4

Is there a way to create a Cloud SQL Postgres instance that Enforces SSL/TLS, but that does not require the use of client certificates? In pg_hba.conf, this would be a line containing hostssl but not clientcert=1.

I have tried Enforcing SSL/TLS (settings.ipConfiguration.requireSsl on the instance, or gcloud sql instances patch [INSTANCE_NAME] --require-ssl) But this option seems pretty useless, because:

  1. According to Managing your client certificates , you can only create “up to 10 client certificates for each instance.” This means that we would have to share the same client certificate/private keys among multiple users or services, so the secret is not truly secret among our employees.
  2. After presenting a client sslkey/sslcert in psql, postgres still asks for a password. This is evidence that the Cloud SQL sslCerts API inserts a clientcert=1 auth-option, as opposed to a cert auth-method, into pg_hba.conf. This means that each client needs both a client cert and a password.
Improve this question

1 Answer 1

Reset to default
0

Cloud SQL always requires client SSL certificate when configured with option: Allow only SSL connections. There is also no access to pg_hba.conf file to change auth-method to cert for Cloud SQL.

As a workaround you can create PostrgreSQL on Compute engine using this Google Cloud Marketplace link, where you will have access to auth-method in pg_hba.conf

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.