Re-enable password auth when CLOUD_SQL_IAM_AUTH is false

This branch now throws whenever CLOUD_SQL_IAM_AUTH=false, which removes previously supported Cloud SQL password authentication and causes runtime failures for any deployment that explicitly disables IAM auth. The prior implementation used CLOUD_SQL_PASSWORD in this path, and repository logic still treats IAM as a default that can be overridden (for example, transfers/transfer.py says it should default to IAM unless explicitly disabled), so this is a behavioral regression that can break existing cloudsql environments on first DB use.

Useful? React with 👍 / 👎.

Keep Alembic online migrations compatible with non-IAM auth

The migration connector now hard-fails when CLOUD_SQL_IAM_AUTH is false, so alembic upgrade cannot run in Cloud SQL setups that use DB password auth instead of IAM tokens. This also leaves inconsistent behavior in the same file because build_database_url() still has a non-IAM/password branch, indicating non-IAM mode is expected to exist, but online migrations now crash before connecting.

Useful? React with 👍 / 👎.

The get_bool_env function can return a string value if the environment variable is set to something other than recognized boolean values ("true", "1", "yes", "false", "0", "no"). This could lead to unexpected behavior in the if not use_iam_auth: check. Consider adding validation to ensure use_iam_auth is actually a boolean, or handle the case where it might be an unexpected string value.

The get_bool_env function can return a string value if the environment variable is set to something other than recognized boolean values ("true", "1", "yes", "false", "0", "no"). This could lead to unexpected behavior in the if not use_iam_auth: check. Consider adding validation to ensure use_iam_auth is actually a boolean, or handle the case where it might be an unexpected string value.

Since the code now enforces that IAM auth must be enabled (raising an error if it's not), the enable_iam_auth parameter in connect_kwargs should be hardcoded to True instead of using the use_iam_auth variable. This makes the intent clearer and avoids passing a value that's always True at this point in the code.

Since the code now enforces that IAM auth must be enabled (raising an error if it's not), the enable_iam_auth parameter in connect_kwargs should be hardcoded to True instead of using the use_iam_auth variable. This makes the intent clearer and avoids passing a value that's always True at this point in the code.

Since the code now enforces that IAM auth must be enabled (raising an error if it's not), the enable_iam_auth parameter in connect_kwargs should be hardcoded to True instead of using the use_iam_auth variable. This makes the intent clearer and avoids passing a value that's always True at this point in the code.