How to use cloud-sql-proxy manually using --login-token, --token and --auto-iam-authn?

Question

Even though the user (not a service account) already have the Cloud SQL Client roles/cloudsql.client and Cloud SQL Instance User roles/cloudsql.instanceUser, the IAM account is added to the database instance (which is the user email), when using cloud-sql-proxy fails with

FATAL: empty password returned by client

The current command is:

docker run --rm --network=host gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.6.1 --address 0.0.0.0 --port 5432 --token=$(gcloud auth print-access-token) $(gcloud sql instances describe MY_INSTANCE --format='value(connectionName)')

The log says:

2023/09/15 18:53:56 Authorizing with OAuth2 token
2023/09/15 18:53:57 [MY_ORG:us-central1:MY_INSTANCE] Listening on [::]:5432
2023/09/15 18:53:57 The proxy has started successfully and is ready for new connections!

It connects but gives the FATAL error described before. What is the correct command for it to work?

Answer 1

The proper way to do this is by providing 2 additional parameters to the docker run arguments:

docker run --rm --network=host gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.6.1 \
  --address 0.0.0.0 \
  --port 5432 \
  --token=$(gcloud auth print-access-token) \
  --login-token=$(gcloud sql generate-login-token) \
  --auto-iam-authn \
  $(gcloud sql instances describe MY_INSTANCE --format='value(connectionName)')

You can now connect to it without using any password. Just connect to localhost:5432 and you should be able to access.