GoogleCloudPlatform
diff --git a/‎run/README.md
Lines changed: 3 additions & 0 deletions b/‎run/README.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎run/idp-sql/Dockerfile
Lines changed: 29 additions & 0 deletions b/‎run/idp-sql/Dockerfile
Lines changed: 29 additions & 0 deletions
diff --git a/‎run/idp-sql/README.md
Lines changed: 87 additions & 0 deletions b/‎run/idp-sql/README.md
Lines changed: 87 additions & 0 deletions
diff --git a/‎run/idp-sql/app.json
Lines changed: 27 additions & 0 deletions b/‎run/idp-sql/app.json
Lines changed: 27 additions & 0 deletions
diff --git a/‎run/idp-sql/credentials.py
Lines changed: 55 additions & 0 deletions b/‎run/idp-sql/credentials.py
Lines changed: 55 additions & 0 deletions
@@ -16,6 +16,7 @@ This directory contains samples for [Google Cloud Run](https://cloud.run). [Clou
 |[Cloud SQL (MySQL)][mysql]        | Use MySQL with Cloud Run    |      -        |
 |[Cloud SQL (Postgres)][postgres]  | Use Postgres with Cloud Run |      -        |
 |[Django][django]                  | Deploy Django on Cloud Run  |      -        |
+|[Identity Platform][idp-sql]      | Authenticate users and connect to a Cloud SQL postgreSQL databases | [<img src="https://storage.googleapis.com/cloudrun/button.svg" alt="Run on Google Cloud" height="30">][run_button_idpsql] |
 
 For more Cloud Run samples beyond Python, see the main list in the [Cloud Run Samples repository](https://github.com/GoogleCloudPlatform/cloud-run-samples).
 
@@ -111,6 +112,8 @@ for more information.
 [mysql]: ../cloud-sql/mysql/sqlalchemy
 [postgres]: ../cloud-sql/postgres/sqlalchemy
 [django]: django/
+[idp-sql]: idp-sql/
 [run_button_helloworld]: https://deploy.cloud.run/?git_repo=https://github.com/knative/docs&dir=docs/serving/samples/hello-world/helloworld-python
 [run_button_pubsub]: https://deploy.cloud.run/?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&dir=run/pubsub
+[run_button_idpsql]: https://deploy.cloud.run/?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&dir=run/idp-sql
 [testing]: https://cloud.google.com/run/docs/testing/local#running_locally_using_docker_with_access_to_services
@@ -0,0 +1,29 @@
+# Copyright 2021 Google LLC. All rights reserved.
+# Use of this source code is governed by the Apache 2.0
+# license that can be found in the LICENSE file.
+
+# Use the official Python image.
+# https://hub.docker.com/_/python
+FROM python:3.9
+
+# Send stdout/stderr out, do not buffer.
+ENV PYTHONUNBUFFERED 1
+
+# Copy application dependency manifests to the container image.
+# Copying this separately prevents re-running pip install on every code change.
+COPY requirements.txt ./
+
+# Install production dependencies.
+RUN set -ex; \
+    pip install -r requirements.txt;
+
+# Copy local code to the container image.
+ENV APP_HOME /app
+WORKDIR $APP_HOME
+COPY . ./
+
+# Run the web service on container startup. Here we use the gunicorn
+# webserver, with one worker process and 8 threads.
+# For environments with multiple CPU cores, increase the number of workers
+# to be equal to the cores available.
+CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 --timeout 0 main:app
@@ -0,0 +1,87 @@
+# Cloud Run End User Authentication with PostgreSQL Database Sample
+
+This sample integrates with the Identity Platform to authenticate users to the
+application and connects to a Cloud SQL postgreSQL database for data storage.
+
+Use it with the [End user Authentication for Cloud Run](http://cloud.google.com/run/docs/tutorials/identity-platform).
+
+For more details on how to work with this sample read the [Google Cloud Run Python Samples README](https://github.com/GoogleCloudPlatform/python-docs-samples/tree/master/run).
+
+[![Run on Google Cloud](https://deploy.cloud.run/button.svg)](https://deploy.cloud.run)
+
+## Dependencies
+
+* **flask**: web server framework
+* **google-cloud-secret-manager**: Google Secret Manager client library
+* **firebase-admin**: verifying JWT token
+* **sqlalchemy + pg8000**: postgresql interface
+* **Firebase JavaScript SDK**: client-side library for authentication flow
+
+## Environment Variables
+
+Cloud Run services can be [configured with Environment Variables](https://cloud.google.com/run/docs/configuring/environment-variables).
+Required variables for this sample include:
+
+* `CLOUD_SQL_CREDENTIALS_SECRET`: the resource ID of the secret, in format: `projects/PROJECT_ID/secrets/SECRET_ID/versions/VERSION`. See [postgres-secrets.json](postgres-secrets.json) for secret content.
+
+OR
+
+* `CLOUD_SQL_CONNECTION_NAME`: Cloud SQL instance name, in format: `<MY-PROJECT>:<INSTANCE-REGION>:<MY-DATABASE>`
+* `DB_NAME`: Cloud SQL postgreSQL database name
+* `DB_USER`: database user
+* `DB_PASSWORD`: database password
+
+Other environment variables:
+
+* Set `TABLE` to change the postgreSQL database table name.
+
+* Set `DB_HOST` to use the proxy with TCP. See instructions below.
+
+* Set `DB_SOCKET_PATH` to change the directory when using the proxy with Unix sockets.
+  See instructions below.
+
+## Production Considerations
+
+* Both `postgres-secrets.json` and `static/config.js` should not be committed to
+  a git repository and should be added to `.gitignore`.
+
+* Saving credentials directly as environment variables is convenient for local testing,
+  but not secure for production; therefore using `CLOUD_SQL_CREDENTIALS_SECRET`
+  in combination with the Cloud Secrets Manager is recommended.  
+
+## Running Locally
+
+1. Set [environment variables](#environment-variables).
+
+1. To run this application locally, download and install the `cloud_sql_proxy` by
+[following the instructions](https://cloud.google.com/sql/docs/postgres/sql-proxy#install).
+
+The proxy can be used with a TCP connection or a Unix Domain Socket. On Linux or
+Mac OS you can use either option, but on Windows the proxy currently requires a TCP
+connection.
+
+[Instructions to launch proxy with Unix Domain Socket](https://github.com/GoogleCloudPlatform/python-docs-samples/tree/master/cloud-sql/postgres/sqlalchemy#launch-proxy-with-unix-domain-socket)
+
+[Instructions to launch proxy with TCP](https://github.com/GoogleCloudPlatform/python-docs-samples/tree/master/cloud-sql/postgres/sqlalchemy#launch-proxy-with-tcp)
+
+
+## Testing
+
+Tests expect the Cloud SQL instance to already be created and environment Variables
+to be set.
+
+### Unit tests
+
+```
+pytest test/test_app.py
+```
+
+### System Tests
+
+```
+export GOOGLE_CLOUD_PROJECT=<YOUR_PROJECT_ID>
+export CLOUD_SQL_CONNECTION_NAME=<YOUR_CLOUD_SQL_CONNECTION_NAME>
+export DB_PASSWORD=<POSTGRESQL_PASSWORD>
+export IDP_KEY=<IDENTITY_PLATFORM_API_KEY>  # See tutorial for creation of this key ("API_KEY")
+pytest test/e2e_test.py
+```
@@ -0,0 +1,27 @@
+{
+  "name": "idp-sql",
+  "env": {
+    "DB_PASSWORD": {
+      "description": "postgreSQL password for root user"
+    },
+    "CLOUD_SQL_INSTANCE_NAME": {
+      "description": "Cloud SQL instance name",
+      "value": "idp-sql-instance"
+    },
+    "API_KEY": {
+      "description": "Identity Platform API key from Application Setup Details"
+    }
+  },
+  "hooks": {
+    "precreate": {
+      "commands": [
+        "./setup.sh"
+      ]
+    },
+    "postcreate": {
+      "commands": [
+        "./postcreate.sh"
+      ]
+    }
+  }
+}
@@ -0,0 +1,55 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import json
+import os
+from typing import Dict
+
+from google.cloud import secretmanager
+
+from middleware import logger
+
+
+# [START cloudrun_user_auth_secrets]
+def get_cred_config() -> Dict[str, str]:
+    if "CLOUD_SQL_CREDENTIALS_SECRET" in os.environ:
+        name = os.environ["CLOUD_SQL_CREDENTIALS_SECRET"]
+        client = secretmanager.SecretManagerServiceClient()
+        response = client.access_secret_version(request={"name": name})
+        logger.info("Credentials pulled from CLOUD_SQL_CREDENTIALS_SECRET")
+        return json.loads(response.payload.data.decode("UTF-8"))
+    # [END cloudrun_user_auth_secrets]
+    else:
+        logger.info(
+            "CLOUD_SQL_CREDENTIALS_SECRET env var not set. Defaulting to environment variables."
+        )
+        if "DB_USER" not in os.environ:
+            raise Exception("DB_USER needs to be set.")
+
+        if "DB_PASSWORD" not in os.environ:
+            raise Exception("DB_PASSWORD needs to be set.")
+
+        if "DB_NAME" not in os.environ:
+            raise Exception("DB_NAME needs to be set.")
+
+        if "CLOUD_SQL_CONNECTION_NAME" not in os.environ:
+            raise Exception("CLOUD_SQL_CONNECTION_NAME needs to be set.")
+
+        return {
+            "DB_USER": os.environ["DB_USER"],
+            "DB_PASSWORD": os.environ["DB_PASSWORD"],
+            "DB_NAME": os.environ["DB_NAME"],
+            "DB_HOST": os.environ.get("DB_HOST", None),
+            "CLOUD_SQL_CONNECTION_NAME": os.environ["CLOUD_SQL_CONNECTION_NAME"],
+        }