Skip to content
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
158 changes: 158 additions & 0 deletions samples/cloudrun/cloudrun/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,158 @@
# Connecting Cloud Run to Cloud SQL with the Python Connector

This guide provides a comprehensive walkthrough of how to connect a Cloud Run service to a Cloud SQL instance using the Cloud SQL Python Connector. It covers connecting to instances with both public and private IP addresses and demonstrates how to handle database credentials securely.

## Develop a Python Application

The following Python applications demonstrate how to connect to a Cloud SQL instance using the Cloud SQL Python Connector.

### `mysql/main.py` and `postgres/main.py`

These files contain the core application logic for connecting to a Cloud SQL for MySQL or PostgreSQL instance. They provide two separate authentication methods, each exposed at a different route:
- `/`: Password-based authentication
- `/iam`: IAM-based authentication


### `sqlserver/main.py`

This file contains the core application logic for connecting to a Cloud SQL for SQL Server instance. It uses the `cloud-sql-python-connector` to create a SQLAlchemy connection pool with password-based authentication at the `/` route.

> [!NOTE]
>
> Cloud SQL for SQL Server does not support IAM database authentication.


> [!NOTE]
> **Lazy Refresh**
>
> The sample code in all three `main.py` files initializes the `Connector` with `refresh_strategy=lazy`. This is a recommended approach to avoid connection errors and optimize cost by preventing background processes from running when the CPU is throttled.

## IAM Authentication Prerequisites


For IAM authentication to work, you must ensure two things:

1. **The Cloud Run service's service account has the `Cloud SQL Client` role.** You can grant this role with the following command:
```bash
gcloud projects add-iam-policy-binding PROJECT_ID \
--member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \
--role="roles/cloudsql.client"
```
Replace `PROJECT_ID` with your Google Cloud project ID and `SERVICE_ACCOUNT_EMAIL` with the email of the service account your Cloud Run service is using.

2. **The service account is added as a database user to your Cloud SQL instance.** You can do this with the following command:
```bash
gcloud sql users create SERVICE_ACCOUNT_EMAIL \
--instance=INSTANCE_NAME \
--type=cloud_iam_user
```
Replace `SERVICE_ACCOUNT_EMAIL` with the same service account email and `INSTANCE_NAME` with your Cloud SQL instance name.

## Deploy the Application to Cloud Run

Follow these steps to deploy the application to Cloud Run.

### Build and Push the Docker Image

1. **Enable the Artifact Registry API:**

```bash
gcloud services enable artifactregistry.googleapis.com
```

2. **Create an Artifact Registry repository:**

```bash
gcloud artifacts repositories create REPO_NAME \
--repository-format=docker \
--location=REGION
```

3. **Configure Docker to authenticate with Artifact Registry:**

```bash
gcloud auth configure-docker REGION-docker.pkg.dev
```

4. **Build the Docker image (replace `mysql` with `postgres` or `sqlserver` as needed):**

```bash
docker build -t REGION-docker.pkg.dev/PROJECT_ID/REPO_NAME/IMAGE_NAME mysql
```

5. **Push the Docker image to Artifact Registry:**

```bash
docker push REGION-docker.pkg.dev/PROJECT_ID/REPO_NAME/IMAGE_NAME
```

### Deploy to Cloud Run

Deploy the container image to Cloud Run using the `gcloud run deploy` command.


**Sample Values:**
* `SERVICE_NAME`: `my-cloud-run-service`
* `REGION`: `us-central1`
* `PROJECT_ID`: `my-gcp-project-id`
* `REPO_NAME`: `my-artifact-repo`
* `IMAGE_NAME`: `my-app-image`
* `INSTANCE_CONNECTION_NAME`: `my-gcp-project-id:us-central1:my-instance-name`
* `DB_USER`: `my-db-user` (for password-based authentication)
* `DB_IAM_USER`: `my-service-account@my-gcp-project-id.iam.gserviceaccount.com` (for IAM-based authentication)
* `DB_NAME`: `my-db-name`
* `DB_SECRET_NAME`: `projects/my-gcp-project-id/secrets/my-db-secret/versions/latest`
* `VPC_NETWORK`: `my-vpc-network`
* `SUBNET_NAME`: `my-vpc-subnet`


**For MySQL and PostgreSQL (Public IP):**

```bash
gcloud run deploy SERVICE_NAME \
--image=REGION-docker.pkg.dev/PROJECT_ID/REPO_NAME/IMAGE_NAME \
--add-cloudsql-instances=INSTANCE_CONNECTION_NAME \
--set-env-vars=DB_USER=DB_USER,DB_IAM_USER=DB_IAM_USER,DB_NAME=DB_NAME,DB_SECRET_NAME=DB_SECRET_NAME,INSTANCE_CONNECTION_NAME=INSTANCE_CONNECTION_NAME \
--region=REGION
```

**For MySQL and PostgreSQL (Private IP):**

```bash
gcloud run deploy SERVICE_NAME \
--image=REGION-docker.pkg.dev/PROJECT_ID/REPO_NAME/IMAGE_NAME \
--add-cloudsql-instances=INSTANCE_CONNECTION_NAME \
--set-env-vars=DB_USER=DB_USER,DB_IAM_USER=DB_IAM_USER,DB_NAME=DB_NAME,DB_SECRET_NAME=DB_SECRET_NAME,INSTANCE_CONNECTION_NAME=INSTANCE_CONNECTION_NAME,IP_TYPE=PRIVATE \
--network=VPC_NETWORK \
--subnet=SUBNET_NAME \
--vpc-egress=private-ranges-only \
--region=REGION
```

**For SQL Server (Public IP):**

```bash
gcloud run deploy SERVICE_NAME \
--image=REGION-docker.pkg.dev/PROJECT_ID/REPO_NAME/IMAGE_NAME \
--add-cloudsql-instances=INSTANCE_CONNECTION_NAME \
--set-env-vars=DB_USER=DB_USER,DB_NAME=DB_NAME,DB_SECRET_NAME=DB_SECRET_NAME,INSTANCE_CONNECTION_NAME=INSTANCE_CONNECTION_NAME \
--region=REGION
```

**For SQL Server (Private IP):**

```bash
gcloud run deploy SERVICE_NAME \
--image=REGION-docker.pkg.dev/PROJECT_ID/REPO_NAME/IMAGE_name \
--add-cloudsql-instances=INSTANCE_CONNECTION_NAME \
--set-env-vars=DB_USER=DB_USER,DB_NAME=DB_NAME,DB_SECRET_NAME=DB_SECRET_NAME,INSTANCE_CONNECTION_NAME=INSTANCE_CONNECTION_NAME,IP_TYPE=PRIVATE \
--network=VPC_NETWORK \
--subnet=SUBNET_NAME \
--vpc-egress=private-ranges-only \
--region=REGION
```

> [!NOTE]
> **`For PSC connections`**
>
> To connect to the Cloud SQL instance with PSC connection type, create a PSC endpoint, a DNS zone and DNS record for the instance in the same VPC network as the Cloud Run service and replace the `IP_TYPE` in the deploy command with `PSC`. To configure DNS records, refer to [Connect to an instance using Private Service Connect](https://docs.cloud.google.com/sql/docs/mysql/configure-private-service-connect) guide
18 changes: 18 additions & 0 deletions samples/cloudrun/cloudrun/mysql/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# Use the official lightweight Python image.
# https://hub.docker.com/_/python
FROM python:3.12-slim

# Allow statements and log messages to immediately appear in the Knative logs
ENV PYTHONUNBUFFERED True

# Copy local code to the container image.
ENV APP_HOME /app
WORKDIR $APP_HOME
COPY . .

# Install production dependencies.
RUN pip install --no-cache-dir -r requirements.txt

# Run the web service on container startup.
# Use gunicorn for production deployments.
CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 --timeout 0 main:app
83 changes: 83 additions & 0 deletions samples/cloudrun/cloudrun/mysql/main.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
import os
import sqlalchemy
from flask import Flask
from google.cloud.sql.connector import Connector, IPTypes
from google.cloud import secretmanager

# Initialize Flask app
app = Flask(__name__)

# Initialize the Connector object with lazy refresh
connector = Connector(refresh_strategy="lazy")
secret_client = secretmanager.SecretManagerServiceClient()

# Function to create a database connection using IAM authentication
def get_iam_connection() -> sqlalchemy.engine.base.Connection:
instance_connection_name = os.environ["INSTANCE_CONNECTION_NAME"]
db_user = os.environ["DB_IAM_USER"] # IAM service account email
db_name = os.environ["DB_NAME"]
ip_type_str = os.environ.get("IP_TYPE", "PUBLIC")
ip_type = IPTypes[ip_type_str]

conn = connector.connect(
instance_connection_name,
"pymysql",
user=db_user,
db=db_name,
ip_type=ip_type,
enable_iam_auth=True
)
return conn

# Function to create a database connection using password-based authentication
def get_password_connection() -> sqlalchemy.engine.base.Connection:
instance_connection_name = os.environ["INSTANCE_CONNECTION_NAME"]
db_user = os.environ["DB_USER"] # Database username
db_name = os.environ["DB_NAME"]
db_secret_name = os.environ["DB_SECRET_NAME"]
ip_type_str = os.environ.get("IP_TYPE", "PUBLIC")
ip_type = IPTypes[ip_type_str]

secret_response = secret_client.access_secret_version(name=db_secret_name)
db_password = secret_response.payload.data.decode("UTF-8")

conn = connector.connect(
instance_connection_name,
"pymysql",
user=db_user,
password=db_password,
db=db_name,
ip_type=ip_type,
)
return conn

# Create the SQLAlchemy engines
iam_engine = sqlalchemy.create_engine(
"mysql+pymysql://",
creator=get_iam_connection,
)
password_engine = sqlalchemy.create_engine(
"mysql+pymysql://",
creator=get_password_connection,
)

@app.route("/")
def password_auth_index():
try:
with password_engine.connect() as conn:
result = conn.execute(sqlalchemy.text("SELECT 1")).fetchall()
return f"Database connection successful (password authentication), result: {result}"
except Exception as e:
return f"Error connecting to the database (password authentication): {e}", 500

@app.route("/iam")
def iam_auth_index():
try:
with iam_engine.connect() as conn:
result = conn.execute(sqlalchemy.text("SELECT 1")).fetchall()
return f"Database connection successful (IAM authentication), result: {result}"
except Exception as e:
return f"Error connecting to the database (IAM authentication): {e}", 500

if __name__ == "__main__":
app.run(host="0.0.0.0", port=int(os.environ.get("PORT", 8080)))
5 changes: 5 additions & 0 deletions samples/cloudrun/cloudrun/mysql/requirements.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
cloud-sql-python-connector[pymysql]
sqlalchemy
Flask
gunicorn
google-cloud-secret-manager
18 changes: 18 additions & 0 deletions samples/cloudrun/cloudrun/postgres/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# Use the official lightweight Python image.
# https://hub.docker.com/_/python
FROM python:3.12-slim

# Allow statements and log messages to immediately appear in the Knative logs
ENV PYTHONUNBUFFERED True

# Copy local code to the container image.
ENV APP_HOME /app
WORKDIR $APP_HOME
COPY . .

# Install production dependencies.
RUN pip install --no-cache-dir -r requirements.txt

# Run the web service on container startup.
# Use gunicorn for production deployments.
CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 --timeout 0 main:app
83 changes: 83 additions & 0 deletions samples/cloudrun/cloudrun/postgres/main.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
import os
import sqlalchemy
from flask import Flask
from google.cloud.sql.connector import Connector, IPTypes
from google.cloud import secretmanager

# Initialize Flask app
app = Flask(__name__)

# Initialize the Connector object with lazy refresh
connector = Connector(refresh_strategy="lazy")
secret_client = secretmanager.SecretManagerServiceClient()

# Function to create a database connection using IAM authentication
def get_iam_connection() -> sqlalchemy.engine.base.Connection:
instance_connection_name = os.environ["INSTANCE_CONNECTION_NAME"]
db_user = os.environ["DB_IAM_USER"] # IAM service account email
db_name = os.environ["DB_NAME"]
ip_type_str = os.environ.get("IP_TYPE", "PUBLIC")
ip_type = IPTypes[ip_type_str]

conn = connector.connect(
instance_connection_name,
"pg8000",
user=db_user,
db=db_name,
ip_type=ip_type,
enable_iam_auth=True
)
return conn

# Function to create a database connection using password-based authentication
def get_password_connection() -> sqlalchemy.engine.base.Connection:
instance_connection_name = os.environ["INSTANCE_CONNECTION_NAME"]
db_user = os.environ["DB_USER"] # Database username
db_name = os.environ["DB_NAME"]
db_secret_name = os.environ["DB_SECRET_NAME"]
ip_type_str = os.environ.get("IP_TYPE", "PUBLIC")
ip_type = IPTypes[ip_type_str]

secret_response = secret_client.access_secret_version(name=db_secret_name)
db_password = secret_response.payload.data.decode("UTF-8")

conn = connector.connect(
instance_connection_name,
"pg8000",
user=db_user,
password=db_password,
db=db_name,
ip_type=ip_type,
)
return conn

# Create the SQLAlchemy engines
iam_engine = sqlalchemy.create_engine(
"postgresql+pg8000://",
creator=get_iam_connection,
)
password_engine = sqlalchemy.create_engine(
"postgresql+pg8000://",
creator=get_password_connection,
)

@app.route("/")
def password_auth_index():
try:
with password_engine.connect() as conn:
result = conn.execute(sqlalchemy.text("SELECT 1")).fetchall()
return f"Database connection successful (password authentication), result: {result}"
except Exception as e:
return f"Error connecting to the database (password authentication): {e}", 500

@app.route("/iam")
def iam_auth_index():
try:
with iam_engine.connect() as conn:
result = conn.execute(sqlalchemy.text("SELECT 1")).fetchall()
return f"Database connection successful (IAM authentication), result: {result}"
except Exception as e:
return f"Error connecting to the database (IAM authentication): {e}", 500

if __name__ == "__main__":
app.run(host="0.0.0.0", port=int(os.environ.get("PORT", 8080)))
5 changes: 5 additions & 0 deletions samples/cloudrun/cloudrun/postgres/requirements.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
cloud-sql-python-connector[pg8000]
sqlalchemy
Flask
gunicorn
google-cloud-secret-manager
18 changes: 18 additions & 0 deletions samples/cloudrun/cloudrun/sqlserver/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# Use the official lightweight Python image.
# https://hub.docker.com/_/python
FROM python:3.12-slim

# Allow statements and log messages to immediately appear in the Knative logs
ENV PYTHONUNBUFFERED True

# Copy local code to the container image.
ENV APP_HOME /app
WORKDIR $APP_HOME
COPY . .

# Install production dependencies.
RUN pip install --no-cache-dir -r requirements.txt

# Run the web service on container startup.
# Use gunicorn for production deployments.
CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 --timeout 0 main:app
Loading
Loading