NHI Forum
Read full article here: https://www.p0.dev/blog/cloudsql-security/?utm_source=nhimg
Cloud SQL, Google Cloud's managed relational database service for PostgreSQL, MySQL, and SQL Server, has strengthened its security model with IAM database authentication, which is offered for the PostgreSQL and MySQL engines. It lets engineers log in with their Google Cloud identities (email-based user and service accounts) instead of static database passwords, which improves security and auditability and streamlines access management.
Why IAM Database Authentication Matters
Traditional database authentication relies on long-lived, shared credentials, which in cloud environments tend to spread into config files, CI variables and chat history. IAM integration addresses these risks by:
- Replacing passwords with short-lived OAuth 2.0 access tokens that the client presents in place of a password.
- Mapping database access to identities already governed by IAM policies, so offboarding and role changes apply to the database as well.
- Logging each login attempt against the identity that made it, for audit and compliance.
With IAM authentication enabled (the instance flag cloudsql.iam_authentication must be on), access control occurs at two layers:
- IAM access: users are granted instance login rights via IAM roles (e.g., Cloud SQL Instance User, roles/cloudsql.instanceUser, which carries the cloudsql.instances.login permission). Connecting through the Cloud SQL Auth proxy additionally requires the Cloud SQL Client role.
- Database access: the principal must also be registered on the instance as an IAM-type database user. Within PostgreSQL that user then inherits privileges through roles rather than individually assigned permissions, which simplifies management at scale.
Role-Based Access in PostgreSQL
To streamline authorization, administrators define reusable PostgreSQL roles instead of granting table privileges to individual users:
- Read-only role: permits SELECT queries.
- Read-write role: allows SELECT, INSERT, UPDATE, and DELETE queries.
Users are then granted membership in these roles, which keeps permission assignments scalable, consistent, and auditable.
Connecting via Cloud SQL Auth Proxy
The recommended way to connect to a Cloud SQL instance is the Cloud SQL Auth proxy with automatic IAM authentication enabled. Engineers authenticate with gcloud auth login; the proxy obtains short-lived OAuth tokens from that session and presents them to the instance as the database password, so no credential is stored or exposed, and the proxy also encrypts the connection to the instance. This works with any PostgreSQL client that can connect to the local proxy port, such as psql, pgAdmin, or DataGrip.
Streamlining with P0 Security's Just-in-Time (JIT) Access
While IAM removes static passwords, organizations still face the challenge of managing on-demand, time-bound access for engineers. This is where P0 Security integrates:
- Engineers request database access directly from Slack (/p0 request).
- Approvals are granted interactively, each with an expiration window.
- P0 automates ephemeral user creation and role assignment in Cloud SQL.
- Access is automatically revoked once the time window expires.
This gives two layers of control: IAM provides identity-based authentication, while P0 enforces just-in-time authorization that limits permissions to the engineer's immediate task and time window.
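The just-in-time pattern in the list above, reduced to its mechanics: a time-bound role grant recorded in a ledger, and a sweeper that revokes whatever has expired. This is an added example and is not P0 Security's code or a description of how P0 implements it. The ledger file, the role names and ADMIN_DSN (an existing administrator connection string) are assumptions, and the user-name mapping is the same Cloud SQL for PostgreSQL convention as in the setup example.

```shell
#!/usr/bin/env bash
# Added example, not P0's implementation: time-bound PostgreSQL role grants for
# Cloud SQL IAM users, with each grant's expiry tracked in a plain-text ledger.
set -e

# Assumption: one ledger line per live grant: <expiry-epoch> <db-user> <role>
LEDGER="${LEDGER:-./jit-grants.ledger}"

# Cloud SQL for PostgreSQL user name: service accounts drop the suffix.
pg_iam_username() { printf '%s\n' "${1%.gserviceaccount.com}"; }

# Assumed administrator connection used to apply the SQL.
psql_admin() { psql "${ADMIN_DSN:?set ADMIN_DSN to an admin connection string}" -v ON_ERROR_STOP=1; }

# Grant a role for ttl seconds: the GRANT goes to the database, the expiry to
# the ledger. The ledger is the authority on when access ends, so it must be
# writable only by the automation: editing it extends someone's access.
jit_grant() {
  email=$1 role=$2 ttl=$3
  user=$(pg_iam_username "$email")
  expiry=$(( $(date +%s) + ttl ))
  printf 'GRANT %s TO "%s";\n' "$role" "$user" | psql_admin
  printf '%s %s %s\n' "$expiry" "$user" "$role" >> "$LEDGER"
}

# Pure function: REVOKE statements for every ledger entry with expiry <= now.
revoke_sql_for_expired() {   # $1 = ledger file, $2 = now (epoch seconds)
  awk -v now="$2" '$1+0 <= now+0 { printf "REVOKE %s FROM \"%s\";\n", $3, $2 }' "$1"
}

# Pure function: the ledger with expired entries removed.
prune_ledger() {             # $1 = ledger file, $2 = now (epoch seconds)
  awk -v now="$2" '$1+0 > now+0' "$1"
}

# Sweeper, run from cron or a scheduler: revoke expired grants, then rewrite
# the ledger. Revoking first means a crash between the two steps only causes
# a harmless repeat REVOKE on the next run, never a lingering grant.
jit_sweep() {
  [ -f "$LEDGER" ] || return 0
  now=$(date +%s)
  sql=$(revoke_sql_for_expired "$LEDGER" "$now")
  if [ -n "$sql" ]; then printf '%s\n' "$sql" | psql_admin; fi
  prune_ledger "$LEDGER" "$now" > "$LEDGER.tmp" && mv "$LEDGER.tmp" "$LEDGER"
}

# Usage:  jit.sh grant alice@example.com app_readwrite 3600
#         jit.sh sweep
case "${1:-}" in
  grant) jit_grant "$2" "$3" "$4" ;;
  sweep) jit_sweep ;;
esac
```

REVOKE only removes the role's privileges; the principal can still log in as long as it holds Cloud SQL Instance User and remains registered as an IAM database user. For access that should disappear entirely at expiry, the sweeper also needs to remove the IAM binding or the database user, which is the "ephemeral user" half of the pattern described above.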
Why This Matters for Cloud Security Leaders
The combination of Google Cloud IAM authentication and P0 Security JIT access delivers:
- Passwordless, short-lived access to databases.
- Reduced attack surface by eliminating shared accounts and stale privileges.
- Operational efficiency with Slack-based approvals and automation.
- Enhanced compliance through clear audit trails and least-privilege enforcement.