docs/pages/enroll-resources/database-access/enrollment/google-cloud/postgres-cloudsql.mdx
(!docs/pages/includes/database-access/db-introduction.mdx dbType="PostgreSQL on Google Cloud SQL" dbConfigure="with a service account"!)
(!docs/pages/includes/database-access/how-it-works/iam.mdx db="PostgreSQL" cloud="Google Cloud"!)
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
- `psql` installed and added to your system's `PATH` environment variable.

(!docs/pages/includes/database-access/cloudsql-create-service-account-for-db-service.mdx!)
(!docs/pages/includes/database-access/cloudsql_grant_db_service_account.mdx!)
Teleport uses service accounts to connect to Cloud SQL databases.
(!docs/pages/includes/database-access/cloudsql_create_db_user_account.mdx!)
(!docs/pages/includes/database-access/cloudsql_grant_db_user.mdx!)
(!docs/pages/includes/database-access/cloudsql-grant-impersonation.mdx!)
Teleport uses IAM database authentication with Cloud SQL PostgreSQL instances.
(!docs/pages/includes/database-access/cloudsql_enable_iam_auth.mdx type="PostgreSQL"!)
Now go back to the Users page of your Cloud SQL instance and add a new user account. In the sidebar, choose "Cloud IAM" authentication type and add the "cloudsql-user" service account that you created in the second step:
Press "Add" and your Users table should look similar to this:
See "Creating and managing IAM users" in the Google Cloud documentation for more information.
(!docs/pages/includes/install-linux.mdx!)
(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)
(!docs/pages/includes/database-access/cloudsql_download_root_ca.mdx!)
(!docs/pages/includes/database-access/cloudsql-configure-create.mdx dbPort="5432" dbProtocol="postgres" token="/tmp/token"!)
(!docs/pages/includes/database-access/cloudsql_service_credentials.mdx serviceAccount="teleport-db-service"!)
(!docs/pages/includes/start-teleport.mdx service="the Teleport Database Service"!)
(!docs/pages/includes/database-access/create-user.mdx!)
Once the Database Service has joined the cluster, log in to see the available databases:
<Tabs>
<TabItem label="Self-Hosted">

```code
$ tsh login --proxy=teleport.example.com --user=alice
$ tsh db ls
# Name     Description              Labels
# -------- ------------------------ --------
# cloudsql GCP Cloud SQL PostgreSQL env=dev
```

</TabItem>
<TabItem label="Cloud-Hosted">

```code
$ tsh login --proxy=mytenant.teleport.sh --user=alice
$ tsh db ls
# Name     Description              Labels
# -------- ------------------------ --------
# cloudsql GCP Cloud SQL PostgreSQL env=dev
```

</TabItem>
</Tabs>
<Admonition type="note">
You will only be able to see databases that your Teleport role has access to. See our RBAC guide for more details.
</Admonition>
When connecting to the database, use the name of the database's service account that you added as an IAM database user above, minus the ".gserviceaccount.com" suffix. The database user name is shown on the Users page of your Cloud SQL instance. Retrieve credentials for the "cloudsql" example database and connect to it, assigning <Var name="project-id" /> to your Google Cloud project ID:
```code
$ tsh db connect --db-user=cloudsql-user@<Var name="project-id"/>.iam --db-name=postgres cloudsql
```
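The user-name rule above as an added shell helper (not part of the Teleport documentation): it accepts a service account e-mail with or without the `.gserviceaccount.com` suffix and prints the value to pass to `--db-user`. The function name `cloudsql_db_user` and the project ID `my-project` are hypothetical, and the `name@project-id.iam` shape check is an assumption based on the form shown on this page.

```shell
#!/bin/sh
# Added example: derive the Cloud SQL IAM database user name from a
# service account e-mail. "cloudsql_db_user" is a hypothetical helper name.

# cloudsql_db_user EMAIL
# Prints EMAIL without the ".gserviceaccount.com" suffix.
# Returns 1 if the result does not look like "name@project-id.iam"
# (assumed shape, taken from the example on this page).
cloudsql_db_user() {
    sa=$1
    # Normalise: the full e-mail and the already-shortened form give the same value.
    sa=${sa%.gserviceaccount.com}
    case $sa in
        *[!a-z0-9@.-]*) return 1 ;;   # spaces, quotes or other unexpected characters
        *@*@*)          return 1 ;;   # more than one "@"
        ?*@?*.iam)      printf '%s\n' "$sa" ;;
        *)              return 1 ;;   # e.g. a human user's e-mail address
    esac
}

# Constructed sample input: "my-project" is a placeholder project ID.
# The command is only printed here, not executed.
if db_user=$(cloudsql_db_user "cloudsql-user@my-project.iam.gserviceaccount.com"); then
    echo "tsh db connect --db-user=$db_user --db-name=postgres cloudsql"
else
    echo "not a service account database user name" >&2
fi
```

Passing the full e-mail, suffix included, to `--db-user` names a database user that does not exist on the instance, so normalising the value before connecting avoids a confusing authentication failure.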
(!docs/pages/includes/database-access/db-access-webui-ad.mdx dbType="PostgreSQL"!)
To log out of the database and remove credentials:
```code
# Remove credentials for a particular database instance:
$ tsh db logout cloudsql
# Or remove credentials for all databases:
$ tsh db logout
```
(!docs/pages/includes/database-access/gcp-troubleshooting.mdx!)
(!docs/pages/includes/database-access/pg-cancel-request-limitation.mdx!)
(!docs/pages/includes/database-access/psql-ssl-syscall-error.mdx!)
(!docs/pages/includes/database-access/guides-next-steps.mdx!)