Error binding to Cloud SQL instance #123

Open
stephen-opal opened this issue Aug 25, 2021 · 3 comments

@stephen-opal

Hi there, I receive the following error when I attempt to bind to a Cloud SQL instance:

$ vault write gcp/roleset/my-token-roleset \
    project="test-project-2" \
    secret_type="access_token"  \
    token_scopes="https://www.googleapis.com/auth/cloud-platform" \
    bindings=-<<EOF
  resource "//cloudsql.googleapis.com/projects/test-project-2/instances/my-test-db" {
    roles = ["roles/cloudsql.instanceUser"]
  }
EOF
Error writing data to gcp/roleset/my-token-roleset-2: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset-2
Code: 400. Errors:

* invalid resource "//cloudsql.googleapis.com/projects/test-project-2/instances/my-test-db": unsupported service cloudsql for resource projects/instances

Is this unexpected? Or is Cloud SQL simply not supported at the moment? If not, what's the recommended way of using Vault to manage access to Cloud SQL instances?

Thanks so much!

@sa1i

sa1i commented Jun 28, 2022

Same error.
@jasonodonnell @austingebauer can you give us some advice?

Thanks!

@austingebauer
Member

@stephen-opal, @sa1i - I'm having a look at this now. Will get back to you here shortly!

@austingebauer
Member

Hi @stephen-opal - My apologies for the long delay here. It appears that Cloud SQL is not in the list of resources that can be managed by this secrets engine. I've raised this with my team to look into. We need to regenerate the resources we support to include Cloud SQL.

We do have a feature coming out in an upcoming Vault release that allows for management of Cloud SQL users via Vault's database secrets engine. I think this (GCP secrets engine) use case would be slightly different, but I thought it was worth mentioning if you're looking for a solution.
