docs: add explanation of non-personal database users in Cloud SQL#840
Conversation
Documents all non-personal database users (system users, postgres, application user, personal IAM access) for teams answering MKR-ØS control framework requirements about non-personal user accounts. Covers: - Google system users (cloudsqladmin, cloudsqlagent, etc.) - The postgres user and golden path usage - Application user provisioning and credential management - Personal access via IAM - Audit logging (Cloud Audit Logs + pgAudit) - Audit log retention and storage
Kyrremann
left a comment
There was a problem hiding this comment.
Ser fint ut dette, noen små kommentarer. Vi har vel også stengt ned tilgang til secrets siden denne ble skrevet? Så nå kan man ikke så enkelt låne app-brukeren.
| - Listing/reading metadata for databases, users, and backups (`DATA_READ`) | ||
|
|
||
| !!! warning | ||
| Database and user CRUD operations and logins are **Data Access** events, not Admin Activity. If you need audit evidence of user creation or database logins, you must [enable Data Access audit logs](https://cloud.google.com/logging/docs/audit/configure-data-access). |
There was a problem hiding this comment.
Har vi ikke dokumentert dette i vårt egen dokumentasjon? Gaal eller noe?
There was a problem hiding this comment.
Det nærmeste vi har i egen dokumentasjon er audit logs for applikasjoner (naudit) under observability — men den dekker hva sluttbrukere gjør i appen, ikke Cloud SQL. La til en note (nav-tenant) som skiller de to og lenker dit. Selve aktiveringen av Data Access-logger er ikke dokumentert hos oss, så Google-lenken står inntil videre.
|
Takk for review! Alle kommentarene er adressert i 39ec87b. Har også oppdatert teksten om app-brukerens secret til å reflektere at direkte tilgang til secret-verdier er stengt ned, slik at man ikke lenger enkelt kan «låne» app-brukeren. |
- Fix Cloud Audit Logs: database/user CRUD and logins are Data Access events, not Admin Activity. Add warning about enabling Data Access logs. - Fix personal access: clarify it's the IAM role binding that's time-limited, not the DB user object. Add specific role names and TTLs. - Fix credential flow: add the Secret → SQLUser/Config Connector → Cloud SQL step that was missing. - Fix secret keys: use PREFIX notation and mention SSL keys for private IP. - Fix cloudsqlsuperuser: qualify as built-in auth users only. - Fix pgAudit: change 'default config' to 'recommended config' since the CLI doesn't enforce write,ddl,role — it's from the how-to guide. - Fix overview table: soften 'only app pod' to acknowledge secret access.
- Clarify "who can log in" instead of "can anyone at Nav log in" in overview tables; personal access is scoped to the owning team - Introduce sqeletor at first mention with a short definition and link - Reflect that direct human access to secret values is locked down - Cross-reference application-level audit logging (naudit) for nav tenant - Drop the nais/cli source code line from the pgAudit section
39ec87b to
b0501cf
Compare
What
Adds a new explanation page documenting all non-personal database users in Cloud SQL on Nais.
Why
Teams answering MKR-ØS (Minimum kontrollrammeverk for Økonomisystem) requirements need documentation they can link to about non-personal database user accounts. This was requested in #minimum-kontrollrammeverk-økonomisystem.
What's covered
Placement
docs/persistence/cloudsql/explanations/non-personal-database-users.mdListed alongside existing explanations like cloud-sql-credentials and grants-and-privileges.