In CloudSQL, how to allow members of {cloudsqliamuser} to create an extension

Pierre Leroy

Feb 10, 2021, 4:05:57 PM
to Google Cloud SQL discuss
Hi everyone, 

We're currently considering switching the way we connect our services to our Postgres DB managed in Cloud SQL and leveraging IAM authentication to use a service account.

The last blocking point is the extensions! Each time we deploy a new version of our services, they run a SQL script to update their DB schemas. And from time to time, those scripts will contain a line with `CREATE EXTENSION IF NOT EXISTS ..;`

With the 'postgres' role, as it inherits from cloudsqlsuperuser, we have no problem, but when we try with a service account, it fails with an error like this:
```
permission denied to create extension "pg_trgm"
Indice : Must be superuser to create this extension.
```

The doc says the user must have superuser privileges, which I understand to mean that it must inherit from cloudsqlsuperuser, but that isn't the case for a service account.

So is there any way to allow members of {cloudsqliamaccount} or {cloudsqliamuser} to create extensions or should we just manage them separately and create them with a {cloudsqlsuperuser} account? 

Thanks in advance for your help

gonzalezwalter

Feb 11, 2021, 2:55:09 PM
to Google Cloud SQL discuss
Hello, 

The Cloud SQL documentation specifies that the superuser administration of the PostgreSQL database is Google-managed, in order to do maintenance, minor and major patches on the DB and OS.

In the Cloud SQL extension documentation page it is indicated that there is a default user "postgres" that is created on your behalf with create extension permissions.

Based on these factors, it appears the best option would be to manage them separately with the default user 'postgres'.
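
One way to carry out the split suggested in the reply above, as an added example that is not part of the original thread: extensions are created once by `postgres`, and the service's migration script, run as the IAM service account, only verifies that they exist. The `required` list, the error wording and the audit query are assumptions; `pg_trgm` and `cloudsqlsuperuser` are taken from the question.

```sql
-- Step 1: run once per database as the built-in "postgres" user
-- (a member of cloudsqlsuperuser), outside the service's deploy pipeline.
CREATE EXTENSION IF NOT EXISTS pg_trgm;

-- Step 2: in the service's migration script, run as the IAM service account.
-- Instead of CREATE EXTENSION, check the precondition and fail early with a
-- clear message if an operator has not provisioned the extension yet.
DO $$
DECLARE
    required text[] := ARRAY['pg_trgm'];  -- assumption: extensions this service needs
    missing  text[];
BEGIN
    SELECT array_agg(r ORDER BY r)
      INTO missing
      FROM unnest(required) AS r
     WHERE NOT EXISTS (SELECT 1 FROM pg_extension e WHERE e.extname = r);

    IF missing IS NOT NULL THEN
        RAISE EXCEPTION 'missing extension(s): %', array_to_string(missing, ', ')
              USING HINT = 'Have a member of cloudsqlsuperuser (e.g. postgres) run CREATE EXTENSION first.';
    END IF;
END
$$;

-- Optional audit: confirm that service accounts stay outside cloudsqlsuperuser,
-- so the privileged role is limited to the accounts that manage extensions.
SELECT r.rolname,
       pg_has_role(r.rolname, 'cloudsqlsuperuser', 'member') AS member_of_cloudsqlsuperuser
  FROM pg_roles r
 WHERE r.rolcanlogin
 ORDER BY r.rolname;
```

`pg_extension` is readable by any role, so the check in step 2 needs no extra grants for the service account.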

