Secure and fast access to AlloyDB from GKE applications

Background

AlloyDB for PostgreSQL supports authentication via a Google Cloud service account, which removes the need to manage a username and password as secrets for applications to authenticate to the database.

This feature can be combined with the workload identity feature of GKE to let applications running in GKE authenticate to AlloyDB directly using the associated service account.

However, the existing documentation only describes authentication through an auth_proxy, which has two disadvantages:

  • The sidecar might impact performance
  • Extra effort is needed to set up the sidecar in the application deployment

This guide describes a way for applications in GKE to authenticate to AlloyDB using workload identity without the auth_proxy.