Managing FastAPI Projects with Poetry: A Step-by-Step Guide

-
Image
This guide will walk you through how to use Poetry to manage dependencies and structure your project in FastAPI . It includes detailed explanations of Poetry's core concepts and commands to help prevent issues that can arise during team collaboration and deployment. 1. What is Poetry? Poetry is a dependency management and packaging tool for Python. It goes beyond simply installing libraries by allowing you to clearly declare the dependencies your project needs and ensuring that all developers on the project have the same library versions. Clarity in Dependency Management : Explicitly manage your project's basic information and required libraries through the pyproject.toml file. Reproducible Builds : By locking all dependency versions in the poetry.lock file, it fundamentally prevents "it works on my machine" problems. Integrated Development Environment : It automatically creates and manages isolated virtual environments for each project and handles mo...
Post a Comment

Securely Connect to GCP Cloud SQL from Your Local Network Using Cloud SQL Auth Proxy

-

In the early stages of development on Google Cloud Platform (GCP), I needed to directly connect to the production Cloud SQL (PostgreSQL) instance for debugging and testing. Although Cloud SQL does provide a public IP address, it requires registering the client's IP address for access, so I decided to look for another way.

Due to GCP’s strict security policies—such as requiring IAM authentication and often disabling public IP access—direct access can be challenging.

That's where the Cloud SQL Auth Proxy comes in. It creates a secure tunnel from my local machine to GCP’s Cloud SQL instance using IAM credentials.

Why Use the Cloud SQL Auth Proxy?
  • Secure connections: All traffic is encrypted using TLS 1.3.
  • IAM-based authentication: No need to manage static passwords or SSL certificates.
  • No public IP required: You can connect even if your Cloud SQL instance has only a private IP.
  • Automatic credential management: The proxy handles authentication and token refresh.

⚠️ Important: This approach is suitable for early-stage development to improve speed and flexibility. However, once your development environment is more mature or moved into a shared or production stage, you should stop using this method and adopt more secure alternatives.

1. Architecture Overview

The following diagram shows how my development machine connects to the Cloud SQL instance through the Cloud SQL Auth Proxy running on an intermediate Ubuntu laptop:
┌────────────────────┐
│ Dev Machine        │
│ psql client        │
│ (192.168.1.123)    │
└────────────────────┘
       ↓
┌─────────────────────┐
│ Ubuntu 24.04 laptop │
│ cloud-sql-proxy     │ ← IAM authentication
│ (192.168.1.456)     │
└─────────────────────┘
       ↓
┌────────────────────────────┐
│ GCP Cloud SQL (PostgreSQL) │
│ (Private IP, no public IP) │
└────────────────────────────┘

2. Authenticate Your Local Machine with Google Cloud

Before using the Cloud SQL Auth Proxy, I needed to authenticate my local environment with Google Cloud using Application Default Credentials. This generates a credentials file that the proxy will use to connect to the Cloud SQL instance securely. 

$ gcloud auth application-default login

After logging in through the browser, the following file is created:

~/.config/gcloud/application_default_credentials.json

The proxy uses this file for authentication when launched with the --credentials-file flag.

3.  Enable Cloud SQL Admin API

To use the sql proxy, the Cloud SQL Admin API must be enabled for the project. This API allows the proxy to securely retrieve instance metadata and establish a connection.

4. Download and Install the Cloud SQL Auth Proxy

On my Ubuntu 24.04 laptop, I installed the proxy with the following commands:

$ curl -o cloud-sql-proxy https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v2.16.0/cloud-sql-proxy.linux.amd64
$ chmod +x cloud-sql-proxy
$ sudo mv cloud-sql-proxy /usr/local/bin/
$ cloud-sql-proxy --version
cloud-sql-proxy version 2.16.0+linux.amd64

5. Registering as a systemd Service

I created a systemd service to automatically start the proxy on boot:

$ sudo vim /etc/systemd/system/cloud-sql-proxy.service

Create a new systemd service file with the following configuration:

[Unit]
Description=Cloud SQL Auth Proxy
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/cloud-sql-proxy \
  --credentials-file=/home/gcp/.config/gcloud/application_default_credentials.json \
  --address=0.0.0.0 \
  --port=5432 \
  your-project-id:your-region:your-instance-name

Restart=on-failure
User=gcp
WorkingDirectory=/home/gcp

[Install]
WantedBy=multi-user.target

Note: Replace User=gcp with your actual Linux username (whoami will tell you). Make sure this user has access to the credentials file at ~/.config/gcloud/application_default_credentials.json.

Tip: By default, the proxy binds only to 127.0.0.1. Use --address=0.0.0.0 to allow connections from other devices on your local network.

6. Enabling and Starting the Service

$ sudo systemctl daemon-reexec
$ sudo systemctl daemon-reload

$ sudo systemctl enable cloud-sql-proxy
$ sudo systemctl start cloud-sql-proxy

$ sudo systemctl status cloud-sql-proxy
[sudo] password for gcp: 
● cloud-sql-proxy.service - Cloud SQL Auth Proxy
     Loaded: loaded (/etc/systemd/system/cloud-sql-proxy.service; enabled; preset: enabled)
     Active: active (running) since Thu 2025-05-15 13:47:18 PDT; 1h 17min ago
   Main PID: 64281 (cloud-sql-proxy)
      Tasks: 13 (limit: 18846)
     Memory: 8.8M (peak: 11.9M)
        CPU: 495ms
     CGroup: /system.slice/cloud-sql-proxy.service
     ...

7. Confirm the Port is Open

Verify that the Cloud SQL Auth Proxy is successfully listening on the configured port.
$ sudo ss -tulnp | grep 5432
tcp  LISTEN 0  4096  *:5432  *:*  users:(("cloud-sql-proxy",pid=64281,fd=6))

8. Check Firewall Settings

If you're using UFW (Uncomplicated Firewall), allow port 5432:

$ sudo ufw status
$ sudo ufw allow 5432/tcp

9. Connecting from Another Dev Machine

$ psql -h 192.168.1.456 -U appuser -d testdb

Optional: Running Without systemd

$ cloud-sql-proxy \
  --credentials-file=~/.config/gcloud/application_default_credentials.json \
  --address=0.0.0.0 \
  --port=5432 \
  your-project-id:your-region:your-instance-name

Reference

With the Cloud SQL Auth Proxy running on my Ubuntu laptop, I’m now able to securely access my Cloud SQL instance from any device on my local network. This setup offers the convenience and flexibility needed for active development while still aligning with GCP’s security standards.

Location: Calgary, AB, Canada

Comments

Post a Comment

Popular posts from this blog

Resolving Key Exchange Failure When Connecting with SecureCRT to OpenSSH

-
Image
Recently, after installing OpenSSH on my Ubuntu 22.04 laptop, I encountered a challenge while trying to establish a connection using SecureCRT. An error message appeared: Key exchange failed. No compatible key-exchange method. The server supports these methods:   curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,kex-strict-s-v00@openssh.com The following key-exchange method(s) are supported but not currently allowed  for this session:   curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,kex-strict-s-v00@openssh.com,curve25519-sha256 Key-exchange m...
Read more

SecureCRT] How to Back Up and Restore SecureCRT Settings on Windows

-
Image
If you're a frequent user of SecureCRT , backing up your session settings and restoring them later is crucial—especially when migrating to a new PC or recovering from a crash. In this guide, you’ll learn how to manually back up and restore SecureCRT settings on Windows , ensuring you never lose your configurations again. Does SecureCRT Have a Built-in Export/Import Feature? Yes, SecureCRT provides built-in export and import features in the Tools menu. However, these features may not capture all configuration details such as: Backup scripts Custom login scripts Certain session-specific files Therefore, if you want to completely clone your SecureCRT environment—including every session and customization—the safest option is to manually back up the entire Config folder. What Is the SecureCRT Config Folder? SecureCRT stores your personal settings (sessions, host keys, global options, etc.) in a folder located at: C:\Users\<Your username>\AppData\Roaming\VanDyke\Config Th...
Read more

How to Set Up Vaultwarden (Bitwarden) on Synology NAS (Best Free Alternative to LastPass)

-
Image
Have you ever felt overwhelmed managing passwords for all your websites? I used to use the same password across multiple sites , which wasn’t secure. To manage them better, I started using LastPass for years. However, in 2019, they changed their pricing policy — now it’s free only for one device for 30 days, and you have to pay to use it across multiple devices . If you're looking for a powerful and free password manager, Vaultwarden is one of the best alternatives to LastPass. What is Vaultwarden? Vaultwarden (formerly known as Bitwarden_RS) is a lightweight, open-source implementation of the Bitwarden server API written in Rust . It is fully compatible with official Bitwarden clients and is ideal for low-resource environments. Example: On a Synology DS916+, Vaultwarden uses 0% CPU and only 64MB of memory while running. My Setup NAS Model : Synology DS916+ DSM Version : DSM 7.1-42661 Update 1 Docker Image : vaultwarden/server Ins...
Read more