docs: add explanation of non-personal database users in Cloud SQL #840
Open
Starefossen wants to merge 2 commits into main from
Conversation
Documents all non-personal database users (system users, postgres, application user, personal IAM access) for teams answering MKR-ØS control framework requirements about non-personal user accounts.

Covers:
- Google system users (cloudsqladmin, cloudsqlagent, etc.)
- The postgres user and golden path usage
- Application user provisioning and credential management
- Personal access via IAM
- Audit logging (Cloud Audit Logs + pgAudit)
- Audit log retention and storage

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Fix Cloud Audit Logs: database/user CRUD and logins are Data Access events, not Admin Activity. Add warning about enabling Data Access logs.
- Fix personal access: clarify it's the IAM role binding that's time-limited, not the DB user object. Add specific role names and TTLs.
- Fix credential flow: add the Secret → SQLUser/Config Connector → Cloud SQL step that was missing.
- Fix secret keys: use PREFIX notation and mention SSL keys for private IP.
- Fix cloudsqlsuperuser: qualify as built-in auth users only.
- Fix pgAudit: change 'default config' to 'recommended config' since the CLI doesn't enforce write,ddl,role; it's from the how-to guide.
- Fix overview table: soften 'only app pod' to acknowledge secret access.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
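The first fix in the commit above (user CRUD and logins land in the Data Access audit stream, which is off by default, not in the always-on Admin Activity stream) is the kind of thing a control-framework reviewer will want to verify rather than take on faith. The following is an added example, not code from the Nais docs or this PR: it takes a few constructed Cloud Audit Logs entries in the JSON shape the Logging API returns, keeps only the ones that describe Cloud SQL user lifecycle or login events, records which stream each came from, and checks a project IAM policy for a Data Access `auditConfigs` entry covering `cloudsql.googleapis.com`. The method names in `USER_LIFECYCLE_METHODS` and `LOGIN_METHODS` are assumptions for illustration; confirm them against real entries from your own project before relying on this filter.

```python
"""Filter Cloud Audit Logs entries for non-personal Cloud SQL user events and
check whether Data Access logging is enabled for Cloud SQL.

Added example; the log entries and IAM policy below are constructed, and the
Cloud SQL method names are assumptions to verify against real logs."""

CLOUDSQL_SERVICE = "cloudsql.googleapis.com"
# Assumed method names (illustrative; check protoPayload.methodName in your logs).
USER_LIFECYCLE_METHODS = {"cloudsql.users.create", "cloudsql.users.update", "cloudsql.users.delete"}
LOGIN_METHODS = {"cloudsql.instances.login"}


def log_stream(entry):
    """Map an entry's logName to the audit stream it belongs to."""
    name = entry.get("logName", "")
    if name.endswith("cloudaudit.googleapis.com%2Factivity"):
        return "admin_activity"
    if name.endswith("cloudaudit.googleapis.com%2Fdata_access"):
        return "data_access"
    return "other"


def classify(entry):
    """Return a summary dict for Cloud SQL user/login events, else None."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != CLOUDSQL_SERVICE:
        return None
    method = payload.get("methodName", "")
    if method in USER_LIFECYCLE_METHODS:
        kind = "user_lifecycle"
    elif method in LOGIN_METHODS:
        kind = "login"
    else:
        return None
    return {
        "kind": kind,
        "stream": log_stream(entry),
        "method": method,
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "resource": payload.get("resourceName"),
    }


def relevant_events(entries):
    """Keep only entries that matter for the non-personal-users control."""
    return [ev for ev in (classify(e) for e in entries) if ev is not None]


def data_access_enabled(iam_policy):
    """True if the project IAM policy turns on DATA_READ and DATA_WRITE audit
    logs for Cloud SQL (directly or via the allServices wildcard)."""
    for cfg in iam_policy.get("auditConfigs", []):
        if cfg.get("service") in (CLOUDSQL_SERVICE, "allServices"):
            types = {c.get("logType") for c in cfg.get("auditLogConfigs", [])}
            if {"DATA_READ", "DATA_WRITE"} <= types:
                return True
    return False


# Constructed sample entries: one Admin Activity instance change (ignored), one
# Data Access user creation, one Data Access login.
SAMPLE_ENTRIES = [
    {"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": CLOUDSQL_SERVICE, "methodName": "cloudsql.instances.update",
                      "authenticationInfo": {"principalEmail": "ops@example.com"},
                      "resourceName": "projects/demo/instances/app-db"}},
    {"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": CLOUDSQL_SERVICE, "methodName": "cloudsql.users.create",
                      "authenticationInfo": {"principalEmail": "config-connector@example.com"},
                      "resourceName": "projects/demo/instances/app-db/users/app-user"}},
    {"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": CLOUDSQL_SERVICE, "methodName": "cloudsql.instances.login",
                      "authenticationInfo": {"principalEmail": "dev@example.com"},
                      "resourceName": "projects/demo/instances/app-db"}},
]

# Constructed IAM policies: one with Data Access logging for Cloud SQL, one without.
POLICY_WITH_DATA_ACCESS = {"auditConfigs": [{"service": CLOUDSQL_SERVICE, "auditLogConfigs": [
    {"logType": "ADMIN_READ"}, {"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}]}]}
POLICY_WITHOUT_DATA_ACCESS = {"auditConfigs": [{"service": CLOUDSQL_SERVICE, "auditLogConfigs": [
    {"logType": "ADMIN_READ"}]}]}


if __name__ == "__main__":
    for ev in relevant_events(SAMPLE_ENTRIES):
        print(ev)
    print("data access logging enabled:", data_access_enabled(POLICY_WITH_DATA_ACCESS))
```

Every event the filter keeps reports `stream == "data_access"`, which is the practical consequence of the fix: if `data_access_enabled` returns False for the project, the user-creation and login history that the control framework asks about simply does not exist in Cloud Logging, regardless of how the docs describe it.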
What
Adds a new explanation page documenting all non-personal database users in Cloud SQL on Nais.
Why
Teams answering MKR-ØS (Minimum kontrollrammeverk for Økonomisystem, the minimum control framework for financial systems) requirements need documentation they can link to about non-personal database user accounts. This was requested in #minimum-kontrollrammeverk-økonomisystem.
What's covered
Placement
docs/persistence/cloudsql/explanations/non-personal-database-users.md

Listed alongside existing explanations like cloud-sql-credentials and grants-and-privileges.