AlloyDB for PostgreSQL

AlloyDB for PostgreSQL is a fully-managed, PostgreSQL-compatible database for demanding transactional workloads.

About

AlloyDB for PostgreSQL is a fully-managed, PostgreSQL-compatible database for demanding transactional workloads. It provides enterprise-grade performance and availability while maintaining 100% compatibility with open-source PostgreSQL.

If you are new to AlloyDB for PostgreSQL, you can create a free trial cluster.

Requirements

IAM Permissions

By default, AlloyDB for PostgreSQL source uses the AlloyDB Go Connector to authorize and establish mTLS connections to your AlloyDB instance. The Go connector uses your Application Default Credentials (ADC) to authorize your connection to AlloyDB.

In addition to setting the ADC for your server, you need to ensure the IAM identity has been given the following IAM roles (or corresponding permissions):

roles/alloydb.client
roles/serviceusage.serviceUsageConsumer

To connect to your AlloyDB Source using IAM authentication:

Specify your IAM email as the user or leave it blank for Toolbox to fetch from ADC.
Leave the password field blank.

Networking

AlloyDB supports connecting over both from external networks via the internet (public IP), and internal networks (private IP). For more information on choosing between the two options, see the AlloyDB page Connection overview.

You can configure the ipType parameter in your source configuration to public or private to match your cluster’s configuration. Regardless of which you choose, all connections use IAM-based authorization and are encrypted with mTLS.

Database User

Currently, this source only uses standard authentication. You will need to create a PostgreSQL user to login to the database with.

Example


sources:
    my-alloydb-pg-source:
        kind: alloydb-postgres
        project: my-project-id
        region: us-central1
        cluster: my-cluster
        instance: my-instance
        database: my_db
        user: ${USER_NAME}
        password: ${PASSWORD}
        # ipType: "public"

Tip

Use environment variable replacement with the format ${ENV_NAME} instead of hardcoding your secrets into the configuration file.

Reference

field	type	required	description
kind	string	true	Must be “alloydb-postgres”.
project	string	true	Id of the GCP project that the cluster was created in (e.g. “my-project-id”).
region	string	true	Name of the GCP region that the cluster was created in (e.g. “us-central1”).
cluster	string	true	Name of the AlloyDB cluster (e.g. “my-cluster”).
instance	string	true	Name of the AlloyDB instance within the cluster (e.g. “my-instance”).
database	string	true	Name of the Postgres database to connect to (e.g. “my_db”).
user	string	false	Name of the Postgres user to connect as (e.g. “my-pg-user”). Defaults to IAM auth using ADC email if unspecified.
password	string	false	Password of the Postgres user (e.g. “my-password”). Defaults to attempting IAM authentication if unspecified.
ipType	string	false	IP Type of the AlloyDB instance; must be one of `public` or `private`. Default: `public`.

Last modified April 23, 2025: feat: Support env replacement for tool.yaml (#462) (eadb678a)