Deploy on Google Cloud
Seamlessly integrate DB Audit with your GCP infrastructure. Native support for Cloud SQL, Workload Identity, and Cloud Logging for comprehensive database auditing.
GCP Integration Features
Cloud SQL Integration
Native integration with Cloud SQL for PostgreSQL, MySQL, and SQL Server with built-in audit logging and IAM authentication.
Service Account Authentication
Secure authentication using GCP Service Accounts with Workload Identity for Kubernetes deployments.
Cloud Logging & Monitoring
Stream audit events to Cloud Logging, create custom metrics in Cloud Monitoring, and integrate with Security Command Center.
Prerequisites
- GCP project with billing enabled
- Cloud SQL instance(s) to monitor
- Permissions to create Service Accounts and IAM bindings
- VPC with appropriate firewall rules configured
- gcloud CLI installed locally (optional, for deployment)
GCP Configuration Reference
| Setting | Type | Required | Description |
|---|---|---|---|
| gcp_project_id | string | Yes | GCP project ID containing your Cloud SQL instances |
| gcp_region | string | Yes | GCP region for deployment (e.g., us-central1) |
| service_account_key | string | No | Path to service account key JSON (not needed with Workload Identity) |
| cloudsql_instances | array | Yes | List of Cloud SQL instance connection names |
| cloud_logging_enabled | boolean | No | Enable Cloud Logging export (default: true) |
| log_name | string | No | Custom log name in Cloud Logging (default: dbaudit) |
| secret_manager_secret | string | No | Secret Manager secret name for database credentials |
| kms_key_name | string | No | Cloud KMS key for encrypting audit data |
Deployment Steps
Create Service Account
Create a GCP service account and grant the necessary IAM roles for DB Audit to access your Cloud SQL instances and logging services.
Create Service Account and Assign Roles
# Create service account for DB Audit
gcloud iam service-accounts create dbaudit-collector \
--display-name="DB Audit Collector" \
--description="Service account for DB Audit database auditing"
# Get the service account email
SA_EMAIL="dbaudit-collector@${PROJECT_ID}.iam.gserviceaccount.com"
# Grant Cloud SQL Client role
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_EMAIL}" \
--role="roles/cloudsql.client"
# Grant Cloud SQL Viewer role (for instance metadata)
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_EMAIL}" \
--role="roles/cloudsql.viewer"
# Grant Cloud Logging Writer role
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_EMAIL}" \
--role="roles/logging.logWriter"
# Grant Secret Manager Accessor role
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_EMAIL}" \
--role="roles/secretmanager.secretAccessor"
# Grant Cloud Monitoring Metric Writer role
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_EMAIL}" \
--role="roles/monitoring.metricWriter"Custom IAM Role (Optional)
# Create custom IAM role for DB Audit
gcloud iam roles create DBauditCollector \
--project=${PROJECT_ID} \
--title="DB Audit Collector" \
--description="Custom role for DB Audit collector" \
--permissions=\
cloudsql.instances.get,\
cloudsql.instances.list,\
cloudsql.databases.list,\
logging.logEntries.create,\
logging.logEntries.list,\
monitoring.metricDescriptors.create,\
monitoring.metricDescriptors.list,\
monitoring.timeSeries.create,\
secretmanager.versions.access
# Assign custom role to service account
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_EMAIL}" \
--role="projects/${PROJECT_ID}/roles/DBauditCollector"Configure DB Audit
Create your DB Audit configuration file with GCP-specific settings.
# /etc/dbaudit/gcp-config.yaml
provider: gcp
gcp:
project_id: ${GCP_PROJECT_ID}
region: us-central1
# Use Workload Identity (recommended for GKE)
workload_identity: true
# Or use service account key file
# service_account_key: /etc/dbaudit/sa-key.json
# Cloud SQL instances to monitor
cloudsql:
instances:
- connection_name: project:region:instance-1
databases:
- production
- analytics
- connection_name: project:region:instance-2
databases:
- staging
# Cloud Logging configuration
logging:
enabled: true
log_name: dbaudit-events
resource_type: cloud_sql_database
# Secret Manager for credentials
secrets:
enabled: true
secret_name: dbaudit-credentials
version: latest
# Cloud KMS encryption
kms:
key_name: projects/${PROJECT_ID}/locations/us-central1/keyRings/dbaudit/cryptoKeys/audit-key
# Cloud Monitoring metrics
monitoring:
enabled: true
custom_metrics: true
collector:
log_level: info
buffer_size: 1000
flush_interval: 10sDeploy the Collector
Choose your preferred deployment method: Cloud Run, GKE with Workload Identity, Compute Engine with Docker, or Terraform.
Option A: Cloud Run
# Deploy using gcloud to Cloud Run
# Build and push the container (optional, if using custom config)
gcloud builds submit --tag gcr.io/${PROJECT_ID}/dbaudit-collector
# Deploy to Cloud Run
gcloud run deploy dbaudit-collector \
--image dbaudit/collector:latest \
--platform managed \
--region us-central1 \
--service-account dbaudit-collector@${PROJECT_ID}.iam.gserviceaccount.com \
--set-env-vars "GCP_PROJECT_ID=${PROJECT_ID}" \
--set-env-vars "DBAUDIT_ENDPOINT=https://api.dbaudit.ai" \
--set-secrets "DBAUDIT_API_KEY=dbaudit-api-key:latest" \
--add-cloudsql-instances ${PROJECT_ID}:us-central1:production-db \
--min-instances 1 \
--max-instances 3 \
--cpu 1 \
--memory 512Mi \
--no-allow-unauthenticatedOption B: GKE with Workload Identity
# Deploy DB Audit collector on GKE with Workload Identity
# Create namespace
kubectl create namespace dbaudit
# Create Kubernetes service account
kubectl create serviceaccount dbaudit-collector -n dbaudit
# Bind Kubernetes SA to GCP SA for Workload Identity
gcloud iam service-accounts add-iam-policy-binding \
dbaudit-collector@${PROJECT_ID}.iam.gserviceaccount.com \
--role="roles/iam.workloadIdentityUser" \
--member="serviceAccount:${PROJECT_ID}.svc.id.goog[dbaudit/dbaudit-collector]"
# Annotate the Kubernetes service account
kubectl annotate serviceaccount dbaudit-collector \
-n dbaudit \
iam.gke.io/gcp-service-account=dbaudit-collector@${PROJECT_ID}.iam.gserviceaccount.com
# Create secret for API key
kubectl create secret generic dbaudit-credentials \
--from-literal=api-key=${DBAUDIT_API_KEY} \
-n dbaudit
# Install using Helm
helm install dbaudit-collector dbaudit/collector \
--namespace dbaudit \
--set provider=gcp \
--set gcp.projectId=${PROJECT_ID} \
--set gcp.workloadIdentity=true \
--set serviceAccount.name=dbaudit-collector \
--set apiKeySecretName=dbaudit-credentialsOption C: Terraform
# Terraform configuration for DB Audit on GCP
provider "google" {
project = var.project_id
region = var.region
}
# Service Account
resource "google_service_account" "dbaudit" {
account_id = "dbaudit-collector"
display_name = "DB Audit Collector"
description = "Service account for DB Audit database auditing"
}
# IAM bindings
resource "google_project_iam_member" "cloudsql_client" {
project = var.project_id
role = "roles/cloudsql.client"
member = "serviceAccount:${google_service_account.dbaudit.email}"
}
resource "google_project_iam_member" "logging_writer" {
project = var.project_id
role = "roles/logging.logWriter"
member = "serviceAccount:${google_service_account.dbaudit.email}"
}
resource "google_project_iam_member" "secret_accessor" {
project = var.project_id
role = "roles/secretmanager.secretAccessor"
member = "serviceAccount:${google_service_account.dbaudit.email}"
}
# Secret Manager secret for API key
resource "google_secret_manager_secret" "dbaudit_api_key" {
secret_id = "dbaudit-api-key"
replication {
auto {}
}
}
resource "google_secret_manager_secret_version" "dbaudit_api_key" {
secret = google_secret_manager_secret.dbaudit_api_key.id
secret_data = var.dbaudit_api_key
}
# Cloud KMS key ring and key
resource "google_kms_key_ring" "dbaudit" {
name = "dbaudit"
location = var.region
}
resource "google_kms_crypto_key" "audit_key" {
name = "audit-key"
key_ring = google_kms_key_ring.dbaudit.id
rotation_period = "7776000s" # 90 days
}
# Cloud Run service for collector
resource "google_cloud_run_service" "dbaudit" {
name = "dbaudit-collector"
location = var.region
template {
spec {
service_account_name = google_service_account.dbaudit.email
containers {
image = "dbaudit/collector:latest"
env {
name = "GCP_PROJECT_ID"
value = var.project_id
}
env {
name = "DBAUDIT_API_KEY"
value_from {
secret_key_ref {
name = google_secret_manager_secret.dbaudit_api_key.secret_id
key = "latest"
}
}
}
resources {
limits = {
cpu = "1000m"
memory = "512Mi"
}
}
}
}
metadata {
annotations = {
"autoscaling.knative.dev/minScale" = "1"
"autoscaling.knative.dev/maxScale" = "3"
"run.googleapis.com/cloudsql-instances" = var.cloudsql_connection_name
}
}
}
}
output "service_account_email" {
value = google_service_account.dbaudit.email
}
output "cloud_run_url" {
value = google_cloud_run_service.dbaudit.status[0].url
}Option D: Docker on Compute Engine
# Deploy DB Audit collector on Compute Engine
# Pull and run the collector with service account
docker run -d \
--name dbaudit-collector \
--restart unless-stopped \
-e DBAUDIT_API_KEY=${DBAUDIT_API_KEY} \
-e GCP_PROJECT_ID=${PROJECT_ID} \
-e GOOGLE_APPLICATION_CREDENTIALS=/etc/dbaudit/sa-key.json \
-v /etc/dbaudit/sa-key.json:/etc/dbaudit/sa-key.json:ro \
-v /var/lib/dbaudit:/data \
dbaudit/collector:latest \
--config /etc/dbaudit/gcp-config.yamlVerify Deployment
Confirm your collector is running and connected to your GCP resources.
Architecture Overview
GCP Deployment Architecture
Security Best Practices
Use Workload Identity
For GKE deployments, use Workload Identity instead of service account keys. No keys to manage or rotate.
Enable VPC Service Controls
Create a service perimeter around your Cloud SQL instances and DB Audit collector for additional network isolation.
Store Secrets in Secret Manager
Use Secret Manager for all sensitive data. Enable automatic rotation for database credentials.
Use Private IP for Cloud SQL
Configure Cloud SQL with private IP only. Use Cloud SQL Auth Proxy for secure connections.
Enable Audit Logging
Enable Cloud Audit Logs for all DB Audit service account activities. Export to Cloud Storage for long-term retention.
Use Customer-Managed Encryption Keys
Use Cloud KMS customer-managed keys (CMEK) for encrypting audit data at rest.
Troubleshooting
Workload Identity not working
Verify the Kubernetes service account is annotated correctly. Check that the IAM binding includes the correct namespace and service account name in the member field.
Cannot connect to Cloud SQL
Ensure the service account has Cloud SQL Client role. If using private IP, verify VPC peering and firewall rules. Consider using Cloud SQL Auth Proxy.
Cloud Logging entries not appearing
Check the service account has Logging Writer role. Verify the log name and resource type in configuration. Logs may take a few minutes to appear.
Secret Manager access denied
Verify the service account has Secret Manager Secret Accessor role. Check that the secret name and version are correct.
Cloud Run service keeps restarting
Check Cloud Run logs for startup errors. Verify environment variables and secrets are configured correctly. Ensure minimum instances is set to at least 1.
Ready to Deploy on GCP?
Get started with DB Audit on Google Cloud in minutes. Our team can help you design the optimal architecture for your environment.