Hello,
We have a mature developer platform where everything is defined as code, and deployed through automated pipelines. We are about to adopt Postgres, and it seems like defining granular IAM permissions as code is only possible to do at the instance level, not at the database / schema level.
We would like to minimize the amount of instances that we employ due to costs, but now we are struggling to find ways to grant service accounts POLP privileges to databases within an instance.
Does anyone have a good solution for this? At the moment the best idea we have come up with is to use a tool called flyway to implement the roles via CI. For us, the ideal solution would be for configconnector / terraform to support access management at the database level, not just at the instance level.
Managing granular IAM permissions in Google Cloud SQL, specifically for PostgreSQL, can be challenging due to Cloud SQL's current IAM capabilities being limited to instance-level permissions. However, several strategies and tools can help you achieve the principle of least privilege (POLP) within your databases while maintaining a code-defined, automated deployment process.
SQL Roles and Grants:
External Tools:
Database User Management Services:
Advanced IAM with VPC Service Controls:
Custom Automation Scripts:
User | Count |
---|---|
1 | |
1 | |
1 | |
1 | |
1 |