Username/Password Authentication with SSL Enabled to Google Cloud SQL
This document provides detailed guidance for securely connecting to Google Cloud SQL using username/password authentication with SSL/TLS encryption enabled.
Enabling SSL for Cloud SQL connections ensures that all data transmitted between your application and the database is encrypted, protecting sensitive information from interception and unauthorized access.
This guide applies to both MySQL and PostgreSQL databases hosted on Google Cloud SQL, focusing on secure integration with the Privacera Portal or other services that require encrypted database connectivity.
Several Privacera services rely on databases, and this guide will assist in securing those connections.
Service | Supported | Optional |
---|---|---|
Privacera Portal | Yes | No |
Apache Ranger Admin | Yes | No |
Privacera Discovery | Yes | Yes |
Privacera Ops Server | Yes | Yes |
Privacera Scheme Server | Yes | Yes |
Google Cloud SQL supports multiple database engines; the compatibility matrix below lists the engine versions Privacera supports.
Engine | Version | Supported |
---|---|---|
PostgreSQL | 16 | Yes |
MySQL | 5.7, 8.0 | Yes |
Prerequisites
Prerequisite | Description |
---|---|
Database | An existing database instance or the ability to create a new one. |
Management Console Access | Access to the Google Cloud Console – Required for creating and managing Cloud SQL instances. |
SSL/TLS Enabled | Ensure that SSL/TLS is enabled on the database instance. For instructions on enabling SSL for Google Cloud SQL, refer to the respective cloud documentation. |
SSL Certificates | Download the appropriate SSL CA certificate from Google Cloud to verify the database server's identity. |
Database User | A valid database user with username/password authentication credentials to connect to the database. |
Note
For detailed steps on enabling SSL, configuring database users, downloading certificates, and managing network access, please refer to the official documentation of your cloud provider:
- Google Cloud SQL Documentation
Setup
Step 1: Enable SSL and Download Certificates
- Go to the Google Cloud Console.
- Navigate to SQL and select your existing SQL instance, or create a new SQL instance.
- In the left menu, go to Connections and open the Security tab.
- Under SSL settings:
  - Ensure "Allow only SSL connections" is enabled to enforce SSL for all incoming connections.
- Under Manage server CA certificates:
  - Click DOWNLOAD CERTIFICATES to download the Server CA certificate.
  - If no certificate exists, create a new one by selecting MANAGE CERTIFICATES → Create new CA certificate.
Step 2: Create or Verify a Database User
- In the Users tab of your Cloud SQL instance, ensure that you have a valid database user with username/password authentication.
- If needed, create a new user:
  - Click ADD USER ACCOUNT.
  - Select Built-in authentication.
  - Enter the desired username and password.
  - For Host name, select Allow any host (%).
  - Click ADD.
Step 3: Verify Certificate and Database User
After completing the SSL setup and downloading the required certificates (server-ca.pem, client-cert.pem, client-key.pem), follow the steps below to verify the secure connection to your Google Cloud SQL instance.
Tip
Placeholders used in the verification commands:
- path_to_downloaded_cert: Path to the downloaded server-ca.pem certificate.
- INSTANCE_IP: Public IP address of the Cloud SQL instance.
- PORT: Port number of the Cloud SQL instance.
- DB_NAME: Name of the database.
- DB_USER: Database user with username/password authentication.
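The following POSIX shell script is an added example, not a command from the Privacera documentation. It assembles the client options for psql and for the Oracle MySQL client from the placeholders above, pins trust to the downloaded server-ca.pem (sslmode=verify-ca / --ssl-mode=VERIFY_CA, so the client refuses any server whose certificate does not chain to that CA), and then asks the server whether the current session is actually encrypted. The IP address, port, database name, user and certificate path are constructed placeholders; override them through the environment. It uses verify-ca rather than verify-full because the per-instance server CA certificate issued by Cloud SQL names the instance connection name, not the IP address you connect to, so hostname matching against the IP would fail. The password is never placed on the command line: psql reads it from a prompt, PGPASSWORD or ~/.pgpass, and the mysql client prompts because of -p.

```shell
#!/bin/sh
# Added example (not part of the Privacera documentation): confirm that a
# username/password connection to Cloud SQL is TLS-protected and that the
# server certificate chains to the downloaded server-ca.pem.
# All values below are constructed placeholders; set them in the environment.
set -e

INSTANCE_IP="${INSTANCE_IP:-203.0.113.10}"     # public IP of the Cloud SQL instance
PORT="${PORT:-5432}"                            # 5432 for PostgreSQL, 3306 for MySQL
DB_NAME="${DB_NAME:-privacera_db}"
DB_USER="${DB_USER:-privacera}"
path_to_downloaded_cert="${path_to_downloaded_cert:-/opt/certs/server-ca.pem}"

# libpq connection string. sslmode=verify-ca makes psql abort the connection
# unless the server certificate chains to server-ca.pem; verify-full is not
# used because the Cloud SQL server certificate is issued to the instance
# connection name, not to the IP address in host=.
pg_conninfo() {
  printf 'host=%s port=%s dbname=%s user=%s sslmode=verify-ca sslrootcert=%s' \
    "$INSTANCE_IP" "$PORT" "$DB_NAME" "$DB_USER" "$path_to_downloaded_cert"
}

# Equivalent option set for the Oracle MySQL client (5.7 and later);
# --ssl-mode=VERIFY_CA plays the same role as sslmode=verify-ca.
mysql_args() {
  printf '%s' "--host=$INSTANCE_IP --port=$PORT --user=$DB_USER --ssl-mode=VERIFY_CA --ssl-ca=$path_to_downloaded_cert"
}

# Without the CA file, verify-ca has nothing to anchor the trust chain to, so
# fail early with a clear message instead of a confusing client error.
ca_file_present() {
  [ -s "$path_to_downloaded_cert" ]
}

# PostgreSQL: pg_stat_ssl reports whether *this* backend session is
# encrypted. Expect ssl = t plus the TLS version and cipher in use.
verify_postgres() {
  ca_file_present || { echo "missing CA file: $path_to_downloaded_cert" >&2; return 1; }
  psql "$(pg_conninfo)" -c \
    "SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();"
}

# MySQL: an empty Ssl_cipher value means the session is NOT encrypted.
verify_mysql() {
  ca_file_present || { echo "missing CA file: $path_to_downloaded_cert" >&2; return 1; }
  # word-splitting of the option list is intended here
  mysql $(mysql_args) -p -e "SHOW SESSION STATUS LIKE 'Ssl_cipher';"
}

# Only contact a server when asked explicitly, so the functions above can be
# sourced or unit-tested offline.
case "${1:-}" in
  postgres) verify_postgres ;;
  mysql)    verify_mysql ;;
esac
```

Run it as `INSTANCE_IP=... PORT=5432 DB_NAME=... DB_USER=... path_to_downloaded_cert=/path/server-ca.pem sh verify.sh postgres` (or `... sh verify.sh mysql`). A PostgreSQL row showing `ssl = t`, or a MySQL row with a non-empty `Ssl_cipher`, confirms the session is encrypted; a certificate-verification error at connect time means the server is not presenting a certificate signed by the CA you downloaded, which is exactly the failure verify-ca exists to surface.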
Step 4: Changes for Privacera-Manager
Upload Certificates
- Upload the SSL CA certificate to the Privacera-Manager instance.
- Create a custom folder within the SSL directory and copy the certificate into this folder.
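As an added example of the two steps above (this is not Privacera's own tooling, and the SSL directory location is an assumption), the following POSIX shell script stages the downloaded server CA into a custom folder under the Privacera-Manager SSL directory. Before copying, it checks that the file really is a PEM certificate (a download that silently returned an error page, or a private key picked by mistake, fails the check) and, when the openssl CLI is available, that the CA is not expired or about to expire, so a CA rollover is planned rather than discovered as an outage.

```shell
#!/bin/sh
# Added example (not Privacera's own tooling): stage the Cloud SQL server CA
# certificate into a custom folder under the Privacera-Manager SSL directory
# after sanity-checking it. PM_SSL_DIR is an assumed location.
set -e

PM_SSL_DIR="${PM_SSL_DIR:-$HOME/privacera/privacera-manager/config/ssl}"  # assumed
CUSTOM_FOLDER="${CUSTOM_FOLDER:-cloudsql}"   # the custom folder you create

# A PEM certificate file carries at least one BEGIN/END CERTIFICATE pair.
# HTML error pages and private keys (BEGIN PRIVATE KEY) do not pass.
pem_has_certificate() {
  grep -qF -e '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -qF -e '-----END CERTIFICATE-----' "$1"
}

# Fail if the CA expires within 30 days (2592000 s). Needs the openssl CLI;
# exit status 1 from -checkend means "will expire within that window".
ca_cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend 2592000
}

# Copy the CA to <ssl dir>/<custom folder>/server-ca.pem. The CA is public,
# so 0644 is enough; what matters is that only the owner can replace it.
# (A client private key such as client-key.pem would need 0600 instead.)
# Prints the destination path.
install_ca_cert() {
  src="$1"
  dest_dir="$PM_SSL_DIR/$CUSTOM_FOLDER"
  pem_has_certificate "$src" || { echo "not a PEM certificate: $src" >&2; return 1; }
  mkdir -p "$dest_dir"
  cp "$src" "$dest_dir/server-ca.pem"
  chmod 644 "$dest_dir/server-ca.pem"
  printf '%s\n' "$dest_dir/server-ca.pem"
}

# Usage: sh stage_ca.sh install /path/to/downloaded/server-ca.pem
case "${1:-}" in
  install)
    if command -v openssl >/dev/null 2>&1; then
      ca_cert_not_expiring "$2"
    fi
    install_ca_cert "$2"
    ;;
esac
```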
Changes for External DB
- Open a terminal and SSH to the instance where Privacera-Manager is installed.
- Create the external DB variables in the custom-config file and update the properties accordingly.
- Update the following variables:
Tip
- EXTERNAL_DB_HOST: Endpoint URL of the RDS Postgres.
- EXTERNAL_DB_NAME: If you have created a different database, update the name here.
- EXTERNAL_DB_USER: If you have created a different user, update the name here.
Step 5: Apply Changes
If you haven't completed the base installation setup, you can skip this step and continue with the base installation steps.
- Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.
- Step 2 - Apply the Privacera Manager Helm charts.
- Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.
By enabling SSL and configuring secure certificates for your Google Cloud SQL instance, you ensure encrypted, secure communication between your services and the database using username and password authentication. This setup helps protect sensitive data in transit and enforces best practices for secure database connectivity.