GoogleCloudPlatform
diff --git a/‎docs/jdbc-mariadb.md‎
Lines changed: 53 additions & 0 deletions b/‎docs/jdbc-mariadb.md‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎docs/jdbc-mysql.md‎
Lines changed: 53 additions & 0 deletions b/‎docs/jdbc-mysql.md‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎docs/jdbc-postgres.md‎
Lines changed: 57 additions & 0 deletions b/‎docs/jdbc-postgres.md‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎docs/r2dbc-mysql.md‎
Lines changed: 62 additions & 0 deletions b/‎docs/r2dbc-mysql.md‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎docs/r2dbc-postgres.md‎
Lines changed: 61 additions & 0 deletions b/‎docs/r2dbc-postgres.md‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎docs/r2dbc-sqlserver.md‎
Lines changed: 61 additions & 0 deletions b/‎docs/r2dbc-sqlserver.md‎
Lines changed: 61 additions & 0 deletions
@@ -96,6 +96,59 @@ Note: a non-empty string value for the `password` property must be set. While th
 be ignored when connecting with the Cloud SQL Connector using IAM auth, leaving it empty will cause
 driver-level validations to fail.
 
+### Service Account Impersonation
+
+The Java Connector supports service account impersonation with the
+`cloudSqlTargetPrincipal` JDBC connection property. When enabled,
+all API requests are made impersonating the supplied service account. The
+IAM principal must have the iam.serviceAccounts.getAccessToken permission or
+the role roles/iam.serviceAccounts.serviceAccountTokenCreator.
+
+Example:
+```java
+// Set up URL parameters
+String jdbcURL = String.format("jdbc:mariadb://ignoreme:123/%s", DB_NAME);
+Properties connProps = new Properties();
+connProps.setProperty("user", "mysql-iam-user@gmail.com");
+connProps.setProperty("password", "password");
+connProps.setProperty("sslmode", "disable");
+connProps.setProperty("socketFactory", "com.google.cloud.sql.mariadb.SocketFactory");
+connProps.setProperty("cloudSqlInstance", "project:region:instance");
+connProps.setProperty("enableIamAuth", "true");
+connProps.setProperty("cloudSqlTargetPrincipal", "mysql-iam-user@gmail.com");
+
+// Initialize connection pool
+HikariConfig config = new HikariConfig();
+config.setJdbcUrl(jdbcURL);
+config.setDataSourceProperties(connProps);
+config.setConnectionTimeout(10000); // 10s
+
+HikariDataSource connectionPool = new HikariDataSource(config);
+```
+
+In addition, the `cloudSqlDelegates` property controls impersonation delegation. 
+The value is a comma-separated list of service accounts containing chained 
+list of delegates required to grant the final access_token. If set,
+the sequence of identities must have "Service Account Token Creator" capability
+granted to the preceding identity. For example, if set to 
+`"serviceAccountB,serviceAccountC"`, the application default credentials must 
+have the Token Creator role on serviceAccountB. serviceAccountB must have
+the Token Creator on serviceAccountC. Finally, C must have Token Creator on 
+`cloudSqlTargetPrincipal`. If unset, the application default credential principal
+must "Service Account Token Creator" capability granted that role on the
+targetPrincipal service account.
+
+
+For example:
+```java
+connProps.setProperty("cloudSqlTargetPrincipal", "TARGET_SERVICE_ACCOUNT");
+connProps.setProperty("cloudSqlDelegates", "SERVICE_ACCOUNT_1,SERVICE_ACCOUNT_2");
+```
+
+In this example, the environment's application default principal impersonates
+SERVICE_ACCOUNT_1 which impersonates SERVICE_ACCOUNT_2 which then
+impersonates the TARGET_SERVICE_ACCOUNT.
+
 ## Examples
 
 Examples for using the Cloud SQL JDBC Connector for MySQL/MariaDB can be found by looking at the integration tests in this repository.
 
@@ -94,6 +94,59 @@ Example:
  HikariDataSource connectionPool = new HikariDataSource(config);
 ```
 
+### Service Account Impersonation
+
+The Java Connector supports service account impersonation with the
+`cloudSqlTargetPrincipal` JDBC connection property. When enabled,
+all API requests are made impersonating the supplied service account. The
+IAM principal must have the iam.serviceAccounts.getAccessToken permission or
+the role roles/iam.serviceAccounts.serviceAccountTokenCreator.
+
+Example:
+```java
+// Set up URL parameters
+String jdbcURL = String.format("jdbc:mysql:///%s", DB_NAME);
+Properties connProps = new Properties();
+connProps.setProperty("user", "iam-user"); // iam-user@gmail.com
+connProps.setProperty("sslmode", "disable");
+connProps.setProperty("socketFactory", "com.google.cloud.sql.postgres.SocketFactory");
+connProps.setProperty("cloudSqlInstance", "project:region:instance");
+connProps.setProperty("enableIamAuth", "true");
+connProps.setProperty("cloudSqlTargetPrincipal", "iam-user@gmail.com");
+
+// Initialize connection pool
+HikariConfig config = new HikariConfig();
+config.setJdbcUrl(jdbcURL);
+config.setDataSourceProperties(connProps);
+config.setConnectionTimeout(10000); // 10s
+
+HikariDataSource connectionPool = new HikariDataSource(config);
+```
+
+In addition, the `cloudSqlDelegates` property controls impersonation delegation.
+The value is a comma-separated list of service accounts containing chained
+list of delegates required to grant the final access_token. If set,
+the sequence of identities must have "Service Account Token Creator" capability
+granted to the preceding identity. For example, if set to 
+`"serviceAccountB,serviceAccountC"`, the application default credentials must
+have the Token Creator role on serviceAccountB. serviceAccountB must have
+the Token Creator on serviceAccountC. Finally, C must have Token Creator on
+`cloudSqlTargetPrincipal`. If unset, the application default credential principal
+must "Service Account Token Creator" capability granted that role on the
+`cloudSqlTargetPrincipal` service account.
+
+
+For example:
+```java
+connProps.setProperty("cloudSqlTargetPrincipal", "TARGET_SERVICE_ACCOUNT");
+connProps.setProperty("cloudSqlDelegates", "SERVICE_ACCOUNT_1,SERVICE_ACCOUNT_2");
+```
+
+In this example, the environment's application default principal impersonates
+SERVICE_ACCOUNT_1 which impersonates SERVICE_ACCOUNT_2 which then
+impersonates the TARGET_SERVICE_ACCOUNT.
+
+
 ### Connection via Unix Sockets
 
 To connect using a Unix domain socket (such as the one created by the Cloud SQL 
 
@@ -91,6 +91,63 @@ Note: a non-empty string value for the `password` property must be set. While th
 be ignored when connecting with the Cloud SQL Connector using IAM auth, leaving it empty will cause
 driver-level validations to fail.
 
+
+### Service Account Impersonation
+
+The Java Connector supports service account impersonation with the
+`cloudSqlTargetPrincipal` JDBC connection property. When enabled,
+all API requests are made impersonating the supplied service account. The
+IAM principal must have the iam.serviceAccounts.getAccessToken permission or
+the role roles/iam.serviceAccounts.serviceAccountTokenCreator.
+
+Example:
+
+```java
+// Set up URL parameters
+String jdbcURL = String.format("jdbc:postgresql:///%s", DB_NAME);
+Properties connProps = new Properties();
+connProps.setProperty("user", "postgres-iam-user@gmail.com");
+connProps.setProperty("password", "password");
+connProps.setProperty("sslmode", "disable");
+connProps.setProperty("socketFactory", "com.google.cloud.sql.postgres.SocketFactory");
+connProps.setProperty("cloudSqlInstance", "project:region:instance");
+connProps.setProperty("enableIamAuth", "true");
+connProps.setProperty("cloudSqlTargetPrincipal", "postgres-iam-user@gmail.com");
+
+// Initialize connection pool
+HikariConfig config = new HikariConfig();
+config.setJdbcUrl(jdbcURL);
+config.setDataSourceProperties(connProps);
+config.setConnectionTimeout(10000); // 10s
+
+HikariDataSource connectionPool = new HikariDataSource(config);
+```
+
+
+In addition, the `cloudSqlDelegates` property controls impersonation delegation.
+The value is a comma-separated list of service accounts containing chained
+list of delegates required to grant the final access_token. If set,
+the sequence of identities must have "Service Account Token Creator" capability
+granted to the preceding identity. For example, if set to 
+`"serviceAccountB,serviceAccountC"`, the application default credentials must
+have the Token Creator role on serviceAccountB. serviceAccountB must have
+the Token Creator on serviceAccountC. Finally, C must have Token Creator on
+`cloudSqlTargetPrincipal`. If unset, the application default credential principal
+must "Service Account Token Creator" capability granted that role on the
+cloudSqlTargetPrincipal service account.
+
+
+For example:
+```java
+connProps.setProperty("cloudSqlTargetPrincipal", "TARGET_SERVICE_ACCOUNT");
+connProps.setProperty("cloudSqlDelegates", "SERVICE_ACCOUNT_1,SERVICE_ACCOUNT_2");
+```
+
+In this example, the environment's application default principal impersonates
+SERVICE_ACCOUNT_1 which impersonates SERVICE_ACCOUNT_2 which then
+impersonates the TARGET_SERVICE_ACCOUNT.
+
+
 ### Connection via Unix Sockets
 
 To connect using a Unix domain socket (such as the one created by the Cloud SQL 
 
@@ -35,6 +35,68 @@ Add the following parameters:
 | DB_USER | MySQL username |
 | DB_PASS | MySQL user's password |
 
+## Service Account Delegation
+
+
+The Java Connector supports service account impersonation with the
+`TARGET_PRINCIPAL` option. When enabled, all API requests are made impersonating
+the supplied service account. The IAM principal must have the
+iam.serviceAccounts.getAccessToken permission or the role
+roles/iam.serviceAccounts.serviceAccountTokenCreator.
+
+```java
+// Set up ConnectionFactoryOptions
+ConnectionFactoryOptions options = ConnectionFactoryOptions.builder()
+ .option(DRIVER, "gcp")
+ .option(PROTOCOL, "mysql")
+ .option(PASSWORD, "password")
+ .option(USER, "mysql-iam-user@gmail.com")
+ .option(DATABASE, "my_db")
+ .option(HOST, "project:region:instance")
+ .option(ENABLE_IAM_AUTH, true)
+ .option(TARGET_PRINCIPAL, "mysql-iam-user@gmail.com")
+ .build();
+
+// Initialize connection pool
+ConnectionFactory connectionFactory = ConnectionFactories.get(options);
+ConnectionPoolConfiguration configuration = ConnectionPoolConfiguration
+ .builder(connectionFactory)
+ .build();
+
+this.connectionPool = new ConnectionPool(configuration);
+```
+
+In addition, the `DELEGATES` option controls impersonation delegation.
+The value is a comma-separated list of service accounts containing chained
+list of delegates required to grant the final access_token. If set,
+the sequence of identities must have "Service Account Token Creator" capability
+granted to the preceding identity. For example, if set to 
+`"serviceAccountB,serviceAccountC"`, the application default credentials must
+have the Token Creator role on serviceAccountB. serviceAccountB must have
+the Token Creator on serviceAccountC. Finally, C must have Token Creator on
+target principal. If unset, the application default credential principal
+must "Service Account Token Creator" capability granted that role on the
+target principal service account.
+
+
+For example:
+```java
+options.option(TARGET_PRINCIPAL, "TARGET_SERVICE_ACCOUNT");
+options.option(DELEGATES, "SERVICE_ACCOUNT_1,SERVICE_ACCOUNT_2");
+```
+
+In this example, the environment's application default principal impersonates
+SERVICE_ACCOUNT_1 which impersonates SERVICE_ACCOUNT_2 which then
+impersonates the TARGET_SERVICE_ACCOUNT.
+
+In addition, the `DELEGATES` option supports an impersonation delegation chain
+where the value is a comma-separated list of service accounts. The first service
+account in the list is the impersonation target. Each subsequent service
+account is a delegate to the previous service account. When delegation is
+used, each delegate must have the permissions named above on the service
+account it is delegating to.
+
+
 ## Examples
 
 Examples for using the Cloud SQL JDBC Connector for Postgres can be found by looking at the integration tests in this repository.
 
@@ -73,6 +73,67 @@ Note: a non-empty string value for the `password` property must be set. While th
 be ignored when connecting with the Cloud SQL Connector using IAM auth, leaving it empty will cause
 driver-level validations to fail.
 
+## Service Account Delegation
+
+The Java Connector supports service account impersonation with the
+`TARGET_PRINCIPAL` option. When enabled, all API requests are made impersonating
+the supplied service account. The IAM principal must have the 
+iam.serviceAccounts.getAccessToken permission or the role 
+roles/iam.serviceAccounts.serviceAccountTokenCreator.
+
+```java
+// Set up ConnectionFactoryOptions
+ConnectionFactoryOptions options = ConnectionFactoryOptions.builder()
+ .option(DRIVER, "gcp")
+ .option(PROTOCOL, "postgresql")
+ .option(PASSWORD, "password")
+ .option(USER, "postgres-iam-user@gmail.com")
+ .option(DATABASE, "my_db")
+ .option(HOST, "project:region:instance")
+ .option(ENABLE_IAM_AUTH, true)
+ .option(TARGET_PRINCIPAL, "postgres-iam-user@gmail.com,db-service-account@iam.gooogle.com")
+ .build();
+
+// Initialize connection pool
+ConnectionFactory connectionFactory = ConnectionFactories.get(options);
+ConnectionPoolConfiguration configuration = ConnectionPoolConfiguration
+ .builder(connectionFactory)
+ .build();
+
+this.connectionPool = new ConnectionPool(configuration);
+```
+
+In addition, the `DELEGATES` option controls impersonation delegation.
+The value is a comma-separated list of service accounts containing chained
+list of delegates required to grant the final access_token. If set,
+the sequence of identities must have "Service Account Token Creator" capability
+granted to the preceding identity. For example, if set to 
+`"serviceAccountB,serviceAccountC"`, the application default credentials must
+have the Token Creator role on serviceAccountB. serviceAccountB must have
+the Token Creator on serviceAccountC. Finally, C must have Token Creator on
+target principal. If unset, the application default credential principal
+must "Service Account Token Creator" capability granted that role on the
+target principal service account.
+
+
+For example:
+```java
+options.option(TARGET_PRINCIPAL, "TARGET_SERVICE_ACCOUNT");
+options.option(DELEGATES, "SERVICE_ACCOUNT_1,SERVICE_ACCOUNT_2");
+```
+
+In this example, the environment's application default principal impersonates
+SERVICE_ACCOUNT_1 which impersonates SERVICE_ACCOUNT_2 which then
+impersonates the TARGET_SERVICE_ACCOUNT.
+
+In addition, the `DELEGATES` option supports an impersonation delegation chain
+where the value is a comma-separated list of service accounts. The first service
+account in the list is the impersonation target. Each subsequent service
+account is a delegate to the previous service account. When delegation is
+used, each delegate must have the permissions named above on the service
+account it is delegating to.
+
+
 ## Examples
 
 Examples for using the Cloud SQL JDBC Connector for Postgres can be found by looking at the integration tests in this repository.
 
@@ -34,6 +34,67 @@ Add the following parameters:
 | DB_USER | SQL Server username |
 | DB_PASS | SQL Server user's password |
 
+
+## Service Account Delegation
+The Java Connector supports service account impersonation with the
+`TARGET_PRINCIPAL` option. When enabled, all API requests are made impersonating
+the supplied service account. The IAM principal must have the
+iam.serviceAccounts.getAccessToken permission or the role
+roles/iam.serviceAccounts.serviceAccountTokenCreator.
+
+```java
+// Set up ConnectionFactoryOptions
+ConnectionFactoryOptions options = ConnectionFactoryOptions.builder()
+ .option(DRIVER, "gcp")
+ .option(PROTOCOL, "mssql")
+ .option(PASSWORD, "password")
+ .option(USER, "my_db_user")
+ .option(DATABASE, "my_db")
+ .option(HOST, "project:region:instance")
+ .option(TARGET_PRINCIPAL, "mssql-iam-user@gmail.com,db-service-account@iam.gooogle.com")
+ .build();
+
+// Initialize connection pool
+ConnectionFactory connectionFactory = ConnectionFactories.get(options);
+ConnectionPoolConfiguration configuration = ConnectionPoolConfiguration
+ .builder(connectionFactory)
+ .build();
+
+this.connectionPool = new ConnectionPool(configuration);
+```
+
+In addition, the `DELEGATES` option controls impersonation delegation.
+The value is a comma-separated list of service accounts containing chained
+list of delegates required to grant the final access_token. If set,
+the sequence of identities must have "Service Account Token Creator" capability
+granted to the preceding identity. For example, if set to 
+`"serviceAccountB,serviceAccountC"`, the application default credentials must
+have the Token Creator role on serviceAccountB. serviceAccountB must have
+the Token Creator on serviceAccountC. Finally, C must have Token Creator on
+target principal. If unset, the application default credential principal
+must "Service Account Token Creator" capability granted that role on the
+target principal service account.
+
+
+For example:
+```java
+options.option(TARGET_PRINCIPAL, "TARGET_SERVICE_ACCOUNT");
+options.option(DELEGATES, "SERVICE_ACCOUNT_1,SERVICE_ACCOUNT_2");
+```
+
+In this example, the environment's application default principal impersonates
+SERVICE_ACCOUNT_1 which impersonates SERVICE_ACCOUNT_2 which then
+impersonates the TARGET_SERVICE_ACCOUNT.
+
+In addition, the `DELEGATES` option supports an impersonation delegation chain
+where the value is a comma-separated list of service accounts. The first service
+account in the list is the impersonation target. Each subsequent service
+account is a delegate to the previous service account. When delegation is
+used, each delegate must have the permissions named above on the service
+account it is delegating to.
+
+
+
 ## Examples
 
 Examples for using the Cloud SQL JDBC Connector for Postgres can be found by looking at the integration tests in this repository.