DB Access Management System

Centralized database access management for GCP Cloud SQL and MongoDB Atlas with Google Workspace IAM automation, Zero Trust (Twingate), and audit-ready provisioning.

Automates secure read-only database access for teams while enforcing least-privilege, replication, and compliance (RBI-aligned).

Use Case

This application is designed for organizations that require a centralized, automated way to provision and audit database access. Rather than manually creating database users and assigning privileges in Cloud SQL or MongoDB Atlas, administrators can leverage this system to dynamically grant or revoke read-only access. By integrating with Google Workspace, it ensures that database permissions seamlessly mirror an employee's role, improving overall security and DevSecOps management efficiency.

Minimum Requirements

To build and execute this project, the following minimum requirements must be met:

• Python: 3.10 or higher
• Containerization: Docker (if building the deployment image locally)
• Cloud Access & Credentials:
  • GCP: Service account with permissions for Cloud Run, Cloud Build, Cloud Tasks, and Cloud Logging.
  • Google Workspace: Admin privileges or a delegated service account (JSON) to interact with employee groups and users.
  • Databases: Active MongoDB Atlas API Keys and accessible MySQL database credentials.
  • System & Email: A securely generated SECRET_KEY and the EMAIL_HOST_PASSWORD (e.g. for support@example.com).

Architecture

flowchart TD
    Admin([Administrator])
    
    subgraph CloudRun ["Google Cloud Platform"]
        App["DB Access Management System (Cloud Run)"]
        SecretMgr["Secret Manager"]
        CloudSQL[("Cloud SQL / MySQL")]
    end
    
    subgraph Workspace ["Google Workspace"]
        AdminSDK["Admin SDK API"]
    end

    subgraph AtlasCloud ["MongoDB"]
        Atlas[("MongoDB Atlas")]
    end

    Admin -->|Authenticates & Requests Access| App
    App -->|Reads Secure DB Keys| SecretMgr
    App <-->|Verifies Employee Groups| AdminSDK
    App -->|Grants Read-Only DB Roles| Atlas
    App -->|Grants Read-Only DB Roles| CloudSQL

Loading

Tech Stack

• Framework: Django 5.2.10
• Language: Python 3.10
• Databases Supported: MySQL (via mysqlclient), MongoDB (via pymongo and Atlas API)
• Deployment: Docker, Google Cloud Build, Google Cloud Run
• Authentication: Custom Django Authentication Backend (EmployeeAuthBackend) with Google Workspace Admin SDK integration
• Cloud Integrations: Google Cloud Tasks, Google Cloud Logging

Features

• Automated provisioning of read-only access for Cloud SQL (MySQL) and MongoDB Atlas
• Google Workspace + IAM integration (role-based access mirroring)
• Master-Slave replication support (Cloud SQL → on-prem/self-managed MySQL)
• CI/CD deployment via Cloud Build → Cloud Run
• Zero Trust Network Access using Twingate
• Full audit logging and access revocation
• Dockerized Django application

Project Structure

.
├── Dockerfile                  # Instructions for creating the Docker image
├── cloudbuild.yaml             # Google Cloud Build CI/CD pipeline configuration
├── requirements.txt            # Python dependencies
├── manage.py                   # Django project management script
├── db_access_management/       # Django Main project folder (settings, wsgi, urls)
└── db_access/                  # Django App (Core Logic)
    ├── auth_backend.py         # Custom employee authentication logic
    ├── google_workspace.py     # Integration with Google Admin SDK/Workspace
    ├── mongo_atlas.py          # MongoDB Atlas API interactions
    ├── mysql_gcp.py            # MySQL Interactions in GCP
    ├── views.py                # Main views handling user requests
    └── urls.py                 # App level routes and endpoints

Step-by-Step Execution Guide

Follow these steps precisely to get the application running on your local machine:

1. Clone the Repository

Open your terminal and clone the repository, then navigate into the project directory:

git clone https://github.com/mpandey95/db_access_management.git
cd db_access_management

2. Set up virtual environment:

python3 -m venv venv
source venv/bin/activate  # On Windows use `venv\Scripts\activate`

3. Install Dependencies:

pip install -r requirements.txt

4. Environment Variables Configs (.env): Create a .env in the db_access_management/ directory. Required environment variables include:

   • Database Configs: DB_NAME, DB_USER, DB_PASSWORD, DB_HOST, DB_PORT
   • Workspace SDK: GOOGLE_ADMIN_USER, GOOGLE_ADMIN_CREDENTIALS_JSON
   • Email Configurations: COMPANY_EMAIL_DOMAIN (e.g., @example.com), DELEGATED_ADMIN_EMAIL, TEST_USER_EMAIL, TECH_SUPPORT_EMAIL, and INFRA_TEAM_EMAILS
   • You can toggle debugging modes adjusting CLOUD_RUN and DEBUG variables.

5. Run the Application locally:

python manage.py makemigrations
python manage.py migrate
python manage.py runserver

Testing & Troubleshooting

Before running the entire web server, you can dynamically verify that your Google Credentials properly authenticate against your APIs using the standalone SDK scripts:

1. Test Google Workspace integration:

   python db_access/test_admin_sdk.py

2. Test Google Cloud Logging logic:

   python db_access/debug_logs.py

Deployment (GCP)

You can deploy this application securely to Google Cloud Run using either manual CLI commands or automated Infrastructure-as-Code.

Method 1: Manual Deployment (Without Terraform)

You can leverage the existing cloudbuild.yaml via the Google Cloud CLI to instantly build and deploy the container.

1. Authenticate with your GCP project:

   gcloud auth login
   gcloud config set project your-gcp-project-id

2. Manually trigger the Cloud Build pipeline:

   gcloud builds submit --config cloudbuild.yaml .

Alternatively, you can directly deploy the source to Cloud Run:

gcloud run deploy db-access-management \
  --source . \
  --region asia-south1 \
  --allow-unauthenticated

Method 2: IaC Deployment (With Terraform)

To deploy this strictly via Terraform, first push your image to Artifact Registry, then utilize the google_cloud_run_v2_service block to manage it:

resource "google_cloud_run_v2_service" "db_access_app" {
  name     = "db-access-management"
  location = "asia-south1"

  template {
    containers {
      image = "asia-south1-docker.pkg.dev/your-gcp-project-id/applications/db_access_management:latest"
      
      env {
        name  = "CLOUD_RUN"
        value = "true"
      }

      # Best Practice: Pull secrets from GCP Secret Manager
      env {
        name = "DB_PASSWORD"
        value_source {
          secret_key_ref {
            secret  = "projects/your-gcp-project-id/secrets/db_password"
            version = "latest"
          }
        }
      }
    }
  }
}

# (Optional) Allow internal or public access
resource "google_cloud_run_service_iam_member" "public_access" {
  location = google_cloud_run_v2_service.db_access_app.location
  project  = google_cloud_run_v2_service.db_access_app.project
  service  = google_cloud_run_v2_service.db_access_app.name
  role     = "roles/run.invoker"
  member   = "allUsers" # Or specify Google Workspace domain
}

Run the standard deployment workflow:

terraform init
terraform plan
terraform apply

---

Author

Manish Pandey — Senior DevOps/Platform Engineer

🛠️ Technology Stack

☁️ Cloud & Platforms

⚙️ Platform & DevOps

🔐 Security & Ops

🧑‍💻 Programming

💾 Database

Connect With Me

• GitHub: @mpandey95
• LinkedIn: manish-pandey95
• Email: mnshkmrpnd@gmail.com

License

See LICENSE | Support: GitHub • LinkedIn