From 0c1380d643573228a94ee06b83d62edd7ccd485a Mon Sep 17 00:00:00 2001
From: Jonathan Hess <hessjc@google.com>
Date: Thu, 22 Jan 2026 12:19:30 -0700
Subject: [PATCH] fix: Correctly set the credentials token source WIP: needs
 unit tests Fixes #2542

---
 internal/proxy/proxy.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/internal/proxy/proxy.go b/internal/proxy/proxy.go
index a28759553..73456b67c 100644
--- a/internal/proxy/proxy.go
+++ b/internal/proxy/proxy.go
@@ -363,7 +363,20 @@ func credentialsOpt(c Config, l cloudsql.Logger) (cloudsqlconn.Option, error) {
 		if err != nil {
 			return nil, err
 		}
+
+		var iamAuthNEnabled bool
 		if c.IAMAuthN {
+			iamAuthNEnabled = true
+		} else {
+			for _, ic := range c.Instances {
+				if ic.IAMAuthN != nil && *ic.IAMAuthN {
+					iamAuthNEnabled = true
+					break
+				}
+			}
+		}
+
+		if iamAuthNEnabled {
 			iamLoginTS, err := impersonate.CredentialsTokenSource(
 				context.Background(),
 				impersonate.CredentialsConfig{