# general
t
We're moving away from password-based accounts to IAM Authentication, and Ory is the last service in our infrastructure to be moved, but it seems like it might not be possible
s
how does IAM based auth work there? do you not need some kind of credential?
t
behind the scenes it uses an access token, which in GCP's case is offloaded to the Cloud SQL Auth proxy. The service (eg Hydra) has an IAM Role attached to the instance (or Kubernetes Pod), and Cloud SQL authenticates against that IAM Role. More context on how it all works here: https://cloud.google.com/sql/docs/postgres/authentication. AWS has a similar ability too. So for example, the DSN would just be something like
`postgresql://auth-hydra%40{gcp_project}.iam@localhost:5432/auth-hydra`
`localhost` in this case is the Cloud SQL Auth proxy, the auth proxy then authenticates using the IAM Service Account.
It's generally a best practice for GCP now, and it's something we use across the board. Cloud SQL Auth Proxy also does things like encryption to and from the database etc too. Ory is the only tooling we use that we don't have this enabled on yet
s
ok makes sense, so we just have to drop the requirement for passwords? not sure if that is on our side or upstream lib though...
t
Yeah that's right - from what I could see it looks like it's on Ory's side. We had a similar behaviour to you originally where we constructed/validated the DSN and had the assumption that we'd always set a password. For example, here's one place I noticed it where it matches on an assumption of a password existing:
`%s://*:*@%s`
https://github.com/ory/x/blob/master/sqlcon/connector.go#L55
I could be wrong though, I only had a quick scan through GitHub
Hey @steep-lamp-91158 If this is something that can be implemented, will there be a public issue/ticket I can track, so that I can stay in the loop of when we can move over to IAM Auth?
s
Please create one, I didn't have time yet
Contributions always welcome, maybe it is enough to relax the validation you found