So when I run the cloud_sql_proxy script locally with a service account that only has Cloud SQL Client permissions, here's the error the proxy service gives when I try to connect with a MySQL client at 127.0.0.1:3306 with a valid user:
$ ./cloud_sql_proxy -instances=[redacted]=tcp:3306 -credential_file=cloud-sql-client.json
2017/02/10 17:37:57 using credential file for authentication; email=cloud-sql-client@[project id].iam.gserviceaccount.com
2017/02/10 17:37:57 Listening on 127.0.0.1:3306 for [project id]:us-east1:prod1
2017/02/10 17:37:57 Ready for new connections
2017/02/10 17:38:02 New connection for "[project id]:us-east1:prod1"
2017/02/10 17:38:07 couldn't connect to "[project id]:us-east1:prod1": ensure that the account has access to "[project id]:us-east1:prod1" (and make sure there's no typo in that name). Error during get instance [project id]:us-east1:prod1: googleapi: Error 403: The client is not authorized to make this request., notAuthorized
But when I connect using a service account that has Project Owner permissions, the connection works and I see this output:
$ ./cloud_sql_proxy -instances=[project id]:us-east1:prod1=tcp:3306 -credential_file=service-admin.json
2017/02/10 17:38:33 using credential file for authentication; email=service-admin@[project id].iam.gserviceaccount.com
2017/02/10 17:38:33 Listening on 127.0.0.1:3306 for [project id]:us-east1:prod1
2017/02/10 17:38:33 Ready for new connections
2017/02/10 17:38:35 New connection for "[project id]:us-east1:prod1"
2017/02/10 17:38:47 Client closed local connection on 127.0.0.1:3306
Thanks in advance for your help - I know you all have lots of folks to talk to here.
On Thursday, February 9, 2017 at 10:48:41 AM UTC-8, Vadim Berezniker wrote:
"Cloud SQL Client" should be sufficient.
Please post the error you are seeing from the Proxy, otherwise it's hard to say what's going on.
On Thu, Feb 9, 2017 at 5:56 AM Andrew Baker <andrew.t...@gmail.com> wrote:
Hi there,
I was following these instructions (https://cloud.google.com/sql/docs/container-engine-connect) which largely worked, but my MySQL connections kept getting 403'd inside my GKE containers.
So I tried connecting locally using these instructions (https://cloud.google.com/sql/docs/mysql-connect-proxy) and that didn't work either. In the end, the only thing that did work is creating a service account with "Project Owner" permissions. Now I can connect locally and in my Kubernetes cluster.
I tried making service accounts with Cloud SQL Client, Editor, and Admin - none of them were good enough to allow connections from my GKE containers.
I booted both my Cloud SQL instance and my cluster tonight, if that's relevant.
Any ideas? I can keep hacking on my app with the current setup, but I'd prefer not to grant that proxy container such broad permissions.
Thanks.
-Andrew
You received this message because you are subscribed to the Google Groups "Google Cloud SQL discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/50f0720a-7788-4183-aa17-7ced364844ae%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.