DEV Community: mrberrysome The latest articles on DEV Community by mrberrysome (@mrberry). https://dev.to/mrberry https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3881388%2F88290432-69c2-48ce-95d7-f40bc4ca9b37.png DEV Community: mrberrysome https://dev.to/mrberry en my first post! mrberrysome Tue, 21 Apr 2026 01:31:51 +0000 https://dev.to/mrberry/my-first-post-3pj0 https://dev.to/mrberry/my-first-post-3pj0 <div class="ltag__link--embedded"> <div class="crayons-story "> <a href="https://dev.to/dropfile/cloud-sql-iam-auth-on-cloud-run-with-postgresjs-no-connector-package-in-your-app-knl" class="crayons-story__hidden-navigation-link">Cloud SQL IAM auth on Cloud Run with Postgres.js (no connector package in your app)</a> <div class="crayons-story__body crayons-story__body-full_post"> <div class="crayons-story__top"> <div class="crayons-story__meta"> <div class="crayons-story__author-pic"> <a class="crayons-logo crayons-logo--l" href="/dropfile"> <img alt="DropFile logo" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F13045%2F9e907bfc-8a4c-4262-af90-f6c2abf64700.png" class="crayons-logo__image" width="512" height="512"> </a> <a href="/mrberry" class="crayons-avatar crayons-avatar--s absolute -right-2 -bottom-2 border-solid border-2 border-base-inverted "> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3881388%2F88290432-69c2-48ce-95d7-f40bc4ca9b37.png" alt="mrberry profile" class="crayons-avatar__image" width="800" height="800"> </a> </div> <div> <div> <a href="/mrberry" class="crayons-story__secondary fw-medium m:hidden"> mrberrysome </a> <div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"> mrberrysome <div id="story-author-preview-content-3529167" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"> <div class="gap-4 grid"> <div class="-mt-4"> <a href="/mrberry" class="flex"> <span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3881388%2F88290432-69c2-48ce-95d7-f40bc4ca9b37.png" class="crayons-avatar__image" alt="" width="800" height="800"> </span> <span class="crayons-link crayons-subtitle-2 mt-5">mrberrysome</span> </a> </div> <div class="print-hidden"> Follow </div> <div class="author-preview-metadata-container"></div> </div> </div> </div> <span> <span class="crayons-story__tertiary fw-normal"> for </span><a href="/dropfile" class="crayons-story__secondary fw-medium">DropFile</a> </span> </div> <a href="https://dev.to/dropfile/cloud-sql-iam-auth-on-cloud-run-with-postgresjs-no-connector-package-in-your-app-knl" class="crayons-story__tertiary fs-xs"><time>Apr 21</time><span class="time-ago-indicator-initial-placeholder"></span></a> </div> </div> </div> <div class="crayons-story__indention"> <h2 class="crayons-story__title crayons-story__title-full_post"> <a href="https://dev.to/dropfile/cloud-sql-iam-auth-on-cloud-run-with-postgresjs-no-connector-package-in-your-app-knl" id="article-link-3529167"> Cloud SQL IAM auth on Cloud Run with Postgres.js (no connector package in your app) </a> </h2> <div class="crayons-story__tags"> <a class="crayons-tag crayons-tag--monochrome " href="/t/node"><span class="crayons-tag__prefix">#</span>node</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/googlecloud"><span class="crayons-tag__prefix">#</span>googlecloud</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/typescript"><span class="crayons-tag__prefix">#</span>typescript</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/postgres"><span class="crayons-tag__prefix">#</span>postgres</a> </div> <div class="crayons-story__bottom"> <div class="crayons-story__details"> <a href="https://dev.to/dropfile/cloud-sql-iam-auth-on-cloud-run-with-postgresjs-no-connector-package-in-your-app-knl" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left"> <div class="multiple_reactions_aggregate"> <span class="multiple_reactions_icons_container"> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/sparkle-heart-5f9bee3767e18deb1bb725290cb151c25234768a0e9a2bd39370c382d02920cf.svg" width="24" height="24"> </span> </span> <span class="aggregate_reactions_counter">1<span class="hidden s:inline"> reaction</span></span> </div> </a> <a href="https://dev.to/dropfile/cloud-sql-iam-auth-on-cloud-run-with-postgresjs-no-connector-package-in-your-app-knl#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"> Comments <span class="hidden s:inline">Add Comment</span> </a> </div> <div class="crayons-story__save"> <small class="crayons-story__tertiary fs-xs mr-2"> 3 min read </small> <span class="bm-initial"> </span> <span class="bm-success"> </span> </div> </div> </div> </div> </div> </div> Cloud SQL IAM auth on Cloud Run with Postgres.js (without the connector package in your app) mrberrysome Tue, 21 Apr 2026 01:26:40 +0000 https://dev.to/dropfile/cloud-sql-iam-auth-on-cloud-run-with-postgresjs-no-connector-package-in-your-app-knl https://dev.to/dropfile/cloud-sql-iam-auth-on-cloud-run-with-postgresjs-no-connector-package-in-your-app-knl <p><em>After a week that reminded everyone how much trust sits in every extra layer, here's the production pattern we use to keep Cloud Run + Cloud SQL auth simpler — and the 1-hour IAM token trap most examples miss.</em></p> <p>This week was a good reminder that infrastructure is never just infrastructure.</p> <p>Vercel disclosed a security incident that it said originated from a compromised third-party AI tool and ultimately exposed access to some internal environments and a limited subset of customer-related data. At the same time, the broader developer tooling world is debating where "public by design" ends and security expectations begin.</p> <p>That is exactly why boring decisions matter.</p> <p>If you are using Cloud SQL from Cloud Run in Node.js, most examples push you toward adding more app-layer machinery. Sometimes that is the right call. But if you are already on Cloud Run, already mounting the Cloud SQL socket, and already using Postgres.js, you may not need to add the connector package inside your app at all.</p> <p>That is the pattern we use in production at Dropfile.</p> <p>The important caveat: this is manual IAM database auth, not Google's recommended automatic connector-based flow. That distinction matters because IAM DB auth uses short-lived OAuth2 access tokens as the database password. Those tokens expire after one hour, and that is exactly where many examples quietly break.</p> <p>This post shows the leaner pattern, where it fits, and the token-refresh detail you need to get right if you do it manually.</p> <h2> Why this matters now </h2> <p>Recent incidents across developer tooling have made one thing clearer: every extra layer in your stack is also an extra trust boundary.</p> <p>This article is not arguing that connector packages are bad. It is arguing that if your platform already provides the plumbing you need, adding another dependency to app code should be a deliberate choice — not just something copied from the nearest tutorial.</p> <h2> The setup </h2> <ul> <li>Cloud Run service with <code>--add-cloudsql-instances</code> </li> <li>Postgres.js (<code>postgres</code>, not <code>pg</code>)</li> <li>Drizzle ORM on top</li> <li>IAM database auth, with the service account as the DB user</li> <li>No static password in production</li> </ul> <p>To be clear: we are not removing Cloud Run's Cloud SQL integration. We are just not duplicating that plumbing inside the Node app when Cloud Run is already doing the job.</p> <h2> The gotcha everyone hits </h2> <p>Most examples fetch the OAuth2 access token once at startup and pass it as <code>password: token</code>.</p> <p>That works fine until your process has been warm for over an hour. The token expires, and every new connection starts failing. Existing connections may survive a bit longer. New ones are where the failures show up first.</p> <p>The examples weren't wrong. They were just incomplete for long-lived processes.</p> <h2> The fix: pass a function, not a string </h2> <p>Postgres.js lets <code>password</code> be an async function. It gets resolved when a new connection is created, not once at boot.</p> <p>On Cloud Run, the GCP metadata server is always available, so the token fetch is tiny:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">fetchIAMToken</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span> <span class="dl">"</span><span class="s2">http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Metadata-Flavor</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Google</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Metadata token fetch failed: </span><span class="p">${</span><span class="nx">res</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">access_token</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">return</span> <span class="nx">access_token</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Then wire up the client:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">postgres</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">postgres</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nf">postgres</span><span class="p">({</span> <span class="na">host</span><span class="p">:</span> <span class="s2">`/cloudsql/</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">INSTANCE_CONNECTION_NAME</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_USER</span><span class="p">,</span> <span class="c1">// e.g. my-sa@my-project.iam</span> <span class="na">database</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_NAME</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">fetchIAMToken</span><span class="p">,</span> <span class="c1">// function reference, not fetchIAMToken()</span> <span class="na">max</span><span class="p">:</span> <span class="mi">7</span><span class="p">,</span> <span class="na">idle_timeout</span><span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="na">connect_timeout</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">max_lifetime</span><span class="p">:</span> <span class="mi">45</span> <span class="o">*</span> <span class="mi">60</span><span class="p">,</span> <span class="c1">// recycle connections before the 1-hour token expiry</span> <span class="p">});</span> </code></pre> </div> <p>Two details matter:</p> <ul> <li> <code>password</code> is the function reference, not <code>fetchIAMToken()</code> </li> <li> <code>max_lifetime: 45 * 60</code> recycles pooled connections before they drift too close to the 1-hour token expiry</li> </ul> <p>That combination is the whole trick.</p> <h2> Local dev fallback </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">drizzle</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">drizzle-orm/postgres-js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">postgres</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">postgres</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">schema</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./schema</span><span class="dl">"</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">createClient</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">INSTANCE_CONNECTION_NAME</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">drizzle</span><span class="p">(</span> <span class="nf">postgres</span><span class="p">({</span> <span class="na">host</span><span class="p">:</span> <span class="s2">`/cloudsql/</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">INSTANCE_CONNECTION_NAME</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_USER</span><span class="p">,</span> <span class="na">database</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_NAME</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">fetchIAMToken</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="mi">7</span><span class="p">,</span> <span class="na">idle_timeout</span><span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="na">connect_timeout</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">max_lifetime</span><span class="p">:</span> <span class="mi">45</span> <span class="o">*</span> <span class="mi">60</span><span class="p">,</span> <span class="p">}),</span> <span class="p">{</span> <span class="nx">schema</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">drizzle</span><span class="p">(</span><span class="nf">postgres</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span><span class="o">!</span><span class="p">),</span> <span class="p">{</span> <span class="nx">schema</span> <span class="p">});</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">();</span> </code></pre> </div> <p>Production uses IAM plus the mounted socket. Local uses <code>DATABASE_URL</code>. Nothing fancy.</p> <h2> Deploy command </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud run deploy my-service <span class="se">\</span> <span class="nt">--add-cloudsql-instances</span> <span class="s2">"my-project:us-central1:my-instance"</span> <span class="se">\</span> <span class="nt">--service-account</span> <span class="s2">"my-sa@my-project.iam.gserviceaccount.com"</span> <span class="se">\</span> <span class="nt">--set-env-vars</span> <span class="s2">"INSTANCE_CONNECTION_NAME=my-project:us-central1:my-instance,DB_USER=my-sa@my-project.iam,DB_NAME=mydb"</span> </code></pre> </div> <p>Notes:</p> <ul> <li> <code>--add-cloudsql-instances</code> mounts the Unix socket path</li> <li> <code>DB_USER</code> for an IAM service-account user is the service account email without <code>.gserviceaccount.com</code> </li> <li>The Cloud Run service account and the IAM DB user should be the same identity</li> </ul> <h2> What you need in GCP </h2> <ol> <li>Cloud SQL instance with IAM database authentication enabled (<code>cloudsql.iam_authentication</code>)</li> <li>Service account added as a Cloud SQL IAM service-account user</li> <li>Service account has both <code>roles/cloudsql.client</code> and <code>roles/cloudsql.instanceUser</code> </li> <li>Normal PostgreSQL grants for that user, because IAM login and schema access are separate</li> </ol> <h2> Why we like this approach </h2> <ul> <li>No static DB password in production</li> <li>No extra package in the app</li> <li>Token refresh is tied to connection creation, not process startup</li> <li>Works cleanly with Postgres.js and Drizzle</li> </ul> <p>It's not the most abstracted setup.</p> <p>That's exactly why we like it.</p> <p>The real takeaway is bigger than Cloud SQL.</p> <p>In 2026, a lot of teams are rediscovering the cost of hidden trust boundaries. If your platform already gives you the secure transport layer, it is worth asking whether your app really needs another package, another auth path, and another thing to maintain. Sometimes the better production pattern is not more abstraction. It is fewer moving parts, with the sharp edges understood.</p> <p>Curious if anyone else is doing Cloud SQL IAM auth this way, or if you stuck with the connector package.</p> node googlecloud typescript postgres