DataIntegrationGroup · jirhiker · Feb 27, 2026 · Feb 27, 2026 · Copilot · Feb 27, 2026
diff --git a/alembic/env.py b/alembic/env.py
@@ -59,7 +59,7 @@ def build_database_url():
         user = os.environ.get("CLOUD_SQL_USER", "")
         password = os.environ.get("CLOUD_SQL_PASSWORD", "")
         database = os.environ.get("CLOUD_SQL_DATABASE", "")
-        use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", False)
+        use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", True)
         # Host is provided by connector, so leave blank.
         if use_iam_auth:
             return f"postgresql+pg8000://{user}@/{database}"
@@ -122,7 +122,7 @@ def run_migrations_online() -> None:
         user = os.environ.get("CLOUD_SQL_USER")
         password = os.environ.get("CLOUD_SQL_PASSWORD")
         database = os.environ.get("CLOUD_SQL_DATABASE")
-        use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", False)
+        use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", True)
-        use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", True)
+        use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", False)
-        use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", True)
+        use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", False)
         ip_type = os.environ.get("CLOUD_SQL_IP_TYPE", "public")
 
         connector = Connector()

diff --git a/db/engine.py b/db/engine.py
@@ -14,7 +14,6 @@
 # limitations under the License.
 # ===============================================================================
 
-import asyncio
 import copy
 import getpass
 import os
@@ -24,7 +23,7 @@
 from sqlalchemy import (
     create_engine,
 )
-from sqlalchemy.ext.asyncio import async_sessionmaker, create_async_engine
+from sqlalchemy.ext.asyncio import create_async_engine
 from sqlalchemy.orm import (
     sessionmaker,
 )
@@ -72,7 +71,7 @@ def asyncify_connection():
         user = os.environ.get("CLOUD_SQL_USER")
         password = os.environ.get("CLOUD_SQL_PASSWORD")
         database = os.environ.get("CLOUD_SQL_DATABASE")
-        use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", False)
+        use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", True)
-        use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", True)
+        if "CLOUD_SQL_IAM_AUTH" in os.environ:
+            # Honor explicit configuration of IAM auth.
+            use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", False)
+        else:
+            # Derive a safe default: prefer password auth when a password is set.
+            use_iam_auth = False if password else True
-        use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", True)
+        if "CLOUD_SQL_IAM_AUTH" in os.environ:
+            # Honor explicit configuration of IAM auth.
+            use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", False)
+        else:
+            # Derive a safe default: prefer password auth when a password is set.
+            use_iam_auth = False if password else True
         ip_type = os.environ.get("CLOUD_SQL_IP_TYPE", "public")
 
         connect_kwargs = {
@@ -109,7 +108,7 @@ def init_connection_pool(connector):
         user = os.environ.get("CLOUD_SQL_USER")
         password = os.environ.get("CLOUD_SQL_PASSWORD")
         database = os.environ.get("CLOUD_SQL_DATABASE")
-        use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", False)
+        use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", True)
         ip_type = os.environ.get("CLOUD_SQL_IP_TYPE", "public")
 
         def getconn():