2

Is there a way to create a Cloud SQL Postgres instance that Enforces SSL/TLS, but that does not require the use of client certificates? In pg_hba.conf, this would be a line containing hostssl but not clientcert=1.

I have tried Enforcing SSL/TLS (settings.ipConfiguration.requireSsl on the instance, or gcloud sql instances patch [INSTANCE_NAME] --require-ssl) But this option seems pretty useless, because:

  1. According to Managing your client certificates , you can only create “up to 10 client certificates for each instance.” This means that we would have to share the same client certificate/private keys among multiple users or services, so the secret is not truly secret among our employees.
  2. After presenting a client sslkey/sslcert in psql, postgres still asks for a password. This is evidence that the Cloud SQL sslCerts API inserts a clientcert=1 auth-option, as opposed to a cert auth-method, into pg_hba.conf. This means that each client needs both a client cert and a password.
yonran
  • 667
  • 2
  • 7
  • 20

1 Answers1

0

Cloud SQL always requires client SSL certificate when configured with option: Allow only SSL connections. There is also no access to pg_hba.conf file to change auth-method to cert for Cloud SQL.

As a workaround you can create PostrgreSQL on Compute engine using this Google Cloud Marketplace link, where you will have access to auth-method in pg_hba.conf

Pawel Czuczwara
  • 176
  • 3