Skip to main content
The Cloud SQL Auth Proxy provides secure, encrypted connections to Google Cloud SQL instances using IAM authentication via Workload Identity. When enabled, a sidecar container runs alongside web, worker, OAuth, Wharf, and job pods, handling authentication and connection encryption automatically.
GCP Only: This configuration is specific to Google Cloud Platform. For other cloud providers, use native database connection methods with appropriate authentication.

Core Configuration

cloudSqlProxy.enabled
boolean
default:"false"
Enable Cloud SQL Auth Proxy sidecar containers.When Enabled:
  • Proxy sidecar added to web, worker, OAuth, Wharf, and job pods
  • Application connects to 127.0.0.1:<port> instead of Cloud SQL directly
  • Proxy handles authentication via Workload Identity or IAM tokens
  • Connection is encrypted by the proxy
When Disabled:
  • Application must connect directly to Cloud SQL
  • Requires network connectivity to Cloud SQL instance
  • Must handle authentication via connection strings or environment variables
Example:
cloudSqlProxy:
  enabled: true
  instanceConnectionName: my-project:us-central1:crewai-db
Requires Workload Identity to be configured. See GCP Integration Guide for setup instructions.
cloudSqlProxy.instanceConnectionName
string
default:""
required
Cloud SQL instance connection name.Format: PROJECT_ID:REGION:INSTANCE_NAMERequired: Yes (when cloudSqlProxy.enabled: true)Example Values:
  • my-project:us-central1:crewai-production
  • prod-123:europe-west1:postgres-main
  • company-gcp:asia-east1:crewai-db
How to Find:
gcloud sql instances describe INSTANCE_NAME \
  --format='value(connectionName)'
Example:
cloudSqlProxy:
  enabled: true
  instanceConnectionName: my-project:us-central1:crewai-db
cloudSqlProxy.port
integer
default:"5432"
Local port where the proxy listens.Default: 5432 (PostgreSQL default)Purpose: Application containers connect to 127.0.0.1:<port> to reach Cloud SQL.Configuration:
  • Set envVars.DB_HOST: "127.0.0.1"
  • Set envVars.DB_PORT: "5432" (or your custom port)
Example - Custom Port:
cloudSqlProxy:
  enabled: true
  instanceConnectionName: my-project:us-central1:crewai-db
  port: 3306  # For MySQL

envVars:
  DB_HOST: "127.0.0.1"
  DB_PORT: "3306"
cloudSqlProxy.privateIp
boolean
default:"true"
Use private IP for Cloud SQL connection.When true:
  • Proxy connects to Cloud SQL via private VPC IP
  • Requires VPC peering or Private Service Connect
  • More secure, no public internet exposure
  • Lower latency (internal network)
When false:
  • Proxy connects to Cloud SQL via public IP
  • Requires Cloud SQL public IP enabled
  • Connection still encrypted by proxy
  • Can access from any network
Production Recommendation: Use true with VPC-peered Cloud SQL instances.Example:
cloudSqlProxy:
  enabled: true
  instanceConnectionName: my-project:us-central1:crewai-db
  privateIp: true
cloudSqlProxy.autoIamAuthn
boolean
default:"false"
Enable IAM-based database authentication.When true:
  • Proxy authenticates to Cloud SQL using IAM tokens
  • No database password required
  • Uses service account bound via Workload Identity
  • Database user must be IAM-based (e.g., user@project.iam)
When false:
  • Proxy establishes encrypted connection only
  • Database authentication uses traditional username/password
  • Requires secrets.DB_PASSWORD to be set
Prerequisites for IAM Authentication:
  1. Cloud SQL instance has cloudsql.iam_authentication=on database flag
  2. IAM database user created (e.g., gsa-name@project.iam)
  3. Service account has roles/cloudsql.instanceUser role
  4. SQL privileges granted to IAM user
Example - IAM Authentication:
cloudSqlProxy:
  enabled: true
  instanceConnectionName: my-project:us-central1:crewai-db
  autoIamAuthn: true

envVars:
  DB_HOST: "127.0.0.1"
  DB_PORT: "5432"
  DB_USER: "crewai-platform@my-project.iam"

# No DB_PASSWORD needed
Example - Password Authentication:
cloudSqlProxy:
  enabled: true
  instanceConnectionName: my-project:us-central1:crewai-db
  autoIamAuthn: false

envVars:
  DB_HOST: "127.0.0.1"
  DB_PORT: "5432"
  DB_USER: "crewai"

secrets:
  DB_PASSWORD: "your-secure-password"
See GCP Integration Guide - Cloud SQL IAM Authentication for detailed setup instructions.
cloudSqlProxy.image
string
Cloud SQL Auth Proxy container image.Default: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.14.3Version Updates: Check Cloud SQL Proxy Releases for latest versions.Production Recommendation: Pin to a specific version tag for reproducible deployments.Example:
cloudSqlProxy:
  enabled: true
  image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.15.0

Resource Configuration

cloudSqlProxy.resources
object
CPU and memory resource requests and limits for the proxy sidecar.Default Configuration:
resources:
  requests:
    cpu: "100m"
    memory: "128Mi"
  limits:
    cpu: "500m"
    memory: "256Mi"
Purpose: The proxy is lightweight and handles connection management with minimal overhead.Tuning Guidelines:Low Traffic (< 50 connections):
resources:
  requests:
    cpu: "50m"
    memory: "64Mi"
  limits:
    cpu: "200m"
    memory: "128Mi"
Medium Traffic (50-200 connections):
resources:
  requests:
    cpu: "100m"
    memory: "128Mi"
  limits:
    cpu: "500m"
    memory: "256Mi"
High Traffic (200+ connections):
resources:
  requests:
    cpu: "200m"
    memory: "256Mi"
  limits:
    cpu: "1"
    memory: "512Mi"

Complete Examples

Basic Cloud SQL Connection with IAM Authentication

# ServiceAccount with Workload Identity binding
serviceAccount:
  annotations:
    iam.gke.io/gcp-service-account: crewai-platform@my-project.iam.gserviceaccount.com

# Cloud SQL Proxy configuration
cloudSqlProxy:
  enabled: true
  instanceConnectionName: my-project:us-central1:crewai-db
  port: 5432
  privateIp: true
  autoIamAuthn: true

# Database configuration
postgres:
  enabled: false  # Disable internal PostgreSQL

envVars:
  DB_HOST: "127.0.0.1"
  DB_PORT: "5432"
  DB_USER: "crewai-platform@my-project.iam"
  POSTGRES_DB: "crewai_plus_production"
  POSTGRES_CABLE_DB: "crewai_plus_cable_production"
  POSTGRES_OAUTH_DB: "crewai_plus_oauth_production"

# No DB_PASSWORD needed with IAM auth

Cloud SQL Connection with Password Authentication

# ServiceAccount with Workload Identity binding
serviceAccount:
  annotations:
    iam.gke.io/gcp-service-account: crewai-platform@my-project.iam.gserviceaccount.com

# Cloud SQL Proxy configuration
cloudSqlProxy:
  enabled: true
  instanceConnectionName: my-project:us-central1:crewai-db
  port: 5432
  privateIp: true
  autoIamAuthn: false  # Use password authentication

# Database configuration
postgres:
  enabled: false

envVars:
  DB_HOST: "127.0.0.1"
  DB_PORT: "5432"
  DB_USER: "crewai"
  POSTGRES_DB: "crewai_plus_production"
  POSTGRES_CABLE_DB: "crewai_plus_cable_production"
  POSTGRES_OAUTH_DB: "crewai_plus_oauth_production"

secrets:
  DB_PASSWORD: "your-secure-password"

Public IP Connection (No VPC Peering)

cloudSqlProxy:
  enabled: true
  instanceConnectionName: my-project:us-central1:crewai-db
  port: 5432
  privateIp: false  # Use public IP
  autoIamAuthn: true

envVars:
  DB_HOST: "127.0.0.1"
  DB_PORT: "5432"
  DB_USER: "crewai-platform@my-project.iam"
Using public IP (privateIp: false) requires Cloud SQL instance to have public IP enabled. For production, use private IP with VPC peering for better security and performance.

Troubleshooting

Connection Refused on 127.0.0.1

Symptoms: Application logs show could not connect to server: Connection refused for 127.0.0.1:5432 Possible Causes:
  1. Cloud SQL Proxy sidecar not running
  2. Proxy failed to start due to authentication issues
  3. Port mismatch
Debug Steps: 
# Check if proxy sidecar is running
kubectl get pods -n <namespace> -l app.kubernetes.io/component=web \
  -o jsonpath='{.items[0].spec.containers[*].name}'
# Should include: cloud-sql-proxy

# Check proxy logs
kubectl logs -n <namespace> deploy/crewai-web -c cloud-sql-proxy

# Check pod events
kubectl describe pod -n <namespace> <pod-name>

IAM Authentication Failures

Symptoms: fe_sendauth: no password supplied or password authentication failed Solutions:
  1. “no password supplied” - autoIamAuthn not enabled: 
    cloudSqlProxy:
  autoIamAuthn: true  # Must be true for IAM auth
  2. “password authentication failed” - IAM flag not enabled on Cloud SQL: 
    gcloud sql instances patch INSTANCE_NAME \
  --database-flags=cloudsql.iam_authentication=on
  3. Missing IAM user: 
    gcloud sql users create GSA@PROJECT.iam \
  --instance=INSTANCE_NAME \
  --type=CLOUD_IAM_SERVICE_ACCOUNT

Workload Identity Not Working

Symptoms: Proxy logs show could not retrieve default credentials Verify Workload Identity setup: 
# Check ServiceAccount annotation
kubectl get serviceaccount <sa-name> -n <namespace> -o yaml | grep gcp-service-account

# Check IAM binding
gcloud iam service-accounts get-iam-policy GSA@PROJECT.iam.gserviceaccount.com
See GCP Integration Guide - Workload Identity Troubleshooting for detailed debugging.

Proxy Can’t Reach Cloud SQL

Symptoms: Proxy logs show connection refused or timeout when connecting to Cloud SQL For Private IP (privateIp: true):
  • Verify VPC peering is configured
  • Check firewall rules allow GKE to Cloud SQL traffic
  • Ensure Cloud SQL instance has private IP enabled
For Public IP (privateIp: false):
  • Verify Cloud SQL instance has public IP enabled
  • Check authorized networks if configured
# Check Cloud SQL instance IP configuration
gcloud sql instances describe INSTANCE_NAME \
  --format='value(ipAddresses)'
GCP Integration Guide: See Cloud SQL for PostgreSQL for complete Cloud SQL setup including instance creation, IAM authentication, and database configuration. ServiceAccount Configuration: See ServiceAccount Reference for Workload Identity binding configuration. Database Configuration: See PostgreSQL Configuration for general database settings that work with Cloud SQL. Environment Variables: See Database Configuration for database connection environment variables.