fix: Correctly set the credentials token source and the WithIAMAuthN opt (#2544)

mruoss · web-flow · commit 5b14b6af0226 · 2026-01-27T14:13:50.000-08:00
This fixes a bug in how the auth proxy handled the configuration when the `--impersonate-service-account` flag and the `auto-iam-auth` instance configuration parameter are set at the same time. This is especially important to make the Cloud SQL Proxy Operator work correctly, see GoogleCloudPlatform/cloud-sql-proxy-operator#719 Fixes #2542
diff --git a/internal/proxy/proxy.go b/internal/proxy/proxy.go
@@ -323,6 +323,20 @@ func parseImpersonationChain(chain string) (string, []string) {
 
 const iamLoginScope = "https://www.googleapis.com/auth/sqlservice.login"
 
+// iamAuthNEnabled returns true if IAM authentication is enabled globally
+// or for any instance in the configuration.
+func (c *Config) iamAuthNEnabled() bool {
+	if c.IAMAuthN {
+		return true
+	}
+	for _, inst := range c.Instances {
+		if inst.IAMAuthN != nil && *inst.IAMAuthN {
+			return true
+		}
+	}
+	return false
+}
+
 func credentialsOpt(c Config, l cloudsql.Logger) (cloudsqlconn.Option, error) {
 	// If service account impersonation is configured, set up an impersonated
 	// credentials token source.
@@ -363,7 +377,8 @@ func credentialsOpt(c Config, l cloudsql.Logger) (cloudsqlconn.Option, error) {
 		if err != nil {
 			return nil, err
 		}
-		if c.IAMAuthN {
+
+		if c.iamAuthNEnabled() {
 			iamLoginTS, err := impersonate.CredentialsTokenSource(
 				context.Background(),
 				impersonate.CredentialsConfig{
@@ -439,7 +454,7 @@ func (c *Config) DialerOptions(l cloudsql.Logger) ([]cloudsqlconn.Option, error)
 		opts = append(opts, cloudsqlconn.WithUniverseDomain(c.UniverseDomain))
 	}
 
-	if c.IAMAuthN {
+	if c.iamAuthNEnabled() {
 		opts = append(opts, cloudsqlconn.WithIAMAuthN())
 	}
 
diff --git a/tests/postgres_test.go b/tests/postgres_test.go
@@ -280,6 +280,14 @@ func TestPostgresIAMDBAuthn(t *testing.T) {
 			dsn: fmt.Sprintf("host=localhost user=%s database=%s sslmode=disable",
 				impersonatedIAMUser, *postgresDB),
 		},
+		{
+			desc: "using impersonation with query param",
+			args: []string{
+				"--impersonate-service-account", *impersonatedUser,
+				fmt.Sprintf("%s?auto-iam-authn=true", *postgresConnName)},
+			dsn: fmt.Sprintf("host=localhost user=%s password=password database=%s sslmode=disable",
+				impersonatedIAMUser, *postgresDB),
+		},
 	}
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
