Create an integration to manage access to Cloud SQL MySQL databases
MySQL is a reliable and secure open-source relational database system. It serves as the main data store for various applications, websites, and products. This includes mission-critical applications and dynamic websites. With Cloud SQL, users benefit from Google Cloud's robust infrastructure, which ensures high availability, security, and scalability for their databases.
Through this integration, Apono helps you securely manage access to your Cloud SQL MySQL databases.
You must create a user in your MySQL instance for the Apono connector and grant that user permissions to your databases.
Follow these steps to create a user and grant it permissions:
In the Google Cloud console, create a new user with either Built-in authentication or Cloud IAM authentication.
Use apono_connector for the username.
Be sure to set a strong password for the user.
As an alternative, you can run the following command from your MySQL client:
CREATE USER 'apono_connector'@'%' IDENTIFIED BY 'password';
Use apono-connector-iam-sa@[PROJECT_ID].iam.gserviceaccount.com for the Principal.
In your preferred client tool, expose databases to the user. This allows Apono to view database names without accessing the contents of each database.
Grant the user database permissions. The commands grant Apono the following permissions:
Creating users
Updating user information and privileges
Monitoring and troubleshooting processes running on the database
Allows Apono to read data from databases
Allows Apono to read and modify data
Allows Apono administrative-level access, including the EXECUTE and DROP privileges
(MySQL 8.0+) Grant the user the authority to manage other roles. This enables Apono to create, alter, and drop roles. However, this role does not inherently grant specific database access permissions.
(Built-in authentication only) Create a secret with the credentials from step 1 above.
You can now .
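The procedure above requires the connector account to hold the base grants plus exactly one of the three permission sets. The following Python script is an added example, not Apono's code: it audits the text printed by SHOW GRANTS FOR 'apono_connector'@'%' against those documented sets and reports which set is in effect, any *.* privileges beyond it, missing base grants, and grants on objects the page never mentions. The two SHOW GRANTS transcripts inside it are constructed for the demonstration, and the set names read-only, read-write and admin are labels chosen here.

```python
"""Audit a MySQL account against the grant sets documented for the Apono
connector. Added example, not Apono's code. Input: the text printed by
SHOW GRANTS FOR 'apono_connector'@'%' (one GRANT statement per line)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Grants every option needs: SHOW DATABASES, CREATE USER, PROCESS and GRANT
# OPTION on *.*, plus UPDATE on mysql.* (taken from the page's GRANT statements).
BASE_GLOBAL = {"SHOW DATABASES", "CREATE USER", "PROCESS", "GRANT OPTION"}
BASE_MYSQL_DB = {"UPDATE"}
# The three mutually exclusive sets on *.*; the names are labels chosen here.
READ_ONLY = {"SELECT"}
READ_WRITE = READ_ONLY | {
    "ALTER", "ALTER ROUTINE", "CREATE", "CREATE ROUTINE", "CREATE TEMPORARY TABLES",
    "CREATE VIEW", "DELETE", "INDEX", "INSERT", "TRIGGER", "UPDATE", "REFERENCES",
}
ADMIN = READ_WRITE | {"EXECUTE", "DROP"}
TIERS: List[Tuple[str, Set[str]]] = [("read-only", READ_ONLY), ("read-write", READ_WRITE), ("admin", ADMIN)]
OPTIONAL_GLOBAL = {"ROLE_ADMIN"}       # MySQL 8.0+ role management, allowed with any set
EXPECTED_SCOPES = {"*.*", "mysql.*"}   # the only objects the page grants on

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+", re.IGNORECASE)


def parse_show_grants(text: str) -> Dict[str, Set[str]]:
    """Map each grant scope (e.g. '*.*', 'mysql.*') to the privileges held on it."""
    grants: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip().rstrip(";")
        m = GRANT_RE.match(line)
        if not m:               # role grants ("GRANT `r`@`%` TO ...") have no ON clause
            continue
        scope = m.group("scope").replace("`", "")
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        privs.discard("USAGE")  # USAGE is the "no privileges" placeholder
        if re.search(r"\bWITH\s+GRANT\s+OPTION\b", line, re.IGNORECASE):
            privs.add("GRANT OPTION")
        grants.setdefault(scope, set()).update(privs)
    return grants


@dataclass
class Audit:
    tier: Optional[str]            # documented set matched exactly, or None
    effective_tier: Optional[str]  # largest documented set contained in the grants
    excess: Set[str]               # *.* privileges beyond the effective set
    missing_base: Set[str]         # base grants the page requires that are absent
    unexpected_scopes: Set[str]    # objects granted on that the page never mentions

    @property
    def ok(self) -> bool:
        return self.tier is not None and not self.missing_base and not self.unexpected_scopes


def audit(grants: Dict[str, Set[str]]) -> Audit:
    global_privs = grants.get("*.*", set())
    missing_base = (BASE_GLOBAL - global_privs) | (BASE_MYSQL_DB - grants.get("mysql.*", set()))
    unexpected = set(grants) - EXPECTED_SCOPES
    data_privs = global_privs - BASE_GLOBAL - OPTIONAL_GLOBAL
    if "ALL PRIVILEGES" in data_privs:   # a blanket grant exceeds every documented set
        return Audit(None, "admin", {"ALL PRIVILEGES"}, missing_base, unexpected)
    effective, effective_set = None, set()
    for name, privs in TIERS:            # sets are nested, smallest first
        if privs <= data_privs:
            effective, effective_set = name, privs
    excess = data_privs - effective_set
    tier = effective if effective and not excess else None
    return Audit(tier, effective, excess, missing_base, unexpected)


# Constructed SHOW GRANTS output: a read-only connector that also received DROP
# and a per-database grant, i.e. more than the page's read-only option.
SAMPLE_DRIFTED = """\
GRANT SELECT, DROP, PROCESS, SHOW DATABASES, CREATE USER ON *.* TO `apono_connector`@`%` WITH GRANT OPTION
GRANT ROLE_ADMIN ON *.* TO `apono_connector`@`%`
GRANT UPDATE ON `mysql`.* TO `apono_connector`@`%`
GRANT SELECT ON `payments`.* TO `apono_connector`@`%`
"""
# Constructed SHOW GRANTS output matching the page's administrative option exactly.
SAMPLE_ADMIN = """\
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, CREATE VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, TRIGGER, PROCESS, SHOW DATABASES, EXECUTE ON *.* TO `apono_connector`@`%` WITH GRANT OPTION
GRANT UPDATE ON `mysql`.* TO `apono_connector`@`%`
"""

if __name__ == "__main__":
    for label, text in (("drifted", SAMPLE_DRIFTED), ("admin", SAMPLE_ADMIN)):
        print(label, audit(parse_show_grants(text)))
```

Run it against the real output of SHOW GRANTS after completing the steps above; a result whose tier is None, or whose missing_base or unexpected_scopes is non-empty, means the account no longer matches one of the documented options and should be corrected before it is used by the connector.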
You can also use the steps below to integrate with Apono using Terraform.
In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Google Cloud SQL - MySQL. The Connect Integration page appears.
Under Discovery, click one or more resource types and cloud services to sync with Apono.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Now that you have completed this integration, you can create access flows that grant permission to your Google Cloud SQL MySQL database.
Be sure that the Apono connector GCP service account (apono-connector-iam-sa@[PROJECT_ID].iam.gserviceaccount.com) has the Cloud SQL Admin role.
Grant the user only one of the following sets of permissions. The chosen set defines the highest level of permissions to provision with Apono. Click on each tab to reveal the SQL commands.
Auth Type options
IAM Auth: Cloud IAM authentication
User / Password: Built-in authentication
Project ID
ID of the project where the MySQL instance is deployed
Region
Location where the MySQL instance is deployed
Instance ID
ID of the MySQL instance
Instance ID User Override
(Optional) Allows overriding the instance ID for the user
Click Next. The Secret Store section expands.
(User/Password only) Associate the secret or credentials.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Apono Connector
On-prem connection serving as a bridge between your Google Cloud SQL MySQL databases and Apono. Minimum Required Version: 1.4.1. Use the following steps to update an existing connector.
Cloud SQL Admin API
API for managing database instances with resources, such as BackupRuns, Databases, and Instances
Cloud SQL Admin Role
(Cloud IAM authentication only) Google Cloud role that the Apono connector's service user must have at the instance's project or organization level
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Auth Type
Authorization type for the MySQL service account user
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated. Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted.
Learn more about .
-- Base grants required for every option
GRANT SHOW DATABASES ON *.* TO 'apono_connector'@'%';
GRANT CREATE USER ON *.* TO 'apono_connector'@'%';
GRANT UPDATE ON mysql.* TO 'apono_connector'@'%';
GRANT PROCESS ON *.* TO 'apono_connector'@'%';
-- Option: allows Apono to read data from databases
GRANT SELECT ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';
-- Option: allows Apono to read and modify data
GRANT SELECT,ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,INDEX,INSERT,TRIGGER,UPDATE,REFERENCES ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';
-- Option: allows Apono administrative-level access, including EXECUTE and DROP
GRANT EXECUTE,DROP,SELECT,ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,INDEX,INSERT,TRIGGER,UPDATE,REFERENCES ON *.* TO 'apono_connector'@'%';
GRANT GRANT OPTION ON *.* TO 'apono_connector'@'%';
-- (MySQL 8.0+) authority to manage other roles
GRANT ROLE_ADMIN ON *.* TO 'apono_connector'@'%';
Learn how to integrate and manage access to your GCP cloud
If your organization uses Google Cloud Platform (GCP), Apono's GCP integrations can help you securely manage access to your GCP cloud-based services and databases.
By identifying and transforming existing privileges, Apono can shift your cloud management from broad permissions to on-demand access flows.
Through our GCP integrations, Apono enables you to perform the following access tasks:
Limit Access: Discover existing privileges in GCP and convert them to just-in-time Access Flows.
Enable Self-Service Access: Allow developers to request access to GCP services, buckets, and instances via Slack.
Automate Approval Workflows: Create automatic approval processes for sensitive GCP resources.
Restrict Third-Party Access: Grant third-parties (customers or vendors) time-based access to specific services with MFA verification.
Review Access: Audit user cloud access, permissions granted, and reasons for access across GCP.
Create an integration to manage access to a GCP organization or project resources
Apono offers GCP users a simple way to centralize cloud management through our platform. Through a single integration, you can manage multiple GCP services across various organizations and projects.
Google BigQuery is a fast, scalable, secure, fully managed data warehouse service in the cloud, serving as a primary data store for vast datasets and analytic workloads.
To add this resource to your Google Project or Organization, you must create a custom role with BigQuery dataset permissions and assign the role to the service account for the Apono connector.
The following instructions in this section use the Google Cloud CLI.
However, you can also through the Google Console, an IAM client library, or the REST API. Additionally, you can to the Apono connector through the Google Console.
Follow these steps to associate the permissions through the Google Cloud CLI:
In your shell environment, log in to Google Cloud and enable the API.
Set the environment variables.
Create the custom role. Be sure to replace the placeholders (<ROLE_ID>, <TITLE>, and <DESCRIPTION>) with actual values of your choosing for the role ID, title, and description of the role.
Using the role ID defined in the previous step, assign the custom role to the Apono connector service account.
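To confirm that the custom role and the binding came out as the steps above intend, the following Python script is an added example (not Apono's or Google's code). It reads the JSON that gcloud iam roles describe --format=json and gcloud projects get-iam-policy --format=json print, checks that the role carries exactly the four BigQuery dataset permissions from the command above, and checks that the connector service account is bound to that role without a condition and without additional roles. The two JSON documents embedded below are constructed, and example-project and aponoBigQuery are placeholders for your own project ID and role ID.

```python
"""Verify the BigQuery custom role and its binding to the Apono connector
service account. Added example, not Apono's or Google's code. Inputs are the
JSON printed by `gcloud iam roles describe ... --format=json` and
`gcloud projects get-iam-policy ... --format=json`; the documents below are
constructed and use the placeholder project id example-project."""
import json
from typing import Dict, List, Set

# Permissions the page's `gcloud iam roles create` command puts in the custom role.
REQUIRED_PERMISSIONS = {
    "bigquery.datasets.get", "bigquery.datasets.update",
    "bigquery.datasets.getIamPolicy", "bigquery.datasets.setIamPolicy",
}


def connector_member(service_account_name: str, project_id: str) -> str:
    """Member string in the form the page's add-iam-policy-binding command uses."""
    return f"serviceAccount:{service_account_name}@{project_id}.iam.gserviceaccount.com"


def check_custom_role(role: dict) -> Dict[str, Set[str]]:
    """Compare a `roles describe` document with the documented permission set."""
    granted = set(role.get("includedPermissions", []))
    return {"missing": REQUIRED_PERMISSIONS - granted, "extra": granted - REQUIRED_PERMISSIONS}


def check_binding(policy: dict, member: str, role_name: str) -> Dict[str, object]:
    """Inspect every binding that names the connector service account.

    A conditional binding is flagged because the custom role then applies only
    while the condition holds; any other role bound to the connector is listed
    so that privilege beyond the documented setup is visible."""
    bindings = [b for b in policy.get("bindings", []) if member in b.get("members", [])]
    roles = {b["role"] for b in bindings}
    conditional = {b["role"] for b in bindings if b.get("condition")}
    return {
        "has_custom_role": role_name in roles,
        "conditional": role_name in conditional,
        "other_roles": roles - {role_name},
    }


def findings(role: dict, policy: dict, member: str) -> List[str]:
    """Human-readable list of problems; empty when the setup matches the page."""
    out: List[str] = []
    r = check_custom_role(role)
    for p in sorted(r["missing"]):
        out.append(f"custom role lacks {p}")
    for p in sorted(r["extra"]):
        out.append(f"custom role carries undocumented permission {p}")
    b = check_binding(policy, member, role["name"])
    if not b["has_custom_role"]:
        out.append("connector service account is not bound to the custom role")
    elif b["conditional"]:
        out.append("custom role binding is conditional; it may not apply to every request")
    for extra_role in sorted(b["other_roles"]):
        out.append(f"connector service account also holds {extra_role}")
    return out


# Constructed `gcloud iam roles describe` output: setIamPolicy was left out.
SAMPLE_ROLE = json.loads("""{
  "name": "projects/example-project/roles/aponoBigQuery",
  "title": "Apono BigQuery",
  "stage": "ALPHA",
  "includedPermissions": [
    "bigquery.datasets.get",
    "bigquery.datasets.update",
    "bigquery.datasets.getIamPolicy"
  ]
}""")

# Constructed `gcloud projects get-iam-policy` output.
SAMPLE_POLICY = json.loads("""{
  "version": 1,
  "bindings": [
    {"role": "projects/example-project/roles/aponoBigQuery",
     "members": ["serviceAccount:apono-connector-iam-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:alice@example.com",
                 "serviceAccount:apono-connector-iam-sa@example-project.iam.gserviceaccount.com"]}
  ]
}""")

if __name__ == "__main__":
    member = connector_member("apono-connector-iam-sa", "example-project")
    for line in findings(SAMPLE_ROLE, SAMPLE_POLICY, member) or ["no findings"]:
        print(line)
```

For an organization-level role, pass the output of gcloud organizations get-iam-policy instead; the binding and role checks are the same because the member string and the role name format are the only inputs that change.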
To manage and monitor your cloud assets, you must enable the Cloud Asset API.
Follow these steps to enable this API:
In your shell environment, log in to Google Cloud and enable the API.
You can also use the steps below to integrate with Apono using Terraform.
In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to integrate Apono with your GCP organization:
On the Catalog tab, click GCP. The Connect Integrations Group page appears.
Under Discovery, click Google Organization.
Click one or more resource types to sync with Apono.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to the roles available in the organization where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating an .
Click Next. The Integration Config section expands.
Define the Integration Config settings.
After connecting your GCP organization to Apono, you will be redirected to the Connected tab to view your integrations. The new GCP integration will initialize once it completes its first data fetch. Upon completion, the integration will be marked Active.
Now that you have completed this integration, you can create access flows that grant permission to GCP organizational roles.
Follow these steps to integrate Apono with your GCP project:
On the Catalog tab, click GCP. The Connect Integrations Group page appears.
Under Discovery, click Google Project.
Click one or more resource types to sync with Apono.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to the roles available in the organization where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating an .
Click Next. The Integration Config section expands.
Define the Integration Config settings.
After connecting your GCP project to Apono, you will be redirected to the Connected tab to view your integrations. The new GCP integration will initialize once it completes its first data fetch. Upon completion, the integration will be marked Active.
Now that you have completed this integration, you can create access flows that grant permission to GCP organizational roles.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated. Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about .
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Apono Connector
On-prem connection serving as a bridge between a Google Cloud instance and Apono
Apono Premium
Apono plan providing the most features and dedicated account support
Google User Account
User account with owner permissions
Google Cloud Command Line Interface (Google Cloud CLI)
Command-line interface used to manage Google Cloud resources
Google Cloud Information
Information for your Google Cloud instance associated with the Apono connector. Google-defined:
(Organization) Organization ID
User-defined
Service Account Name
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Organization ID
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Project ID


Google Cloud Functions enables you to build and connect cloud services by writing single-purpose functions that are attached to events emitted from your cloud infrastructure and services.
Its serverless architecture frees you to write, test, and deploy functions quickly without having to manage infrastructure setup.
With this integration, you can connect your internal applications to Cloud Functions and manage access to those applications with Apono.
Apono currently supports the original version of Google Cloud Functions, 1st Gen.
You can also use the steps below to integrate with Apono using Terraform.
In step 8, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Cloud Function Custom Integration. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a GCP connector.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Now that you have completed this integration, you can create access flows that grant permission to your internal application.
Create an integration to manage access to Kubernetes clusters on Google Cloud
With a Kubernetes cluster in GKE on Google Cloud, GKE handles the complexities of Kubernetes management. Google Cloud provides a reliable, scalable database service.
Through this integration, Apono helps you securely manage access to your Google Cloud Kubernetes cluster.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Google Kubernetes Engine (GKE). The Connect Integration page appears.
Under Discovery, click one or more resource types and cloud services to sync with Apono.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Now that you have completed this integration, you can create access flows that grant permission to your Google Cloud Kubernetes cluster.
Create an integration to manage access to PostgreSQL instances on Google Cloud SQL
Google Cloud SQL PostgreSQL is a fully managed relational database service built for the cloud. It provides a high-performance, scalable, and highly available PostgreSQL database instance without the overhead of managing infrastructure. With Google Cloud SQL, users benefit from Google Cloud's robust infrastructure, which ensures high availability, security, and scalability for their databases.
Through this integration, Apono helps you securely manage access to your Google Cloud SQL PostgreSQL database instances.
To enable Apono to manage Google Cloud SQL PostgreSQL user access, you must create a user and then configure the integration within the Apono UI.
# Log in and enable the APIs
gcloud auth login
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable iam.googleapis.com
# Environment variables (Project)
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
# Environment variables (Organization)
export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
# Create the custom role (Project)
gcloud iam roles create <ROLE_ID> --project=$GCP_PROJECT_ID --title="<TITLE>" --description="<DESCRIPTION>" --permissions=bigquery.datasets.get,bigquery.datasets.update,bigquery.datasets.getIamPolicy,bigquery.datasets.setIamPolicy --stage=ALPHA
# Create the custom role (Organization)
gcloud iam roles create <ROLE_ID> --organization=$GCP_ORGANIZATION_ID --title="<TITLE>" --description="<DESCRIPTION>" --permissions=bigquery.datasets.get,bigquery.datasets.update,bigquery.datasets.getIamPolicy,bigquery.datasets.setIamPolicy --stage=ALPHA
# Assign the custom role to the Apono connector service account (Project)
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" --role="projects/$GCP_PROJECT_ID/roles/<ROLE_ID>"
# Assign the custom role to the Apono connector service account (Organization)
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" --role="organizations/$GCP_ORGANIZATION_ID/roles/<ROLE_ID>"
# Enable the Cloud Asset API
gcloud auth login
gcloud services enable cloudasset.googleapis.com --project=<GOOGLE_PROJECT_ID>
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Custom Parameters
Key-value pairs to send to the Google Cloud Function. For example, you can provide a Google Function with a redirect URL that is used for internal provisioning access and passed as part of the action requests.
Project ID
ID of the project associated with the Cloud Function
Region
Location of the Google Cloud Function instance
Function Name
Name of the Google Cloud Function
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated. Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about .
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Apono Connector
On-prem connection serving as a bridge between your Google Function and Apono, deployed with a GCP service account. Minimum Required Version: 1.5.3. Use the following steps if you need to update an existing connector.
Cloud Function (1st gen)
Named function set up within Cloud Functions
To allow the Apono connector to call the Cloud Function, add the Cloud Functions Invoker and Cloud Functions Viewer roles to the apono-connector service account (apono-connector-iam-sa) for that Cloud Function.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Access Details
Instructions for accessing this integration's resources
Certificate Authority
(Optional) Ensures that the Kubernetes API server you are communicating with is trusted and authentic. Leave this field blank to connect the cluster where the Apono connector is deployed.
Project ID
(Optional) ID of the GCP project where the cluster is deployed
Region
(Optional) Location where the cluster is deployed
Cluster Name
(Optional) Name of the cluster to connect. The cluster name should be the same as it appears in GKE.
Click Next. The Secret Store section expands.
(User/Password only) Associate the secret or credentials.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Apono Connector
On-prem connection installed on the GKE cluster that serves as a bridge between a Kubernetes cluster and Apono
Kubernetes Engine Cluster Role
Google Cloud role that grants the Apono connector's service account access to retrieve and list GKE clusters. Apono does not require admin permissions to the Kubernetes environment.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Server URL
(Optional) URL of the server where the cluster is deployed. Leave this field blank to connect the cluster where the Apono connector is deployed.
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated. Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted.
Learn more about .
Apono Connector
On-prem connection serving as a bridge between your Google Cloud PostgreSQL databases and Apono. Minimum Required Version: 1.4.1. Use the following steps to update an existing connector.
Cloud SQL Admin API
API for managing database instances with resources, such as BackupRuns, Databases, and Instances
Cloud SQL Admin Role
(Cloud IAM authentication only) Google Cloud role that the Apono connector's service user must have at the instance's project or organization level
PostgreSQL Info
Information for the database instance to be integrated:
You must create a user in your PostgreSQL instance for the Apono connector and grant that user permissions to your databases.
You must use the admin account and password to connect to your database.
Follow these steps to create a user and grant it permissions:
In the Google Cloud console, create a new user with either Built-in authentication or Cloud IAM authentication.
Use apono_connector for the username.
This authentication method grants the user the cloudsqlsuperuser role. Be sure to set a strong password for the user.
As an alternative, you can run the following command from your PostgreSQL client:
CREATE USER apono_connector WITH PASSWORD 'password';
Use apono-connector-iam-sa@[PROJECT_ID].iam.gserviceaccount.com for the Principal.
This authentication method does not grant the user account database privileges.
Be sure that the Apono connector GCP service account (apono-connector-iam-sa@[PROJECT_ID].iam.gserviceaccount.com) has the Cloud SQL Admin role.
(Cloud IAM only) In your preferred client tool, grant cloudsqlsuperuser access to the user account.
In your preferred client tool, grant the cloudsqlsuperuser role privileges on all databases except template0 and cloudsqladmin.
This allows Apono to perform tasks that are not restricted to a single schema or object within the database, such as creating, altering, and dropping database objects.
For each database to be managed through Apono, connect to the database and grant cloudsqlsuperuser privileges on all objects in the schemas.
This allows Apono to perform tasks that are restricted to schemas within the database, such as modifying table structures, creating new sequences, or altering functions.
Connect to the template1 database and grant cloudsqlsuperuser privileges on all objects in the schemas.
For any new databases created in the future, this allows Apono to perform tasks that are restricted to schemas within the database, such as modifying table structures, creating new sequences, or altering functions.
(Built-in authentication only) Create a secret with the credentials from step 1.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Google Cloud SQL - PostgreSQL. The Connect Integration page appears.
Under Discovery, click one or more resource types and cloud services to sync with Apono.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a GCP connector.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Auth Type
Click Next. The Secret Store section expands.
(User/Password only) Associate the secret or credentials.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated. Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days)
Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your Google Cloud SQL PostgreSQL instance.
Create an integration to manage access to an AlloyDB instance
AlloyDB is a fully managed PostgreSQL-compatible database service on Google Cloud. It offers high performance, scalability, and reliability for demanding enterprise workloads.
Through this integration, Apono helps you securely manage access to your AlloyDB instance.
Use the following tabs to assign roles to the Apono connector for either your or .
Follow these steps to assign roles to the Apono connector:
In your shell environment, log in to Google Cloud and enable the API.
Set the environment variables.
Assign roles to the connector.
You must create a user in your AlloyDB instance for the Apono connector and grant that user permissions.
Use the following steps to create a user for the Apono connector and grant it permissions:
Create a new user and grant permissions with either or .
Run the following commands from your PostgreSQL client.
In the Google Cloud console, enable IAM authentication for your AlloyDB instance by setting the alloydb.iam_authentication flag to on.
Run the following command to grant superuser privileges to the Apono connector user.
(Built-in Authentication only) Create a secret with the credentials from step 1.
When using IAM authentication, the service account and its permissions are managed through Google Cloud IAM roles and policies.
A secret does not need to be created.
You can also use the steps below to integrate with Apono using Terraform.
In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click AlloyDB. The Connect Integration page appears.
Under Discovery, select one or multiple resource types for Apono to discover in the instance.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a GCP connector.
Click Next. The Integration Config page appears.
Define the Integration Config settings.
Click Next. The Secret Store section expands.
.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your AlloyDB instance.
ALTER ROLE "<CONNECTOR_USERNAME>" WITH CREATEROLE;
GRANT cloudsqlsuperuser TO "<CONNECTOR_USERNAME>";

-- Grant cloudsqlsuperuser all privileges on every database except template0 and cloudsqladmin.
DO $$
DECLARE
    database_name text;
BEGIN
    FOR database_name IN (SELECT datname FROM pg_database WHERE datname != 'template0' AND datname != 'cloudsqladmin') LOOP
        EXECUTE 'GRANT ALL PRIVILEGES ON DATABASE ' || quote_ident(database_name) || ' TO cloudsqlsuperuser WITH GRANT OPTION';
    END LOOP;
END;
$$;

-- Grant cloudsqlsuperuser all privileges on existing objects in every non-system schema
-- (pg_* schemas, information_schema and cron are skipped), then set default privileges
-- so that objects created later are covered as well.
DO $$
DECLARE
    schema text;
BEGIN
    FOR schema IN (SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT LIKE 'pg_%' AND schema_name != 'information_schema' AND schema_name != 'cron') LOOP
        EXECUTE 'GRANT ALL PRIVILEGES ON SCHEMA ' || quote_ident(schema) || ' TO cloudsqlsuperuser WITH GRANT OPTION';
        EXECUTE 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ' || quote_ident(schema) || ' TO cloudsqlsuperuser WITH GRANT OPTION';
        EXECUTE 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA ' || quote_ident(schema) || ' TO cloudsqlsuperuser WITH GRANT OPTION';
        EXECUTE 'GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA ' || quote_ident(schema) || ' TO cloudsqlsuperuser WITH GRANT OPTION';
    END LOOP;
    EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO cloudsqlsuperuser WITH GRANT OPTION';
    EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SEQUENCES TO cloudsqlsuperuser WITH GRANT OPTION';
    EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON FUNCTIONS TO cloudsqlsuperuser WITH GRANT OPTION';
    EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SCHEMAS TO cloudsqlsuperuser WITH GRANT OPTION';
END;
$$;

Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Auth Type
Authorization type for the MySQL service account user:
IAM Auth: Cloud IAM authentication
User / Password: Built-in authentication
Project ID
ID of the project where the PostgreSQL instance is deployed
Region
Location where the PostgreSQL instance is deployed
Instance ID
ID of the PostgreSQL instance
Instance ID User Override
(Optional) Allows overriding the instance ID for the user
Database Name
Name of the database to integrate. By default, Apono sets this value to postgre.
SSL Mode
(Optional) Mode of Secure Sockets Layer (SSL) encryption used to secure the connection with the SQL database server:
require: An SSL-encrypted connection must be used.
allow: An SSL-encrypted or unencrypted connection is used. If an SSL-encrypted connection is unavailable, the unencrypted connection is used.
disable: An unencrypted connection is used.
prefer: An SSL-encrypted connection is attempted. If the encrypted connection is unavailable, the unencrypted connection is used.
verify-ca: An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass.
verify-full: An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass. Additionally, the server hostname is checked against the certificate's names.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about Periodic User Cleanup & Deletion.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.

Port
Port value for the database
By default, Apono sets this value to 5432.
Instance ID User Override (optional)
Overrides the instance ID for the user
Database Name
Name of the database to integrate
By default, Apono sets this value to postgre.
SSL Mode
(Optional) Mode of Secure Sockets Layer (SSL) encryption used to secure the connection with the SQL database server
Be sure to choose the SSL mode based on your AlloyDB primary instance :
require: An SSL-encrypted connection must be used.
allow: An SSL-encrypted or unencrypted connection is used. If an SSL-encrypted connection is unavailable, the unencrypted connection is used.
disable: An unencrypted connection is used.
Make any additional edits.
Deploy the code in your Terraform.
Refer to Integration Config Metadata for more details about the schema definition.
Apono Connector
On-prem connection serving as a bridge between your Google Cloud SQL MySQL databases and Apono
Minimum Required Version: 1.6.4
Use the following steps to update an existing connector.
Allow Connector IP Access
Allows the Apono connector to communicate with the AlloyDB instance
You must allow the connector IP range in the AlloyDB primary instance's IP allow list.
API Services
API services that must be enabled:
AlloyDB API
Compute Engine API
Service Networking API
See Enabling and Disabling Services for more information.
AlloyDB Information
Identifiers for AlloyDB resources:
Primary Instance ID
Cluster ID
See View instance details to learn how to obtain these identifiers.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Auth Type
Authorization type for the AlloyDB user:
User / Password: Apono-created local user credentials
IAM Authentication: Cloud IAM authentication
Project ID
ID of the project associated with the AlloyDB instance
Location
Location of the AlloyDB instance
Primary Instance ID
ID for the primary instance within the AlloyDB cluster
Cluster ID
ID for the AlloyDB cluster
Credential Rotation
(Optional) Number of days after which the database credentials must be rotated. Learn more about the Credentials Rotation Policy.
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Learn more about Periodic User Cleanup & Deletion.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.

# Project-level: log in and enable the APIs
gcloud auth login
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable iam.googleapis.com

# Project-level: set the environment variables
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>

# Project-level: bind the two roles to the connector service account
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/alloydb.admin" \
    --project $GCP_PROJECT_ID
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/serviceusage.serviceUsageConsumer" \
    --project $GCP_PROJECT_ID

# Organization-level: log in and enable the APIs
gcloud alpha auth login
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable iam.googleapis.com

# Organization-level: set the environment variables
export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>

# Organization-level: bind the same two roles as the project-level commands, on the organization
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/alloydb.admin"
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/serviceusage.serviceUsageConsumer"

-- Built-in authentication: create the connector user and grant it superuser privileges
CREATE USER CONNECTOR_USERNAME WITH PASSWORD 'password';
GRANT alloydbsuperuser TO CONNECTOR_USERNAME;

# IAM authentication: grant superuser privileges to the connector's IAM service account user
gcloud alloydb users set-superuser CONNECTOR_USERNAME_IAM_SA_EMAIL@[PROJECT_ID].iam \
    --superuser=true \
    --cluster=CLUSTER_ID \
    --region=REGION_ID

prefer: An SSL-encrypted connection is attempted. If the encrypted connection is unavailable, the unencrypted connection is used.
verify-ca: An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass.
verify-full: An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass. Additionally, the server hostname is checked against the certificate's names.