I created a Postgres instance, database and user in GCP, which did not ask me anything about setting user privilege. and it did not ask how the user will relate to the database.
When I check user permission using psql, I saw below info. Looks like the user has very power permission?
So, how do I grant user: myuser to admin permission only to the database: mydatabase?
mydatabase=>\l
Name | owner |Encoding | Collate | Ctype | Access privileges
mydatabase | cloudsqlsuperuser | UTF8 | en_US.UTF8 |en_US.UTF8 |
...
mydatabase=>\du
Role name| List of roles Attributes| Member of
myuser | Create role, Create DB | {cloudsqlsuperuser}
cloudsqlsuperuser | Create role, Create DB | {pg_monitor,pg_signal_backend}
...
I believe the question is nothing to do with Terraform but here is my Terraform code in case it helps to figure out the answer:
resource "google_sql_database_instance" "mypostgres" {...}
resource "google_sql_database" "mypostgres_db" {
name = "mydatabase"
instance = google_sql_database_instance.mypostgres.name
...
}
resource "google_sql_user" "mypostgres_user" {
name = "myuser"
instance = google_sql_database_instance.mypostgres.name
password = "mypassword"
...
}
With Cloud SQL, Google Cloud create a super admin user with all the permissions.
Then you can create new users, either builtin user (standard database user, with login and password) or Cloud IAM user that reuse the Cloud IAM capabilities to authenticate the users.
You can also create databases.
However, the RBAC is not a Google Cloud API, but a database feature, and you can't grant permission on a database to users. You need to run a command IN the database, and terraform can't do that for you.