Commit a7afdc7

chore: Update README with IAM group policy binding. (#46)
* add iam group binding to readme
1 parent 18e3d42 commit a7afdc7

1 file changed

+18
-1
lines changed

README.md

Lines changed: 18 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -38,7 +38,7 @@ Make sure the desired Google Cloud project is set. ([Creating a project](https:/
3838
Replace the following values:
3939
- `PROJECT_ID`: The Google Cloud project ID.
4040
```
41-
gcloud config set project PROJECT_ID
41+
gcloud config set project <PROJECT_ID>
4242
```
4343

4444
### Enabling APIs
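Review bot: Wrapping the placeholder as `<PROJECT_ID>` on the changed line 41 makes it easier to spot, but a reader who pastes the line unedited will have the shell treat `<` and `>` as input/output redirections rather than getting a clear "project not found" error, so keep the "Replace the following values" list directly above the block as it is here, and consider tagging the fence (```shell) so the snippet renders with the same highlighting as other command blocks in the README.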
@@ -115,6 +115,23 @@ To properly allow read-access of an organization's IAM group members (i.e. which
115115

116116
To assign the Group Administator Role to the service account follow these four quick steps. ([How to Assign Group Administrator Role](https://cloud.google.com/identity/docs/how-to/setup#auth-no-dwd))
117117

118+
### Configuring IAM Groups
119+
There is one step required for configuring IAM groups to be able to sync successfully with Cloud SQL instances. Each IAM group requires an IAM policy binding to allow it's IAM users to inherit the ability to connect and login to Cloud SQL instances when added as database users.
120+
121+
Add the required __Cloud SQL Instance User__ IAM policy binding through the following command or manually through the [Cloud Console](https://console.cloud.google.com/iam-admin/iam) by adding the __IAM group's email__ as the principal and selecting the __"Cloud SQL Instance User"__ role.
122+
123+
Replace the following values:
124+
- `PROJECT_ID`: The Google Cloud project ID.
125+
- `IAM_GROUP_EMAIL`: The email address associated with the IAM group.
126+
127+
```
128+
gcloud projects add-iam-policy-binding <PROJECT_ID> \
129+
--member="group:<IAM_GROUP_EMAIL>" \
130+
--role="roles/cloudsql.instanceUser"
131+
```
132+
133+
**NOTE**: The above command is required for each IAM group and the binding is added at the project level. Therefore, if an IAM group is being synced with Cloud SQL instances across several different projects, the command will need to be run for each project.
134+
118135
### Configuring Cloud SQL Instances
119136
This service requires Cloud SQL instances to be already created and to have the `cloudsql_iam_authentication` flag turned **On**. [(See how to enable flag here.)](https://cloud.google.com/sql/docs/mysql/create-edit-iam-instances)
120137

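Review bot: Two wording fixes on the new line 119: "it's IAM users" should be "its IAM users", and "connect and login to" should be "connect and log in to". More importantly, the NOTE on line 133 says the binding is added at the project level but does not spell out the consequence: granting `roles/cloudsql.instanceUser` to the group at the project scope lets every member of that group connect to every Cloud SQL instance in the project, not only the instances the service is syncing. Suggest adding a sentence to the NOTE stating that scope explicitly, so operators can decide whether a project-wide grant matches their least-privilege expectations before running the command for each project. Also tag the new fence (```shell) for consistency with the block above, and while touching this area the unchanged context line 116 still reads "Group Administator Role" (should be "Administrator").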