{"id":15221949,"url":"https://github.com/googlecloudplatform/cloud-sql-iam-db-authn-groups","last_synced_at":"2025-10-20T01:30:18.230Z","repository":{"id":38058566,"uuid":"400581286","full_name":"GoogleCloudPlatform/cloud-sql-iam-db-authn-groups","owner":"GoogleCloudPlatform","description":"Example of how to enable Cloud SQL IAM Database Authentication for Groups","archived":false,"fork":false,"pushed_at":"2024-11-18T22:48:28.000Z","size":516,"stargazers_count":33,"open_issues_count":25,"forks_count":9,"subscribers_count":17,"default_branch":"main","last_synced_at":"2024-12-18T08:40:01.918Z","etag":null,"topics":["cloud-sql","iam-authentication"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GoogleCloudPlatform.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-08-27T17:04:00.000Z","updated_at":"2023-12-22T11:56:12.000Z","dependencies_parsed_at":"2024-04-18T17:00:07.752Z","dependency_job_id":null,"html_url":"https://github.com/GoogleCloudPlatform/cloud-sql-iam-db-authn-groups","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fcloud-sql-iam-db-authn-groups","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fcloud-sql-iam-db-authn-groups/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fcloud-sql-iam-db-a
uthn-groups/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fcloud-sql-iam-db-authn-groups/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GoogleCloudPlatform","download_url":"https://codeload.github.com/GoogleCloudPlatform/cloud-sql-iam-db-authn-groups/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237243005,"owners_count":19278060,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-sql","iam-authentication"],"created_at":"2024-09-28T15:09:10.919Z","updated_at":"2025-10-20T01:30:17.895Z","avatar_url":"https://github.com/GoogleCloudPlatform.png","language":"Python","readme":"# :warning: NOTE\n\nCloud SQL for MySQL 8.0+ has support for [Group IAM Authentication][group-iam-auth]. \nWe recommend all MySQL 8.0+ customers use this feature instead of the workaround here.\n\nCloud SQL for Postgres will have support for Group IAM Authentication soon.\n\nSee the [public docs][group-iam-auth] for more info.\n\n[group-iam-auth]: https://cloud.google.com/sql/docs/mysql/iam-authentication#iam-group-auth\n\n# GroupSync: Cloud SQL IAM Database Authentication for Groups\n\n**Note:** This project is experimental and is not an officially supported Google product.\n\nGroupSync is a self-deployed example app that provides support for managing [Cloud SQL IAM Database Authentication](https://cloud.google.com/sql/docs/mysql/authentication) for groups. 
GroupSync leverages [Cloud Run](https://cloud.google.com/run), [Cloud Scheduler](https://cloud.google.com/scheduler), and the [Cloud SQL Python Connector](https://github.com/googlecloudplatform/cloud-sql-python-connector) to consistently update and sync Cloud SQL instances based on IAM groups. It will create missing database IAM users, GRANT roles to database IAM users based on their IAM groups, and REVOKE roles from database IAM users no longer in IAM groups.\n\n## Supported Databases\nCurrently only the following databases are supported:\n- **MySQL 8.0**\n- **PostgreSQL 15, 14, 13, 12, 11, 10, 9.6**\n\n## Overview\nAt a high level, the GroupSync example app is made of Cloud Scheduler Job(s) and Cloud Run instance(s).\n\nThe Cloud Scheduler Job(s) are configured to run on the interval of your choosing (every 10 mins, 1 hour, daily, etc.). When run, Cloud Scheduler calls a GroupSync Cloud Run service, passing in the configured request body from the scheduler, which contains parameters that tell the service which IAM groups and which Cloud SQL instances to sync and manage.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"images/basic_architecture.png\" width=\"640\"\u003e\u003c/p\u003e\n\nThe Cloud Run service calls the required Google APIs to get a snapshot of the current IAM group(s) members and the current Cloud SQL instance(s) database users; it then adds any new IAM members who have been added to the IAM group since the last sync as an IAM database user on the corresponding Cloud SQL instances. The Cloud Run service then also verifies or creates a database role within each configured database for each configured IAM group. 
Mapping each IAM group to a database role, the service can then GRANT/REVOKE this group role with the appropriate database permissions for the IAM group to all the proper IAM database users who are missing it or should not have it based on the members of the IAM group.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"images/service_overview.png\" width=\"700\"\u003e\u003c/p\u003e\n\n## Deployment\nThere are a few initial setup steps to get the GroupSync example app ready and grant it the permissions needed in order to successfully operate. However, after this setup is complete, minimal configuration is needed in the future.\n\n### Installation\nTo run this example app successfully, please clone this repository to an environment that has the Google Cloud SDK installed and initialized. [(Install and initialize the Cloud SDK)](https://cloud.google.com/sdk/docs/install)\n\n```\ngit clone https://github.com/GoogleCloudPlatform/cloud-sql-iam-db-authn-groups\n```\n\nStep into the code directory.\n\n```\ncd cloud-sql-iam-db-authn-groups\n```\n\nMake sure the desired Google Cloud project is set. 
([Creating a project](https://cloud.google.com/resource-manager/docs/creating-managing-projects))\n\nReplace the following values:\n- `PROJECT_ID`: The Google Cloud project ID.\n```\ngcloud config set project \u003cPROJECT_ID\u003e\n```\n\n### Enabling APIs\nGroupSync requires enabling the following Cloud APIs for a successful deployment and lifecycle.\n - [Cloud Run API](https://console.cloud.google.com/apis/api/run.googleapis.com/overview)\n - [Cloud Scheduler API](https://console.cloud.google.com/apis/api/cloudscheduler.googleapis.com/overview)\n - [Cloud Build API](https://console.cloud.google.com/apis/api/cloudbuild.googleapis.com/overview)\n - [Cloud SQL Admin API](https://console.cloud.google.com/apis/api/sqladmin.googleapis.com/overview)\n - [Admin SDK API](https://console.cloud.google.com/apis/api/admin.googleapis.com/overview)\n - [IAM Service Account Credentials API](https://console.cloud.google.com/apis/api/iamcredentials.googleapis.com/overview)\n\n **Note:** If planning to use GroupSync with a Cloud SQL instance that has a Private IP, the following additional APIs need to be enabled.\n - [Serverless VPC Access API](https://console.cloud.google.com/apis/api/vpcaccess.googleapis.com)\n - [Service Networking API](https://console.cloud.google.com/apis/api/servicenetworking.googleapis.com/overview)\n\n The above APIs and Services can be manually enabled through [APIs and Services](https://console.cloud.google.com/apis/dashboard) in the cloud console or enabled all at once by running one of the below commands.\n\n Enable APIs for use during the service:\n\n ```\n gcloud services enable run.googleapis.com cloudscheduler.googleapis.com cloudbuild.googleapis.com sqladmin.googleapis.com admin.googleapis.com iamcredentials.googleapis.com\n ```\n\n Enable additional APIs if service needs connections to **Private IP** Cloud SQL instances:\n\n ```\n gcloud services enable vpcaccess.googleapis.com servicenetworking.googleapis.com\n ```\n\n### Creating the Service 
Account\nA service account must be created and granted the proper IAM permissions in order for the GroupSync service to have appropriate credentials and permissions to access APIs, IAM groups and database users.\n\nThe following commands will create a service account and grant it the proper IAM roles and permissions for the GroupSync service to run successfully.\n\nReplace the following values:\n- `SERVICE_ACCOUNT_ID`: The ID (name) for the service account.\n```\ngcloud iam service-accounts create \u003cSERVICE_ACCOUNT_ID\u003e \\\n    --description=\"IAM Groups Authn Service Account\" \\\n    --display-name=\"IAM Database Groups Authentication\"\n```\n\nGrant the new service account the following IAM roles and permissions.\n\nReplace the following values:\n- `SERVICE_ACCOUNT_ID`: The ID (name) for the service account.\n- `PROJECT_ID`: The Google Cloud project ID.\n\nThe Cloud Run Invoker role allows the service account to invoke Cloud Run and make authenticated calls from Cloud Scheduler.\n```\ngcloud projects add-iam-policy-binding \u003cPROJECT_ID\u003e \\\n    --member=\"serviceAccount:\u003cSERVICE_ACCOUNT_ID\u003e@\u003cPROJECT_ID\u003e.iam.gserviceaccount.com\" \\\n    --role=\"roles/run.invoker\"\n```\n\nCreate a custom IAM role with only the permissions needed for the service to run smoothly. 
Permissions include Cloud SQL permissions to access instances and database users, as well as a single IAM permission to generate proper OAuth2 credentials within the service for accessing IAM group members.\n```\ngcloud iam roles create IamAuthnGroups \\\n    --project=\u003cPROJECT_ID\u003e \\\n    --title=\"IAM Groups Authn\" \\\n    --description=\"Custom role for IAM DB Authn for Groups Service\" \\\n    --permissions=cloudsql.instances.connect,cloudsql.instances.get,cloudsql.instances.login,cloudsql.users.create,cloudsql.users.list,iam.serviceAccounts.signBlob\n```\n\nNow grant the custom IAM role to the service account.\n```\ngcloud projects add-iam-policy-binding \u003cPROJECT_ID\u003e \\\n    --member=\"serviceAccount:\u003cSERVICE_ACCOUNT_ID\u003e@\u003cPROJECT_ID\u003e.iam.gserviceaccount.com\" \\\n    --role=\"projects/\u003cPROJECT_ID\u003e/roles/IamAuthnGroups\"\n```\n\n#### Assigning Group Administrator Role to Service Account\nTo properly allow read-access of an organization's IAM group members (i.e. which IAM users belong within a specific IAM group) within the GroupSync service, we need to assign the Google Workspace Group Administrator Role to the service account created above. This will allow the service account to properly call the [List Members Discovery API](https://developers.google.com/admin-sdk/directory/reference/rest/v1/members/list) to keep track of the IAM members being managed through this service.\n\nTo assign the Group Administrator Role to the service account, follow these four quick steps. ([How to Assign Group Administrator Role](https://cloud.google.com/identity/docs/how-to/setup#auth-no-dwd))\n\n### Configuring IAM Groups\nThere is one step required for configuring IAM groups to be able to sync successfully with Cloud SQL instances. 
Each IAM group requires an IAM policy binding to allow its IAM users to inherit the ability to connect and log in to Cloud SQL instances when added as database users.\n\nAdd the required __Cloud SQL Instance User__ IAM policy binding through the following command or manually through the [Cloud Console](https://console.cloud.google.com/iam-admin/iam) by adding the __IAM group's email__ as the principal and selecting the __\"Cloud SQL Instance User\"__ role.\n\nReplace the following values:\n- `PROJECT_ID`: The Google Cloud project ID.\n- `IAM_GROUP_EMAIL`: The email address associated with the IAM group.\n\n```\ngcloud projects add-iam-policy-binding \u003cPROJECT_ID\u003e \\\n    --member=\"group:\u003cIAM_GROUP_EMAIL\u003e\" \\\n    --role=\"roles/cloudsql.instanceUser\"\n```\n\n**NOTE**: The above command is required for each IAM group and the binding is added at the project level. Therefore, if an IAM group is being synced with Cloud SQL instances across several different projects, the command will need to be run for each project.\n\n### Configuring Cloud SQL Instances\nGroupSync requires Cloud SQL instances to be already created and to have the `cloudsql_iam_authentication` flag turned **On**. [(See how to enable the flag here.)](https://cloud.google.com/sql/docs/mysql/create-edit-iam-instances)\n\n#### Create a database user for service\nTo properly manage the database users on each Cloud SQL instance that is configured with GroupSync, the service needs to GRANT/REVOKE database users the proper role(s) corresponding to their IAM group(s). This is achieved by creating an IAM database authenticated service account user on each instance using the service account previously created. 
This will allow the service account to authenticate to the instance(s) while running the GroupSync service through the [Cloud SQL Python Connector](https://github.com/GoogleCloudPlatform/cloud-sql-python-connector).\n\nAdd the service account as an IAM authenticated database user on each Cloud SQL instance that needs managing through IAM groups. This can be done either manually through the Google Cloud Console or through the following `gcloud` command.\n\nReplace the following values:\n- `SERVICE_ACCOUNT_EMAIL`: The email address for the service account. (**NOTE**: For Postgres instances, remove the `.gserviceaccount.com` suffix from the service account email.)\n- `INSTANCE_NAME`: The name of a Cloud SQL instance.\n```\ngcloud sql users create \u003cSERVICE_ACCOUNT_EMAIL\u003e \\\n--instance=\u003cINSTANCE_NAME\u003e \\\n--type=cloud_iam_service_account\n```\n\n#### Granting Database Permissions to the Service Account's Database User\nFor GroupSync to run smoothly, it needs the IAM service account database user to be granted several permissions on all Cloud SQL instances that the user was added to above. This allows the GroupSync service to read usernames of other database users and GRANT/REVOKE the group role(s) appropriately.\n\nConnect to all Cloud SQL instances in question with an admin user or another database user with appropriate permissions for the following commands. 
([Connecting to an Instance](https://cloud.google.com/sql/docs/mysql/connect-overview))\n\nOnce connected, grant the service account IAM database user the following permissions:\n\n#### MySQL Instance\nReplace the following values in the below commands:\n- `SERVICE_ACCOUNT_ID`: The ID (name) for the service account (everything before the **@** portion of the email).\n\nAllow the service account to read database users and their roles.\n```\nGRANT SELECT ON mysql.role_edges TO '\u003cSERVICE_ACCOUNT_ID\u003e';\n```\n\nAllow the service account to **CREATE** group roles for IAM groups if they are missing.\n```\nGRANT CREATE ROLE ON *.* TO '\u003cSERVICE_ACCOUNT_ID\u003e';\n```\n\nAllow the service account to **GRANT/REVOKE** roles to users by holding the **ROLE_ADMIN** privilege.\n```\nGRANT ROLE_ADMIN ON *.* TO '\u003cSERVICE_ACCOUNT_ID\u003e';\n```\n\n#### PostgreSQL Instance\nPostgres allows a role or user to be granted the **CREATE** and **GRANT/REVOKE** permissions needed for creating and managing the group roles for IAM groups with a single command.\n\nReplace the following values:\n- `SERVICE_ACCOUNT_EMAIL`: The email address for the service account with the `.gserviceaccount.com` suffix removed.\n```\nALTER ROLE \"\u003cSERVICE_ACCOUNT_EMAIL\u003e\" WITH CREATEROLE;\n```\n\n## Deploying to Cloud Run\nTo build and deploy the service to Cloud Run, run the following commands:\n\nBuild the container image for the service using Cloud Build:\n\nReplace the following values:\n- `PROJECT_ID`: The Google Cloud project ID.\n```\ngcloud builds submit \\\n  --tag gcr.io/\u003cPROJECT_ID\u003e/iam-db-authn-groups \\\n  --project \u003cPROJECT_ID\u003e\n```\n\nDeploy the Cloud Run service from the container image:\n\nReplace the following values:\n- `SERVICE_ACCOUNT_EMAIL`: The email address for the service account created above.\n- `PROJECT_ID`: The Google Cloud project ID.\n```\ngcloud run deploy iam-db-authn-groups \\\n  --image gcr.io/\u003cPROJECT_ID\u003e/iam-db-authn-groups \\\n  --no-allow-unauthenticated \\\n  --service-account \u003cSERVICE_ACCOUNT_EMAIL\u003e \\\n  --project \u003cPROJECT_ID\u003e\n```\n\nYou should now successfully have a Cloud Run service deployed under the name `iam-db-authn-groups`. The service URL is printed by the `gcloud` command above but can also be found in the [Cloud Console](https://console.cloud.google.com/run).\n\n## Configuring Cloud Scheduler\nCloud Scheduler can be used to invoke the Cloud Run service on a regular interval and continuously sync the Cloud SQL instance database users and appropriate database permissions with the given IAM groups. Cloud Scheduler is used to manage and configure multiple mappings between different **Cloud SQL Instances** and **IAM groups** while only needing a single Cloud Run service (for public IP connections).\n\n### Configuring Your Payload\nEach Cloud Scheduler Job requires a JSON payload to tell it which IAM Groups and Cloud SQL instances to sync, and an optional flag to toggle between public or private IP database connections (defaults to public IP).\n\nAn example JSON payload:\n```\n{\n    \"iam_groups\": [\"group@test.com\", \"group2@test.com\"],\n    \"sql_instances\": [\"project:region:instance\"],\n    \"group_roles\": {\n        \"group@test.com\": \"engineering\",\n        \"group2@test.com\": \"accounting\"\n    },\n    \"private_ip\": false\n}\n```\nWhere:\n- **iam_groups**: List of all IAM Groups to manage IAM database users of.\n- **sql_instances**: List of all Cloud SQL instances to configure.\n- **group_roles** (optional): Dictionary of IAM group emails as keys and group database\n    role names as values. The group database role name is the database role\n    that will be granted/revoked within GroupSync to each member of the\n    corresponding IAM group. 
Group role names default to the IAM group email\n    without the domain (everything before the @, e.g. \"iam-group@test.com\"\n    would have a default group role name of \"iam-group\").\n- **private_ip** (optional): Boolean flag for private or public IP addresses.\n\n**Note:** These are placeholder values and should be replaced with proper IAM groups and Cloud SQL instance connection names.\n\nThere is an additional optional parameter `\"log_level\"` for the JSON payload which can be set to one of `\"INFO\"`, `\"DEBUG\"`, `\"WARNING\"`, or `\"ERROR\"` to change the severity of the emitted logs. Defaults to `\"INFO\"` when not specified.\n\nIt is recommended to save your JSON payload as a `.json` file (ex. \"config.json\").\n\n### Creating a Cloud Scheduler Job\nAn example command creating a Cloud Scheduler job to call the Cloud Run service to sync IAM groups and Cloud SQL instances can be seen below.\n\n**NOTE:** If an error occurs mentioning \"...does not contain App Engine application\", simply run `gcloud app create` and try running the command again.\n\nReplace the following values:\n- `JOB_NAME`: The name for the Cloud Scheduler job.\n- `SERVICE_URL`: The service URL of the Cloud Run service.\n- `SERVICE_ACCOUNT_EMAIL`: The email address for the service account created above.\n- `PATH_TO_PAYLOAD`: Path to payload JSON file.\n```\ngcloud scheduler jobs create http \\\n    \u003cJOB_NAME\u003e \\\n    --schedule=\"*/10 * * * *\" \\\n    --uri=\"\u003cSERVICE_URL\u003e/run\" \\\n    --oidc-service-account-email=\"\u003cSERVICE_ACCOUNT_EMAIL\u003e\" \\\n    --http-method=\"PUT\" \\\n    --headers=Content-Type=\"application/json\" \\\n    --message-body-from-file=\"\u003cPATH_TO_PAYLOAD\u003e\"\n```\n\nThe `--schedule` flag is what controls how often the Cloud Scheduler job will trigger the Cloud Run service endpoint. In the command above it is set to `*/10 * * * *`, which will cause it to trigger every 10 minutes. 
See [Configuring Cron Job Schedules](https://cloud.google.com/scheduler/docs/configuring/cron-job-schedules) on how to format the schedule for different time intervals or [Cron Guru](https://crontab.guru/) to play around with schedule formats.\n\nThe payload for the PUT request to the Cloud Run service can also be configured for Cloud Scheduler directly through a command line flag by switching out the `--message-body-from-file` flag for the flag `--message-body` from the command above as follows (the JSON is wrapped in single quotes so the shell passes its double quotes through unchanged).\n```\n--message-body='{\"iam_groups\": [\"group@test.com\", \"group2@test.com\"], \"sql_instances\": [\"project:region:instance\"], \"private_ip\": false}'\n```\n\nTo learn more about the different Cloud Scheduler flags, read the [official documentation](https://cloud.google.com/sdk/gcloud/reference/scheduler/jobs/create/http).\n\n## Granting Database Permissions to IAM Group Database Roles\nThe Cloud Run service maps each IAM group configured in the JSON payload into a [database role](https://dev.mysql.com/doc/refman/8.0/en/roles.html) on each Cloud SQL instance configured. This database role is then granted to the proper database users that belong to the IAM group, giving them the appropriate database privileges for the IAM group.\n\nThe name of the mapped IAM group database role is the IAM group's email with everything from the **\"@\"** sign onward removed.\n(Ex. IAM group with email \"example-group@test.com\" would map to a database role **\"example-group\"** on each Cloud SQL instance it is configured with.)\n\nThe Cloud Run service verifies that a group role exists or creates one on the database if it does not exist. 
It is recommended to configure the Cloud Scheduler job(s) and, after they have triggered **at least** once, have a Database Administrator or project admin verify the creation of the group roles and **GRANT** the group roles the appropriate privileges on each Cloud SQL instance; those privileges are then inherited by the database users of those IAM groups on all subsequent Cloud Scheduler runs.\n\nTo verify the creation of group roles after Cloud Scheduler has triggered at least once, the following command can be run for **MySQL** instances (**PostgreSQL** instances require connecting to the database to verify):\n\nReplace the following values:\n- `INSTANCE_NAME`: The name of a Cloud SQL instance that was configured in the Cloud Scheduler JSON payload.\n```\ngcloud sql users list --instance=\u003cINSTANCE_NAME\u003e\n```\nThe above command should return a list of all database users on the configured instance, with the **new** group role(s) showing up within the list.\n\n**NOTE:** It is up to a Database Administrator or project admin to configure the proper privileges on each group role. GroupSync will then grant or revoke each group role, and with it those privileges, to the proper database users.\n\n## Running Service with Private IP Cloud SQL Connections\nGroupSync does work for Private IP database connections; however, there are some additional configurations needed and some limitations to mention.\n\nTo run the GroupSync service with Private IP, first make sure all Cloud SQL instances that are going to be connected to have a Private IP address configured. 
([Configure Private IP for Cloud SQL](https://cloud.google.com/sql/docs/mysql/configure-private-ip))\n\nPrivate IP Cloud SQL instance(s) should be connected to a [VPC Network](https://cloud.google.com/vpc/docs/using-vpc) which can be accessed securely via Cloud Run using [Serverless VPC Access](https://console.cloud.google.com/networking/connectors), which creates a VPC Connector.\n\nThis VPC Connector can be attached to the Cloud Run service previously created to allow Private IP connections to the Cloud SQL instances on the **same VPC Network**.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"images/private_ip_architecture.png\" width=\"640\"\u003e\u003c/p\u003e\n\nUpdate the Cloud Run service with a VPC Connector.\n\nReplace the following values:\n- `CONNECTOR_NAME`: The name for the VPC Connector on the same VPC network as the Cloud SQL instance(s) with Private IP addresses.\n```\ngcloud run services update iam-db-authn-groups --vpc-connector \u003cCONNECTOR_NAME\u003e\n```\n\n**NOTE:** Private IP connections require that the Cloud SQL instance and the Cloud Run service be connected to the same VPC Network to work correctly.\n\n## Custom Configurations\nMultiple Cloud Scheduler and Cloud Run configurations are possible, depending on the Cloud SQL instance to IAM Group mappings required along with the IP address types being used to connect to instances.\n\nA Cloud Scheduler job defines which IAM group(s), and hence which IAM users, have their permissions managed on any given Cloud SQL instance(s). When configuring a Cloud Scheduler job, all IAM groups listed in the JSON body will be mapped to all Cloud SQL instances in the JSON body. 
Therefore, for custom configurations where certain IAM groups need to be mapped to one instance, and other IAM groups to a different Cloud SQL instance, the solution is to deploy multiple Cloud Scheduler jobs.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"images/custom_config.png\" width=\"700\"\u003e\u003c/p\u003e\n\nA single Cloud Run service can be used for multiple Cloud Scheduler jobs across an organization's different Google Cloud projects as long as they allow Public IP connections.\n\n### Private IP Configurations\n**NOTE:** For custom configurations with Private IP connections, multiple Cloud Run services may be required. Since Private IP configurations require the Cloud Run service and Cloud SQL instances to be connected to the same VPC network, a different Cloud Run service will be needed for each project that has its own VPC network.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"images/private_custom_config.png\" width=\"640\"\u003e\u003c/p\u003e\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgooglecloudplatform%2Fcloud-sql-iam-db-authn-groups","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgooglecloudplatform%2Fcloud-sql-iam-db-authn-groups","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgooglecloudplatform%2Fcloud-sql-iam-db-authn-groups/lists"}