUDSQL_CONNECTION_LIST. The list must contain at least one connection string in the following format:
CLOUDSQL_INSTANCE_CONNECTION_NAME=0.0.0.0:PORT
which is equivalent to:
GOOGLE_PROJECT:CLOUDSQL_ZONE:CLOUDSQL_INSTANCE=0.0.0.0:PORT
where INSTANCE_CONNECTION_NAME is the instances connection name, which can be retrieved from the Cloud SQL Console, GOOGLE_PROJECT is Google Cloud project where the Cloud SQL instance resides, CLOUDSQL_ZONE is the instance's zone, CLOUDSQL_INSTANCE is the instance's ID name, and PORT is the TCP port number that the Cloud SQL proxy will open for connections to the instance.
Note: the port set by the
PORTenvironment variable is inside the docker container. To expose the service on a port on the host machine, thepublishoption must be used with thedocker runcommand. For exampledocker run --env PORT=$PORT -p 127.0.0.1:$HOST_PORT:$PORT ..., where$PORTcontains the container port number and$HOST_PORTcontains the host port.
By specifying all of the environment variables bellow. This method supports only a single Cloud SQL instance.
GOOGLE_PROJECT: the Google project where the instance resides.CLOUDSQL_ZONE: the instance's zone.CLOUDSQL_INSTANCE: the instance's ID name.PORT: the TCP port number that the Cloud SQL proxy will open for connections to the instance.
CLOUDSQL_MAXCONNS: the maximum number of database connections the proxy will support. The default is unlimited.CLOUDSQL_LOGGING: logging level. The default is verbose.
To build the image:
docker build . -t cloud-sql-proxyTo start the proxy:
docker run --env-file=.env -p 127.0.0.1:5432:5432 cloud-sql-proxywhere .env contains the configuration variables specified in the sections above. For example:
CLOUDSQL_CREDENTIALS={"type":"service_account", ...}
GOOGLE_PROJECT=my_project
CLOUDSQL_ZONE=us-east1
CLOUDSQL_INSTANCE=my_instance_name
PORT=5432It might be more confortable to run the proxy as a detached container (-d flag):
docker run --env-file=.env -p 127.0.0.1:5432:5432 -d cloud-sql-proxy