I'm trying to follow the docs for setting up the IAM postgres integration with cloudsql: https://cloud.google.com/sql/docs/postgres/create-manage-iam-users#grant-db-privileges
But this is tripping me up. I create a user like this: gcloud alpha sql users create [email protected] --instance=myserver --type=cloud_iam_service_account --project myproject
I can log in as the user, but this postgres user has like superuser levels of access. I can connect to any DB and perform CRUD on any DB. The docs seem to imply this should not be: "Before a user or service account can connect to a database or run queries against it, they need to be granted privileges for that database."
Apparently not, because as soon as I created that cloud_iam_service_account user it could do pretty much anything.
It looks like the users are added to the cloudsqliamserviceaccount postgres group. If I remove them from that group, IAM integration is turned off and they can't log in.
How am I supposed to control access for these IAM users in postgres? I only want them to have access to their own specific databases.
When I do a \l, under Access privileges I see no explicit grants for the IAM user or the cloudsqliamserviceaccount role, so I'm not sure where it is getting this permission. The cloudsqliamserviceaccount role is also not a member of any other role.
How do I even see where these privileges for these users are coming from?
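The following is an added example, not part of the question above and not Google's or the Cloud SQL project's own code. It shows the standard PostgreSQL catalog queries for tracing where a role's access comes from (role membership chain, database ACLs, effective privilege checks) and the REVOKE/GRANT sequence that restricts a role to one database. The role name "iam-sa" (standing in for the obfuscated service-account address) and the database name "appdb" are assumed placeholders.

```sql
-- Added example (not from the original post). Assumed names:
--   role "iam-sa"  : stands in for the IAM service-account role
--   database appdb : the one database the role should be allowed into

-- 1. Role membership chain: which roles is the IAM role a member of, and
--    what do those roles in turn belong to? Membership in PUBLIC is
--    implicit for every role and never appears in pg_auth_members.
WITH RECURSIVE chain AS (
    SELECT r.oid, r.rolname, 0 AS depth
    FROM pg_roles r
    WHERE r.rolname = 'iam-sa'
  UNION ALL
    SELECT p.oid, p.rolname, c.depth + 1
    FROM chain c
    JOIN pg_auth_members m ON m.member = c.oid
    JOIN pg_roles p        ON p.oid    = m.roleid
)
SELECT rolname, depth FROM chain ORDER BY depth;

-- 2. Database-level ACLs. A NULL datacl is what \l renders as a blank
--    "Access privileges" column. It means no explicit ACL exists and the
--    built-in default applies, which grants CONNECT and TEMP on every
--    database to PUBLIC, i.e. to every role. That is why a role can connect
--    everywhere without any grant being listed for it.
SELECT datname, datacl
FROM pg_database
WHERE NOT datistemplate;

-- 3. Check the effective privilege directly instead of reading ACLs by eye.
--    has_schema_privilege() looks at the current database, so run it while
--    connected to appdb.
SELECT has_database_privilege('iam-sa', 'appdb', 'CONNECT') AS can_connect,
       has_schema_privilege('iam-sa', 'public', 'USAGE')    AS public_usage,
       has_schema_privilege('iam-sa', 'public', 'CREATE')   AS public_create;

-- 4. Lock down: drop the implicit PUBLIC grants, then grant only what the
--    role needs. Repeat the database-level REVOKE for every database that
--    should be off-limits; the schema statements run inside appdb.
--    On PostgreSQL 14 and earlier PUBLIC also gets CREATE on schema public
--    by default, which the second REVOKE removes.
REVOKE CONNECT ON DATABASE appdb FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

GRANT CONNECT ON DATABASE appdb TO "iam-sa";
GRANT USAGE ON SCHEMA public TO "iam-sa";
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO "iam-sa";

-- Only covers tables created later by the role running this statement;
-- each object-owning role needs its own ALTER DEFAULT PRIVILEGES.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO "iam-sa";
```

Step 2 is the one that answers the "where is it coming from" question for any PostgreSQL server: an empty Access privileges column is not "no access", it is "default access", and the default is open to PUBLIC. Step 4 has to be issued by a role that owns, or has GRANT OPTION on, the database and schema; whatever privileges the managed `cloudsqliamserviceaccount` group role itself carries would show up in the ACLs from steps 2 and 3 rather than being assumed here.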