Skip to content

docs: add explanation of non-personal database users in Cloud SQL#840

Merged
Starefossen merged 3 commits into
mainfrom
doc/non-personal-database-users
Jul 5, 2026
Merged

docs: add explanation of non-personal database users in Cloud SQL#840
Starefossen merged 3 commits into
mainfrom
doc/non-personal-database-users

Conversation

@Starefossen

Copy link
Copy Markdown
Member

What

Adds a new explanation page documenting all non-personal database users in Cloud SQL on Nais.

Why

Teams answering MKR-ØS (Minimum kontrollrammeverk for Økonomisystem) requirements need documentation they can link to about non-personal database user accounts. This was requested in #minimum-kontrollrammeverk-økonomisystem.

What's covered

  • Google system users (cloudsqladmin, cloudsqlagent, etc.) — all Google-managed, no Nav access
  • cloudsqlsuperuser — clarified as a role, not a user
  • The postgres user — not used by Nais in the golden path
  • Application user — provisioning flow, credential management (naiserator, sqeletor)
  • Personal access — IAM-based, time-limited, who can grant it
  • Audit logging — Cloud Audit Logs (Admin Activity vs Data Access) and pgAudit (opt-in)
  • Audit log retention — searchable 2yr + archived 11yr in locked buckets

Placement

docs/persistence/cloudsql/explanations/non-personal-database-users.md

Listed alongside existing explanations like cloud-sql-credentials and grants-and-privileges.

Documents all non-personal database users (system users, postgres,
application user, personal IAM access) for teams answering MKR-ØS
control framework requirements about non-personal user accounts.

Covers:
- Google system users (cloudsqladmin, cloudsqlagent, etc.)
- The postgres user and golden path usage
- Application user provisioning and credential management
- Personal access via IAM
- Audit logging (Cloud Audit Logs + pgAudit)
- Audit log retention and storage

@Kyrremann Kyrremann left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ser fint ut dette, noen små kommentarer. Vi har vel også stengt ned tilgang til secrets siden denne ble skrevet? Så nå kan man ikke så enkelt låne app-brukeren.

Comment thread docs/persistence/cloudsql/explanations/non-personal-database-users.md Outdated
Comment thread docs/persistence/cloudsql/explanations/non-personal-database-users.md Outdated
- Listing/reading metadata for databases, users, and backups (`DATA_READ`)

!!! warning
Database and user CRUD operations and logins are **Data Access** events, not Admin Activity. If you need audit evidence of user creation or database logins, you must [enable Data Access audit logs](https://cloud.google.com/logging/docs/audit/configure-data-access).

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Har vi ikke dokumentert dette i vårt egen dokumentasjon? Gaal eller noe?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Det nærmeste vi har i egen dokumentasjon er audit logs for applikasjoner (naudit) under observability — men den dekker hva sluttbrukere gjør i appen, ikke Cloud SQL. La til en note (nav-tenant) som skiller de to og lenker dit. Selve aktiveringen av Data Access-logger er ikke dokumentert hos oss, så Google-lenken står inntil videre.

Comment thread docs/persistence/cloudsql/explanations/non-personal-database-users.md Outdated
@Starefossen

Copy link
Copy Markdown
Member Author

Takk for review! Alle kommentarene er adressert i 39ec87b. Har også oppdatert teksten om app-brukerens secret til å reflektere at direkte tilgang til secret-verdier er stengt ned, slik at man ikke lenger enkelt kan «låne» app-brukeren.

- Fix Cloud Audit Logs: database/user CRUD and logins are Data Access
  events, not Admin Activity. Add warning about enabling Data Access logs.
- Fix personal access: clarify it's the IAM role binding that's
  time-limited, not the DB user object. Add specific role names and TTLs.
- Fix credential flow: add the Secret → SQLUser/Config Connector → Cloud
  SQL step that was missing.
- Fix secret keys: use PREFIX notation and mention SSL keys for private IP.
- Fix cloudsqlsuperuser: qualify as built-in auth users only.
- Fix pgAudit: change 'default config' to 'recommended config' since the
  CLI doesn't enforce write,ddl,role — it's from the how-to guide.
- Fix overview table: soften 'only app pod' to acknowledge secret access.
- Clarify "who can log in" instead of "can anyone at Nav log in" in
  overview tables; personal access is scoped to the owning team
- Introduce sqeletor at first mention with a short definition and link
- Reflect that direct human access to secret values is locked down
- Cross-reference application-level audit logging (naudit) for nav tenant
- Drop the nais/cli source code line from the pgAudit section
@Starefossen Starefossen force-pushed the doc/non-personal-database-users branch from 39ec87b to b0501cf Compare July 5, 2026 19:01
@Starefossen Starefossen merged commit 131b404 into main Jul 5, 2026
5 of 6 checks passed
@Starefossen Starefossen deleted the doc/non-personal-database-users branch July 5, 2026 19:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants