CloudSQL - MySQL

Create an integration to manage access to Cloud SQL MySQL databases

Overview

MySQL is a reliable and secure open-source relational database system. It serves as the main data store for various applications, websites, and products. This includes mission-critical applications and dynamic websites. With Cloud SQL, users benefit from Google Cloud's robust infrastructure, which ensures high availability, security, and scalability for their databases.

Through this integration, Apono helps you securely manage access to your Cloud SQL MySQL databases.



Prerequisites

ItemDescription
Apono ConnectorOn-prem connection serving as a bridge between your Google Cloud SQL MySQL databases and Apono

Minimum Required Version: 1.4.1

Use the following steps to update an existing connector.
Cloud SQL Admin APIAPI for managing database instances with resources, such as BackupRuns, Databases, and Instances
Cloud SQL Admin Role(Cloud IAM authentication only) Google Cloud role that the Apono connector's service user must have at the instance's project or organization level


Create a MySQL user

You must create a user in your MySQL instance for the Apono connector and grant that user permissions to your databases. You can use either the Built-in authentication or Cloud IAM authentication.


Built-in Authentication

Use the following steps to create a user and grant it permissions:

  1. In the Google Cloud console, create a new user with Built-in authentication. Use apono_connector for the username. Be sure to set a strong password for the user.

    💡

    As an alternative, you can run the following common from your MySQL client:

    CREATE USER 'apono_connector'@'%' IDENTIFIED BY 'password';


  1. In your preferred client tool, expose databases to the user. This allows Apono to view database names without accessing the contents of each database.

    GRANT SHOW DATABASES ON *.* TO 'apono_connector'@'%';
    
  2. Grant the user database permissions.

    The following commands grant Apono the following permissions:

    • Creating users
    • Updating user information and privileges
    • Monitoring and troubleshooting processes running on the database
    GRANT CREATE USER ON *.* TO 'apono_connector'@'%';
    GRANT UPDATE ON mysql.* TO 'apono_connector'@'%';
    GRANT PROCESS ON *.* TO 'apono_connector'@'%';
    
  3. Grant the user only one of the following sets of permissions. The chosen set defines the highest level of permissions to provision with Apono.

    Expand each of the following options to reveal the SQL commands:

    READ_ONLY: Allows Apono to read data from databases
    GRANT SELECT ON *.* TO 'apono_connector'@'%';
    GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';
    

    READ_WRITE: Allows Apono to read and modify data
    GRANT SELECT,ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,INDEX,INSERT,TRIGGER,UPDATE,REFERENCES ON *.* TO 'apono_connector'@'%';
    GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';
    
    

    ADMIN: Allows Apono administrative-level access, including the ability to execute and drop tables
    GRANT EXECUTE,DROP,SELECT,ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,INDEX,INSERT,TRIGGER,UPDATE,REFERENCES ON *.* TO 'apono_connector'@'%';
    GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';
    
    


  1. (MySQL 8.0+) Grant the user the authority to manage other roles. This enables Apono to create, alter, and drop roles. However, this role does not inherently grant specific database access permissions.
    GRANT ROLE_ADMIN on *.* to 'apono_connector';
    
  2. Create a secret with the credentials from step 1 above.

You can now integrate Google Cloud SQL - MySQL.



Cloud IAM Authentication

When using Cloud IAM authentication, the service account and its permissions are managed through Google Cloud IAM roles and policies. The service account is used to authenticate to the Cloud SQL instance.

⚠️

Be sure that the service account has the Cloud SQL Admin role.


Use the following step to configure Cloud IAM authentication:

  1. In the Google Cloud console, create a new user with Cloud IAM authentication. Use apono-connector-iam-sa@[PROJECT_ID].iam.gserviceaccount.com for the Principal.

You can now integrate Google Cloud SQL - MySQL.



Integrate Google Cloud SQL - MySQL

Use the following steps to complete the integration:

  1. On the Catalog tab, click Google Cloud SQL - MySQL. The Connect Google Cloud SQL - MySQL page appears.
  2. From the dropdown menu, select a connector.

    💡

    If the desired connector is not listed, click + Add new connector and follow the instructions for creating a GCP connector.

  3. Click Next. The Complete setup page appears.
  4. Enter a unique, alphanumeric, user-friendly Integration Name. This name is used to identify this integration when constructing an Access Flow.
  5. Select the Auth Type for the MySQL service account user.
    Option Description
    IAM Auth Cloud IAM authentication
    User / Password Built-in authentication

  6. Enter the Project ID where MySQL is deployed.
  7. Enter only one Region where the MySQL instance is deployed.
  8. Enter the Instance ID for the MySQL instance.
  9. (User/Password only) Under Secret Store, associate the Google Secret Store secret.

    ℹ️

    A secret is not needed or Cloud IAM authentication.

  10. Click Connect.

Now that you have completed this integration, you can create access flow that grant permission to your Google Cloud SQL MySQL database.