Log Insights on Cloud SQL — Service Account + Logging Viewer
Grant a Google Cloud service account access to your instance's logs.
The pipeline: Cloud SQL → Cloud Logging → MonPG reads via the logging.entries.list API. No Pub/Sub needed for the basic flow.
Create a service account
gcloud iam service-accounts create monpg-log-reader --display-name="MonPG Log Reader" --project=<your-project>
Grant minimal roles
Two options, depending on your security posture.
Project-scoped (simplest)
gcloud projects add-iam-policy-binding <your-project> --member="serviceAccount:monpg-log-reader@<your-project>.iam.gserviceaccount.com" --role="roles/logging.viewer"
gcloud projects add-iam-policy-binding <your-project> --member="serviceAccount:monpg-log-reader@<your-project>.iam.gserviceaccount.com" --role="roles/cloudsql.viewer"
Log-bucket-scoped (more restrictive)
If you sink Cloud SQL logs to a specific log bucket, grant roles/logging.viewAccessor only on that bucket. Contact support for a Terraform snippet — it's a few lines and we'd rather you copy ours than write it from scratch.
Generate a JSON key
gcloud iam service-accounts keys create monpg-log-reader.json --iam-account=monpg-log-reader@<your-project>.iam.gserviceaccount.com
Paste the JSON content into MonPG. We store it encrypted with Azure Key Vault.
Test
Settings → Servers → [your server] → GCP cloud integration. Paste JSON + project ID + instance ID. Click Test — we fetch the last 100 log entries to verify the connection actually works.
Cloud SQL Auth
MonPG doesn't use Cloud SQL Auth Proxy by default. The hosted fleet connects directly over public IP plus an allowlist. If your security policy requires private-IP-only access, switch to agent mode and run the agent in your VPC where it can reach Cloud SQL's private endpoint.