Friday, February 10, 2017

Re: [google-cloud-sql-discuss] Can only get proxy service account to work when given Project Owner permissions

So when I run the cloud_sql_proxy script locally with a service account that only has Cloud SQL Client permissions, here's the error the proxy service gives when I try to connect with a MySQL client at 127.0.0.1:3306 with a valid user:

$ ./cloud_sql_proxy -instances=[redacted]=tcp:3306 -credential_file=cloud-sql-client.json
2017/02/10 17:37:57 using credential file for authentication; email=cloud-sql-client@[project id].iam.gserviceaccount.com
2017/02/10 17:37:57 Listening on 127.0.0.1:3306 for [project id]:us-east1:prod1
2017/02/10 17:37:57 Ready for new connections
2017/02/10 17:38:02 New connection for "[project id]:us-east1:prod1"
2017/02/10 17:38:07 couldn't connect to "[project id]:us-east1:prod1": ensure that the account has access to "[project id]:us-east1:prod1" (and make sure there's no typo in that name). Error during get instance [project id]:us-east1:prod1: googleapi: Error 403: The client is not authorized to make this request., notAuthorized

But when I connect using a service account that has Project Owner permissions, the connection works and I see this output:

$ ./cloud_sql_proxy -instances=[project id]:us-east1:prod1=tcp:3306 -credential_file=service-admin.json
2017/02/10 17:38:33 using credential file for authentication; email=service-admin@[project id].iam.gserviceaccount.com
2017/02/10 17:38:33 Listening on 127.0.0.1:3306 for [project id]:us-east1:prod1
2017/02/10 17:38:33 Ready for new connections
2017/02/10 17:38:35 New connection for "[project id]:us-east1:prod1"
2017/02/10 17:38:47 Client closed local connection on 127.0.0.1:3306

Thanks in advance for your help - I know you all have lots of folks to talk to here.

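The 403 in the log above is raised on the proxy's metadata read of the instance ("Error during get instance"), before any MySQL traffic. The script below is an added example for this thread, not part of cloud_sql_proxy or any Google tooling: it parses that failure line and then makes the same Cloud SQL Admin API instances.get call with the service-account key file, so a given role can be tested directly instead of escalating to Project Owner. The function names and the injected `http_get` hook are mine; live use assumes the `google-auth` package is installed and the key file is readable.

```python
"""Reproduce the Cloud SQL Proxy's instances.get call with a given key file.

Added example for this thread (not part of cloud_sql_proxy or any Google tool).
parse_proxy_error() pulls the instance name, HTTP status and API reason out of
a proxy failure line; check_instance_access() performs the same Cloud SQL
Admin API read the proxy does before it opens a connection.
"""
import json
import re
from typing import Callable, Optional, Tuple

# Shape of the proxy failure line seen in the thread:
#   couldn't connect to "proj:region:inst": ... Error 403: <message>., notAuthorized
PROXY_ERR_RE = re.compile(
    r'couldn\'t connect to "(?P<conn>[^"]+)".*?'
    r'Error (?P<status>\d{3}): (?P<msg>.*?)\.?,\s*(?P<reason>\w+)\s*$'
)

# Cloud SQL Admin API v1beta4 endpoint the proxy reads instance metadata from.
SQLADMIN = "https://sqladmin.googleapis.com/sql/v1beta4"

# Injected HTTP GET: (url, bearer_token) -> (status_code, body_text), so the
# check can be exercised offline with a canned response (hypothetical hook).
HttpGet = Callable[[str, str], Tuple[int, str]]


def parse_proxy_error(line: str) -> Optional[dict]:
    """Return conn/status/msg/reason from a proxy failure log line, else None."""
    m = PROXY_ERR_RE.search(line)
    if not m:
        return None
    out = m.groupdict()
    out["status"] = int(out["status"])
    return out


def instances_get_url(conn: str) -> str:
    """Build the instances.get URL from a project:region:instance name."""
    parts = conn.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected project:region:instance, got {conn!r}")
    project, _region, instance = parts
    return f"{SQLADMIN}/projects/{project}/instances/{instance}"


def bearer_token(credential_file: str) -> str:
    """Mint an access token from a service-account JSON key (needs google-auth)."""
    from google.oauth2 import service_account
    from google.auth.transport.requests import Request
    creds = service_account.Credentials.from_service_account_file(
        credential_file,
        scopes=["https://www.googleapis.com/auth/sqlservice.admin"],
    )
    creds.refresh(Request())
    return creds.token


def live_http_get(url: str, token: str) -> Tuple[int, str]:
    """Real HTTP GET with a bearer token; HTTP errors are returned, not raised."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


def check_instance_access(conn: str, token: str,
                          http_get: HttpGet = live_http_get) -> dict:
    """Call instances.get as the proxy would and summarise the outcome."""
    status, body = http_get(instances_get_url(conn), token)
    result = {"conn": conn, "status": status, "ok": status == 200}
    if status == 200:
        result["detail"] = "credential can read the instance; IAM is not the blocker"
        return result
    try:  # googleapi errors carry {"error": {"message": ..., "errors": [{"reason": ...}]}}
        err = json.loads(body)["error"]
        reason = err["errors"][0].get("reason", "?")
        result["detail"] = f"{err.get('message', '').rstrip('.')} ({reason})"
    except (ValueError, KeyError, IndexError, TypeError):
        result["detail"] = body.strip()[:200]
    return result


if __name__ == "__main__":
    import sys
    # usage: python check_sql_access.py project:region:instance key.json
    name, key_file = sys.argv[1], sys.argv[2]
    print(check_instance_access(name, bearer_token(key_file)))
```

A 200 with the Cloud SQL Client key means that credential can read the instance and the failure is somewhere else; a 403 with reason notAuthorized pins it on the IAM binding for that service account in that project, which is the thing to fix rather than widening the role to Owner.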

On Thursday, February 9, 2017 at 10:48:41 AM UTC-8, Vadim Berezniker wrote:
"Cloud SQL Client" should be sufficient.
Please post the error you are seeing from the Proxy, otherwise it's hard to say what's going on.

On Thu, Feb 9, 2017 at 5:56 AM Andrew Baker <andrew.t...@gmail.com> wrote:
Hi there,

I was following these instructions (https://cloud.google.com/sql/docs/container-engine-connect) which largely worked, but my MySQL connections kept getting 403'd inside my GKE containers.

So I tried connecting locally using these instructions (https://cloud.google.com/sql/docs/mysql-connect-proxy) and that didn't work either. In the end, the only thing that did work is creating a service account with "Project Owner" permissions. Now I can connect locally and in my Kubernetes cluster.

I tried making service accounts with Cloud SQL Client, Editor, and Admin - none of them were good enough to allow connections from my GKE containers.

I booted both my Cloud SQL instance and my cluster tonight, if that's relevant.

Any ideas? I can keep hacking on my app with the current setup, but I'd prefer not to grant that proxy container such broad permissions.

Thanks.

-Andrew

--
You received this message because you are subscribed to the Google Groups "Google Cloud SQL discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/50f0720a-7788-4183-aa17-7ced364844ae%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Google Cloud SQL discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/eb733a6c-ed4e-417b-999e-49fe4a8dbc9b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
