There are two versions of IAM database authentication for Cloud SQL essentially.

Manual IAM database authentication (official docs):

For this version you login to the database with the IAM principal (service account for your case) as the database username and pass an OAuth2 access token belonging to the IAM principal as the password.

Note: MySQL and Postgres both format the IAM database username differently. MySQL formats the database username as follows:

For an IAM user account, this is the user's email address, without the @ symbol or domain name. For example, for [email protected], enter test-user. For a service account, this is the service account's email address without the @project-id.iam.gserviceaccount.com suffix.

When using either version you need to make sure your <App Engine default service account> is formatted accordingly.

Automatic IAM database authentication (official docs):

For this version it requires the use of the Cloud SQL Proxy or a Cloud SQL Language Connector Library (Go, Node, Python, Java). These libraries will essentially manage fetching and continuously refreshing the OAuth2 token in the background and embed it as the password for you.

So as the end user you do not need to pass a password, the libraries or Proxy handle it for you.

.NET AppEngine Recommendation:

My recommendation for a .NET AppEngine app would be to use manual IAM database authentication since unfortunately there is not a Language Connector for .NET and the Proxy can be complex to run alongside your app.

There is a really good blog on Cloud SQL Postgres + IAM database authentication where you can essentially create your own version of automatic IAM authentication through the use of a dynamic password with UsePeriodicPasswordProvider, I wonder if the MySqlConnectionStringBuilder has similar functionality?