docs: add explanation of non-personal database users in Cloud SQL#840
Open
Starefossen wants to merge 2 commits into
Open
docs: add explanation of non-personal database users in Cloud SQL#840Starefossen wants to merge 2 commits into
Starefossen wants to merge 2 commits into
Conversation
Documents all non-personal database users (system users, postgres, application user, personal IAM access) for teams answering MKR-ØS control framework requirements about non-personal user accounts. Covers: - Google system users (cloudsqladmin, cloudsqlagent, etc.) - The postgres user and golden path usage - Application user provisioning and credential management - Personal access via IAM - Audit logging (Cloud Audit Logs + pgAudit) - Audit log retention and storage Co-authored-by: Copilot <[email protected]>
- Fix Cloud Audit Logs: database/user CRUD and logins are Data Access events, not Admin Activity. Add warning about enabling Data Access logs. - Fix personal access: clarify it's the IAM role binding that's time-limited, not the DB user object. Add specific role names and TTLs. - Fix credential flow: add the Secret → SQLUser/Config Connector → Cloud SQL step that was missing. - Fix secret keys: use PREFIX notation and mention SSL keys for private IP. - Fix cloudsqlsuperuser: qualify as built-in auth users only. - Fix pgAudit: change 'default config' to 'recommended config' since the CLI doesn't enforce write,ddl,role — it's from the how-to guide. - Fix overview table: soften 'only app pod' to acknowledge secret access. Co-authored-by: Copilot <[email protected]>
Kyrremann
approved these changes
Jun 4, 2026
Member
Kyrremann
left a comment
Kyrremann
left a comment
There was a problem hiding this comment.
Ser fint ut dette, noen små kommentarer. Vi har vel også stengt ned tilgang til secrets siden denne ble skrevet? Så nå kan man ikke så enkelt låne app-brukeren.
|
|
||
| ## Overview | ||
|
|
||
| | User type | Why it exists | Who controls the password | Can anyone at Nav log in? | What is logged | |
Member
There was a problem hiding this comment.
"Can anyone at Nav log in" får det til å høres ut at kravet er at man jobber i Nav, så kanskje endre til team? Eller forklare hva vi mener med "anyone".
| - `<PREFIX>_URL` — a complete connection string | ||
| - `<PREFIX>_JDBC_URL` — a complete JDBC connection string | ||
|
|
||
| The prefix is derived from the instance and database name (e.g., `NAIS_DATABASE_MYAPP_MYDB`). For instances on private IP, sqeletor also adds SSL-related keys (`_SSLROOTCERT`, `_SSLCERT`, `_SSLKEY`, `_SSLMODE`). |
Member
There was a problem hiding this comment.
Vet folk hva "sqeletor" er for noe?
| - Listing/reading metadata for databases, users, and backups (`DATA_READ`) | ||
|
|
||
| !!! warning | ||
| Database and user CRUD operations and logins are **Data Access** events, not Admin Activity. If you need audit evidence of user creation or database logins, you must [enable Data Access audit logs](https://cloud.google.com/logging/docs/audit/configure-data-access). |
Member
There was a problem hiding this comment.
Har vi ikke dokumentert dette i vårt egen dokumentasjon? Gaal eller noe?
|
|
||
| The [recommended configuration](../how-to/enable-auditing.md) is to log `write`, `ddl`, and `role` — that is, write operations, schema changes, and role changes. Read operations (`read`) are not logged unless you configure it explicitly. The application user is excluded (`pgaudit.log = 'none'`) to avoid noise from normal application traffic. | ||
|
|
||
| Source code: [`nais/cli` — audit.go](https://github.com/nais/cli/blob/main/internal/postgres/audit.go) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds a new explanation page documenting all non-personal database users in Cloud SQL on Nais.
Why
Teams answering MKR-ØS (Minimum kontrollrammeverk for Økonomisystem) requirements need documentation they can link to about non-personal database user accounts. This was requested in #minimum-kontrollrammeverk-økonomisystem.
What's covered
Placement
docs/persistence/cloudsql/explanations/non-personal-database-users.mdListed alongside existing explanations like cloud-sql-credentials and grants-and-privileges.