Showing content from http://cloud.google.com/sql/docs/postgres/customer-managed-ca below:

Use a customer-managed certificate authority (CA) | Cloud SQL for PostgreSQL

This page describes how to use the customer-managed certificate authority (CA) option as the server CA mode for your Cloud SQL instance.

Overview

With the customer-managed CA option, you set up your own CA pool and CA in Certificate Authority Service (CA Service). When you select the customer-managed CA option, you set up the CA hierarchy and manage the rotation of CA certificates for your Cloud SQL instances.

Before you can create a Cloud SQL instance with the customer-managed CA option, you create a CA pool in the same region as your instance and at least one CA in that pool using CA Service. The CA can be a root CA or a subordinate CA. You also have the option to create a subordinate CA in CA Service and then chain the subordinate CA to an external root CA. When you create your instance, you specify the CA pool. Your request is delegated to a project-specific service account that has permission to request certificates from the CA pool. The service account requests a certificate from the pool, and an enabled CA in that pool signs the server certificate for the instance.

The customer-managed CA option is one of three server CA modes that you can choose for your Cloud SQL instance.

You might choose the customer-managed CA option if you need to manage your own CA for compliance reasons. For more information about using the other options, see Authorize with SSL/TLS certificates.

Workflow

To use the customer-managed CA option, the workflow is as follows:

  1. Create a service account for your Cloud SQL project.
  2. Create a CA pool in CA Service.
  3. Create a CA in CA Service.
  4. Create a Cloud SQL instance that uses the CA. When you create your instance, you delegate the permission to the service account to sign the server certificate with the CA pool that you created.
Before you begin

Before you use the customer-managed CA option, make sure you meet the following requirements.

Required roles

To get the permissions that you need to create a Cloud SQL-specific service account, ask your administrator to grant you the Service Account Creator (roles/iam.serviceAccountCreator) IAM role on each project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

To get the permissions that you need to create a CA pool and CA, ask your administrator to grant you the CA Service Operation Manager (roles/privateca.caManager) IAM role on the project that hosts CA Service. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create a project-specific service account

In the project where you plan to create your Cloud SQL instances, create the dedicated Cloud SQL service account that requests and receives the signed server certificates for your Cloud SQL instances.

gcloud

Run the following command to create a service account for your Cloud SQL project:

gcloud beta services identity create \
  --service=sqladmin.googleapis.com \
  --project=PROJECT_ID

Replace PROJECT_ID with the ID of the project where you plan to create your Cloud SQL instances.

The command creates a service account named service-PROJECT_NUMBER@gcp-sa-cloud-sql.iam.gserviceaccount.com, where PROJECT_NUMBER is the number (not the ID) of your project; the command prints the full name. Make a note of this service account name, because you grant it the CA Service Certificate Requester role in a later step.

Create a CA pool

Create a CA pool in CA Service.

You can create a CA pool in the same project where you plan to create your Cloud SQL instances, or you can create the CA pool in a different project. However, if you create the CA pool in a different project, then VPC Service Controls might block you from creating any Cloud SQL instances depending on organization policy. To fix the issue, make sure that the project that hosts the CA pool and CA and the project that hosts Cloud SQL belong to the same service perimeter. For more information, see Service perimeters and Manage service perimeters.

To create a CA pool, follow the instructions in Create a CA pool. You can accept the default values for the CA pool, with the following required configuration settings. In particular, the CA pool must be in the same region as the Cloud SQL instance that will use it; instance creation fails otherwise.

Provide the service account with access to the CA pool

To make sure the service account has the permissions to request and sign certificates for your Cloud SQL instances, grant the following role to the service account for the CA pool that you created:

gcloud

Run the gcloud privateca pools add-iam-policy-binding command to grant the service account access to the CA pool:

gcloud privateca pools add-iam-policy-binding CA_POOL_ID \
  --project=PROJECT_ID \
  --location=REGION \
  --member=serviceAccount:SERVICE_ACCOUNT_NAME \
  --role=roles/privateca.certificateRequester

Make the following replacements: CA_POOL_ID is the ID of the CA pool that you created; PROJECT_ID is the ID of the project that hosts the CA pool; REGION is the region of the CA pool; SERVICE_ACCOUNT_NAME is the name of the service account from Create a project-specific service account. Grant the role on the pool only, not on the project, so that the service account can request certificates from this pool and nothing else.

Create a CA in the CA pool

Create at least one CA in the CA pool that you created.

You can create a root CA or a subordinate CA.

To create a root CA, follow the instructions in Create a root CA. You can accept the default values for the CA, but make sure that you create the CA in the Enabled state.

When you configure the CA key size and algorithm, you can select any key size and algorithm. Cloud SQL generates its server certificates using EC P-384 (SHA-384) elliptic curve keys, but your CA cryptographic keys don't have to match.

If you create a subordinate CA, then you need to create and configure your root CA first.
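The following shell script is an added example, not code from the Cloud SQL or CA Service documentation. It shows the key-mismatch point above in practice: a server certificate with an EC P-384 key verifies cleanly against a CA whose own key is RSA, and a certificate from the wrong CA does not. Because the real CA Service CA and the real Cloud SQL server certificate are not available offline, the script generates a throwaway RSA root CA and a P-384 leaf with openssl as stand-ins; the subject names are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify that a P-384 server certificate chains to a CA whose
# key uses a different algorithm. All material is generated locally as a
# stand-in for the CA Service CA and the Cloud SQL server certificate.
set -u

# Build a throwaway RSA root CA and an EC P-384 server cert it signs, in $1.
make_test_pki() {
  dir="$1"
  # RSA-2048 root: deliberately a different algorithm from the leaf key.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Root CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    2>/dev/null
  # Cloud SQL server certificates use EC P-384 (secp384r1); mimic that here.
  openssl ecparam -name secp384r1 -genkey -noout -out "$dir/server.key"
  openssl req -new -key "$dir/server.key" -subj "/CN=db.example.internal" \
    -out "$dir/server.csr" 2>/dev/null
  # Sign the leaf with the RSA CA using SHA-384, as the text describes.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -sha384 -days 1 \
    -out "$dir/server.crt" 2>/dev/null
}

# Verify that leaf certificate $2 chains to CA certificate $1.
# Returns openssl verify's exit status: 0 on a valid chain, non-zero otherwise.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the named curve of the public key in certificate $1 (e.g. secp384r1).
leaf_curve() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*ASN1 OID: *//p'
}

# Stand-alone run: `sh this_script.sh run`
if [ "${1:-}" = "run" ]; then
  tmp=$(mktemp -d)
  make_test_pki "$tmp"
  echo "leaf key curve: $(leaf_curve "$tmp/server.crt")"
  if verify_chain "$tmp/ca.crt" "$tmp/server.crt"; then
    echo "server.crt chains to ca.crt: OK"
  else
    echo "server.crt does NOT chain to ca.crt"
  fi
  rm -rf "$tmp"
fi
```

Against a real instance, the same verify_chain check applies once you have the two PEM files: the instance's server certificate (for example as presented during a TLS handshake to the instance) and the PEM of your CA from CA Service. Obtaining those is outside what this page shows; the point of the check is that a client should pin to your CA pool's CA, not to whatever certificate the server presents.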

Create a Cloud SQL instance

To create a Cloud SQL instance that uses the customer-managed CA option, do the following.

Console

You can't use the Google Cloud console to create instances that use the customer-managed CA option. If you create an instance using the Google Cloud console, then the default is shared CA mode.

To select a different server CA mode, use the gcloud sql instances create command instead.

gcloud
gcloud sql instances create "INSTANCE_NAME" \
  --database-version=DATABASE_VERSION \
  --project=PROJECT_ID \
  --region=REGION \
  --server-ca-mode=CUSTOMER_MANAGED_CAS_CA \
  --server-ca-pool=projects/PROJECT_ID_CAS/locations/REGION/caPools/CA_POOL_ID

Make the following replacements: INSTANCE_NAME is the name of the new instance; DATABASE_VERSION is the PostgreSQL version for the instance; PROJECT_ID is the ID of the project that hosts the instance; REGION is the region of the instance, which must also be the region of the CA pool; PROJECT_ID_CAS is the ID of the project that hosts the CA pool (the same as PROJECT_ID if you created the pool in the Cloud SQL project); CA_POOL_ID is the ID of the CA pool.
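The following shell script is an added example that is not part of the original page or of the gcloud CLI. It strings the workflow above into one place: it derives the Cloud SQL service agent name from a project number, checks the fully qualified CA pool name for the two format and region problems that the API rejects, and then prints the gcloud commands in the order the page describes so that you can review them before running them. The project IDs, pool, CA and instance names are constructed placeholders; the gcloud privateca pools create and gcloud privateca roots create flags used (--subject, --auto-enable) are this example's choices, not settings the page prescribes.

```shell
#!/bin/sh
# Added example: preflight checks and a reviewable command plan for the
# customer-managed CA workflow. Nothing here talks to Google Cloud; pipe
# the output of `plan` to sh once you have read it.

# Cloud SQL service agent email for a project. The identity is keyed by
# project NUMBER, which `gcloud beta services identity create` prints.
sql_service_agent() {
  printf 'service-%s@gcp-sa-cloud-sql.iam.gserviceaccount.com\n' "$1"
}

# Validate a fully qualified CA pool name and check that its location
# matches the instance region. Mirrors the two INVALID ARGUMENT errors the
# API returns ("Invalid format for server CA pool" and "must be in the same
# region as the instance"). Prints the pool's region on success.
validate_ca_pool() {
  pool="$1"; region="$2"
  old_ifs=$IFS; IFS=/; set -f; set -- $pool; set +f; IFS=$old_ifs
  if [ "$#" -ne 6 ] || [ "$1" != projects ] || [ "$3" != locations ] \
     || [ "$5" != caPools ] || [ -z "$2" ] || [ -z "$4" ] || [ -z "$6" ]; then
    echo "invalid format for server CA pool: $pool" >&2
    return 1
  fi
  if [ "$4" != "$region" ]; then
    echo "CA pool is in $4 but the instance region is $region" >&2
    return 1
  fi
  echo "$4"
}

# Print the gcloud commands for the whole workflow, in order, without
# running them. Arguments: sql_project cas_project region pool_id ca_id
# instance db_version project_number.
plan() {
  sql_project="$1"; cas_project="$2"; region="$3"; pool_id="$4"; ca_id="$5"
  instance="$6"; db_version="$7"; project_number="$8"
  pool="projects/$cas_project/locations/$region/caPools/$pool_id"
  validate_ca_pool "$pool" "$region" >/dev/null || return 1
  agent=$(sql_service_agent "$project_number")
  cat <<EOF
gcloud beta services identity create --service=sqladmin.googleapis.com --project=$sql_project
gcloud privateca pools create $pool_id --project=$cas_project --location=$region
gcloud privateca roots create $ca_id --pool=$pool_id --project=$cas_project --location=$region --subject="CN=$ca_id" --auto-enable
gcloud privateca pools add-iam-policy-binding $pool_id --project=$cas_project --location=$region --member=serviceAccount:$agent --role=roles/privateca.certificateRequester
gcloud sql instances create $instance --project=$sql_project --region=$region --database-version=$db_version --server-ca-mode=CUSTOMER_MANAGED_CAS_CA --server-ca-pool=$pool
EOF
}

# Stand-alone run with placeholder values: `sh this_script.sh run`
if [ "${1:-}" = "run" ]; then
  plan sql-proj cas-proj us-central1 sql-pool sql-root mydb POSTGRES_16 123456789
fi
```

The IAM binding is deliberately scoped to the pool rather than the project: the service agent only needs privateca.certificates.create on the one pool that signs Cloud SQL server certificates, and a project-wide grant would let it request certificates from any pool in that project.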

REST

To create a Cloud SQL instance that uses the customer-managed CA option, use the instances.insert method and set serverCaMode to CUSTOMER_MANAGED_CAS_CA and serverCaPool to the fully qualified name of your CA pool in settings.ipConfiguration.

Before using any of the request data, make the following replacements: PROJECT_ID is the ID of the project that hosts the instance; INSTANCE_ID is the name of the new instance; REGION is the region of the instance, which must also be the region of the CA pool; DATABASE_VERSION is the PostgreSQL version for the instance; PROJECT_ID_CAS is the ID of the project that hosts the CA pool; CA_POOL_ID is the ID of the CA pool.

HTTP method and URL:

POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances

Request JSON body:

{
  "name":"INSTANCE_ID",
  "region":"REGION",
  "databaseVersion": "DATABASE_VERSION",
  "settings":{
     "ipConfiguration":
      {
         "serverCaPool": "projects/PROJECT_ID_CAS/locations/REGION/caPools/CA_POOL_ID",
         "serverCaMode": "CUSTOMER_MANAGED_CAS_CA"
      }
   }
}

To send your request, use one of the following options.

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2025-01-16T02:32:12.281Z",
  "operationType": "CREATE",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}

The response is an operation, not the finished instance. Poll the operation (for example with gcloud sql operations wait OPERATION_ID) and check that it completes successfully; the errors listed in the next section surface on the operation when certificate issuance fails.
Troubleshooting

You receive the following error message:

PERMISSION_DENIED: Permission privateca.certificates.create denied on CA_POOL_ID.

Make sure that you granted the roles/privateca.certificateRequester role on the CA pool to the service account that you created for your Cloud SQL project. For more information, see Provide the service account with access to the CA pool.

You receive the following error message:

PERMISSION_DENIED: Request is prohibited by organization's policy vpcServiceControlsUniqueIdentifier VPC_SERVICE_CONTROLS_UNIQUE_IDENTIFIER.

Make sure that you configure VPC Service Controls so that the project that hosts the CA Service CA pool and CA and the project that hosts Cloud SQL belong to the same service perimeter. For more information, see Service perimeters and Manage service perimeters.

You receive an INVALID ARGUMENT error message about the configuration of the CA pool or CA:

Check the configuration settings of your CA pool and your CA. Make sure that you meet all the requirements listed in Create a CA pool and Create a CA in the CA pool.

You receive the following error message:

RESOURCE_EXHAUSTED

This indicates a quota issue with CA Service. Verify the quota for CA Service in your project, and check whether other workloads are requesting certificates from the same CA pool outside of Cloud SQL. For more information, see Quotas and limits.

You receive the following error message:

NOT FOUND: parent resource CA_POOL_ID not found.

Check the project ID, location, and name of the CA pool that you specified when you created your Cloud SQL instance, and make sure that none of them contain typos.

You receive the following error message:

FAILED_PRECONDITION: There are no enabled CAs in the CaPool. Please ensure that there is at least one enabled Certificate Authority to issue a certificate.

Make sure that you have created at least one CA in the CA pool that you specified when you created your Cloud SQL instance, and that the CA is in the Enabled state.

You receive the following error message:

FAILED_PRECONDITION: Per-Product Per-Project Service Account (P4 SA) SERVICE_ACCOUNT_NAME not found for project PROJECT_ID.

Make sure that you have created the service account for your Cloud SQL project. For more information, see Create a project-specific service account.

You receive the following error message:

INVALID ARGUMENT: Invalid format for server CA pool.

Make sure that you specified the CA pool in the correct format:

projects/PROJECT_ID/locations/REGION/caPools/CA_POOL_ID

You receive the following error message:

INVALID ARGUMENT: The instance's server CA pool must be in the same region as the instance.

Make sure that the CA pool is in the same region as the Cloud SQL instance that you want to create.
