Create an integration to manage access to an AlloyDB instance
AlloyDB is a fully managed PostgreSQL-compatible database service on Google Cloud. It offers high performance, scalability, and reliability for demanding enterprise workloads.
Through this integration, Apono helps you securely manage access to your AlloyDB instance.
Item | Description |
---|---|
Use the following tabs to assign roles to the Apono connector for either your Google Project or Google Organization.
Follow these steps to assign roles to the Apono connector:
In your shell environment, log in to Google Cloud and enable the API.
Set the environment variables.
Assign roles to the connector.
Follow these steps to assign roles to the Apono connector:
In your shell environment, log in to Google Cloud and enable the API.
Set the environment variables.
Assign roles to the connector.
You must create a user in your AlloyDB instance for the Apono connector and grant that user permissions.
Use the following steps to create a user for the Apono connector and grant it permissions:
Create a new user and grant permissions with either Built-in Authentication or IAM Authentication.
Run the following commands from your PostgreSQL client.
Run the following command to grant superuser privileges to the Apono connector user.
(Built-in Authentication only) Create a secret with the credentials from step 1.
When using IAM authentication, the service account and its permissions are managed through Google Cloud IAM roles and policies.
A secret does not need to be created.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click AlloyDB. The Connect Integration page appears.
Under Discovery, select one or multiple resource types for Apono to discover in the instance.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector for GCP.
Click Next. The Integration Config page appears.
Define the Integration Config settings.
Click Next. The Secret Store section expands.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your AlloyDB instance.
In the Google Cloud console, enable IAM authentication for your AlloyDB instance by setting the alloydb.iam_authentication flag to on.
Setting | Description |
---|---|
Setting | Description |
---|---|
Apono Connector
On-prem connection serving as a bridge between your Google Cloud SQL MySQL databases and Apono
Minimum Required Version: 1.6.4
Use the following steps to update an existing connector.
Allow Connector IP Access
Allows the Apono connector to communicate with the AlloyDB instance
You must allow the connector IP range in the AlloyDB primary instance's IP allow list.
API Services
API services that must enabled:
AlloyDB API
Compute Engine API
Service Networking API
See Enabling and Disabling Services for more information.
AlloyDB Information
Identifiers for AlloyDB resources:
Primary Instance ID
Cluster ID
See View instance details to learn how to obtain these identifiers.
Credential Rotation
(Optional) When Auth Type is set to User / Password, number of days after which the database credentials must be rotated Learn more about the Credentials Rotation Policy.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources
Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters.
To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found
Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource
Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Auth Type
Authorization type for the AlloyDB user
Option
Description
User / Password
Apono-created local user credentials
IAM Authentication
Cloud IAM authentication
Project ID
ID of the project associated with the AlloyDB instance
Location
Location of the AlloyDB instance
Primary Instance ID
ID for the primary instance within the AlloyDB cluster
Cluster ID
ID for the AlloyDB cluster
Port
Port value for the database
By default, Apono sets this value to 5432.
Instance ID User Override (optional)
Overrides the instance ID for the user
Database Name
Name of the database to integrate
By default, Apono sets this value to postgre.
SSL Mode
(Optional) Mode of Secure Sockets Layer (SSL) encryption used to secure the connection with the SQL database server
Be sure to choose the SSL mode based on your AlloyDB primary instance SSL mode configuration.
Option
Description
require
An SSL-encrypted connection must be used.
allow
An SSL-encrypted or unencrypted connection is used. If an SSL encrypted connection is unavailable, the unencrypted connection is used.
disable
An unencrypted connection is used.
prefer
An SSL encrypted connection is attempted. If the encrypted connection is unavailable, the unencrypted connection is used.
verify-ca
An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass.
verify-full
An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass.
Additionally, the server hostname is checked against the certificate's names.
Option
Description
User / Password
Apono-created local user credentials
IAM Authentication
Cloud IAM authentication
Option
Description
require
An SSL-encrypted connection must be used.
allow
An SSL-encrypted or unencrypted connection is used. If an SSL encrypted connection is unavailable, the unencrypted connection is used.
disable
An unencrypted connection is used.
prefer
An SSL encrypted connection is attempted. If the encrypted connection is unavailable, the unencrypted connection is used.
verify-ca
An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass.
verify-full
An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass.
Additionally, the server hostname is checked against the certificate's names.