That worked beautifully David.--Muchas gracias
On Friday, June 23, 2017 at 9:46:19 AM UTC-7, David Newgas wrote:Hi,If you run the command that way on GCE it will use the service account for your instance. By default this will be PROJECT_NUM...@developer.gserviceaccount.com , although when you create the instance you can specify other service accounts. So one possible issue is that this account does not have the required IAM permission to access your Cloud SQL instance. When you use the default credentials on GCE, it is also restricted to certain APIs, by default GCS read-only, writing to cloud logging/monitoring, and Google Cloud Endpoints. So a second possible issue is that your GCE instance doesn't have sufficient scopes set up. This is what is being referenced where the docs say "If you created your Compute Engine instance with either Full API access or Cloud SQL API enabled, you can skip this step; you do not need to provide a certificate file when you start the proxy."You have two options going forward:
- Use the JSON service account credentials you created. You can pass them to cloud_sql_proxy with the -credential_file parameter or in the GOOGLE_APPLICATION_CREDENTIALS environmental variable.
- Use the GCE default service account, but make sure a) the instance's service account has either Editor or Cloud SQL Client role on your project and b) the instance has access scope to the Cloud SQL API enabled.
Our instructions are a bit confusing as you point out... they advise creating a service account (option 1) but then give the command line for option 2. I'll try and clean that up.DavidOn Thu, Jun 22, 2017 at 6:47 PM, Alex Ryan <alexande...@gmail.com> wrote:--I have a 2nd gen google cloud sql instance running in project A which I would like to connect to from a google compute engine instance in project B via the cloudsql-proxy.The instructions for doing so are here:I believe that I have followed these instructions precisely and yet I still get this error:2017/06/23 01:14:41 couldn't connect to "INSTANCE-CONNECTION-NAME": ensure that the account has access to "INSTANCE-CONNECTION-NAME" (and make sure there's no typo in that name). Error during createEphemeral for INSTANCE-CONNECTION-NAME: googleapi: Error 403: Access Not Configured. Cloud SQL Administration API has not been used in project 000000000 before or it is disabled. Enable it by visiting https://console.developers.goo
gle.com/apis/api/sqladmin.goog then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfiguredleapis.com/overview?project= 000000000
there is no typo in the INSTANCE-CONNECTION-NAME
I HAVE enabled the Cloud SQL API (It no longer appears to be named "Cloud SQL Administrator API")
I HAVE waited for many minutes for the action to propagate to our systems and retry.
One thing I did find very strange about the instructions is that I was requested to create service account explicitly for the cloudsql-proxy and to generate a JSON key for it, but there were no instructions on actually using either of these.
I did ensure that the service account of the compute engine (in project B) was listing in project A with the credential of Cloud SQL > Cloud SQL Client. (Note: It was already in there with a role of Owner)
The command to start the proxy was simply this:
./cloud_sql_proxy -instances=<INSTANCE_CONNECTION_NAME >=tcp:3306
What do I need to do to make this work?
You received this message because you are subscribed to the Google Groups "Google Cloud SQL discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsubscribe@googlegroups.com .
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/ .34ed1f62-4224-4890-875f- a686d194eec3%40googlegroups. com
For more options, visit https://groups.google.com/d/optout .
You received this message because you are subscribed to the Google Groups "Google Cloud SQL discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsubscribe@googlegroups.com .
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql- .discuss/b6608e3f-ef2e-4ca2- b118-e2d5c6eac341% 40googlegroups.com
You received this message because you are subscribed to the Google Groups "Google Cloud SQL discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/CAJZK_bYT5g4_ARKS_PQt5g_%2BG--B5LJZWcPH4iWXb8pJ0cC2JQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
No comments:
Post a Comment