GCP CloudSQL IAM Users

We're in the process of setting up self-hosted Metabase. We try to favour using IAM Authentication for GCP CloudSQL over standard password based Authentication.

We find that Metabase isn't able to use this method as it seems to be unable to handle connection strings that don't contain a password, and still passes a password field (although blank) to the Postgres Server.

Caused by: org.postgresql.util.PSQLException: The server requested password-based authentication, but no password was provided by plugin null

The Connection String we pass is in the following format postgres://data-metabase%40{gcp_project}@localhost:5432/data-metabase?ssl=true&sslmode=prefer

Note the lack of password on the string, as authentication is handled by IAM via the CloudSQL Auth Proxy. This is something we do already across the board for all other services we run, but it seems Metabase doesn't support it.

Is this known? Is there a solution, or should I open a feature request?

Hi @adamstrawson
Are you talking about the Metabase application database, or data sources via Admin > Databases?
The Postgres JDBC driver does not support using username:password before host. It needs to be added as parameters.
I'm sure you would fine the following issues of interest:

This will be Metabase application database.

Those tickets you linked are different to this issue we're seeing. CloudSQL IAM Authentication is where you allow a CloudSQL Connector (in our case, CloudSQL Proxy Auth) to automatically handle the authentication between the application and CloudSQL. Log in using IAM database authentication  |  Cloud SQL for PostgreSQL  |  Google Cloud

When using this, you explicitly don't set a password in the connection string (or as a parameter), like my example. But it seems Metabase always expects a password to be set. If we don't set a password, the server is still sent a blank password parameter from Metabase, resulting in authentication failing.

Try this format instead: https://www.metabase.com/docs/latest/configuring-metabase/environment-variables#mb_db_connection_uri


It should be parsed directly to the JDBC driver, but I'm guessing it would require the extra Google factories as noted in https://github.com/metabase/metabase/issues/27117

1 Like

Perfect, looks like that did the trick!

Thanks for the help! :grinning: