Label studio with cloud run and vpc access conector & PRIVATE CLOUD SQL

Daniel_Barria_Andrad · February 28, 2025, 6:50pm

Hi everyone

Im using a docker image for label studio 1.15.0 and Im trying to deploy using cloud run and a private Cloud SQL.

My question is:

this image it’s prepare to use a private SQL connection with SSL?

Do you have any experience with this? or workaround?

Thank you

makseq · March 1, 2025, 3:11am

Yes, the Label Studio 1.15.0 Docker image might work with a secure (SSL) connection to a private Cloud SQL instance, but the functionality you are asking about is more relevant to the enterprise version of LSE, and we have not tested or designed it for the open-source version. There are two common approaches:

Using Cloud SQL Proxy (Recommended):
When running on Cloud Run, it’s common to deploy the Cloud SQL Proxy as a sidecar or include it within your container. The proxy handles the SSL‐certificate management and secure connection details, so your Label Studio container can simply connect to a local proxy endpoint without extra SSL settings. This avoids the need to manually mount the certificates or modify your DATABASE_URL with SSL parameters.
Direct SSL Configuration:
If you prefer to connect directly (without using the Cloud SQL Proxy), you must:

Mount the necessary certificates (e.g., the server CA, client certificate, and client key) into your container (via volumes or secrets).
Set up your environment variables appropriately. For example, your DATABASE_URL could include query parameters such as:

sslmode=verify-full
sslrootcert=/path/to/ca-cert.pem
sslcert=/path/to/client-cert.pem
sslkey=/path/to/client-key.pem

Alternatively, you can also set:
* DATABASE_SSLMODE=require (or verify-full if you want strict verification),
* DATABASE_SSLROOTCERT to point to your CA certificate,
* DATABASE_SSLCERT for your client certificate, and
* DATABASE_SSLKEY for your client key.This direct SSL method works if all certificate files are reachable inside your Cloud Run container and your Cloud SQL instance is configured to require trusted client certificates.

In our deployments, using the Cloud SQL Proxy is usually the “workaround of choice” since it simplifies the secure connection process and avoids potential pitfalls with direct SSL configuration.

For more details on securing Label Studio and connecting it to external databases, please see the security documentation:

Daniel_Barria_Andrad · March 3, 2025, 4:07pm

Thanks for your answers. Yes. I’m agree with you I think SQL proxy is the right approach for this.

I have a second question.

For the db host variable:
I need to use the string connection that appears in Cloud SQL instance or the private IP?

Topic		Replies	Views
Constant logging out with label studio deployed on Cloud Run Label Studio Support	2	192	June 21, 2024
How to validate the Label Studio connection to a PostgreSQL database when set up on AWS EC2 using Docker Compose? Label Studio Support deployment , ec2 , postgres	0	310	May 13, 2024
Running label studio on https with nginx; error when connecting local storage Label Studio Support	0	12	March 19, 2025
Label studio and Minio Local Setup Label Studio Support	1	485	October 1, 2024
Enterprise Beta - ML Connection Machine Learning	3	40	September 18, 2024

Label studio with cloud run and vpc access conector & PRIVATE CLOUD SQL

Related topics