Friday, September 29, 2017

[google-cloud-sql-discuss] Cloud SQL Proxy: 403 notAuthorized error

I seem to be having a problem with configuring the Cloud SQL Proxy. I'm getting a 403 notAuthorized error when I try to connect with my Cloud SQL Postgres database instance.

I've read several of the previous messages on this group discussing the topic (usually about MySQL). The part that's most perplexing is that I've successfully configured this before (in a Google Cloud instance that I set up), and as I'm trying to reproduce the same setup in a different Google Cloud instance (my client's configuration) I can't seem to get past this error. Here's the error message:

2017/09/29 16:23:11 couldn't connect to "[database-instance-id]": ensure that the account has access to "[database-instance-id]" (and make sure there's no typo in that name). Error during createEphemeral for [database-instance-id]: googleapi: Error 403: The client is not authorized to make this request., notAuthorized

I've double-checked the database instance id a few times, and have copied and pasted it directly from the "Instance Details" page on the Cloud SQL console to try to prevent typos.

Here's the setup:

1. I've tried two configurations: the first is an instance of the Cloud SQL Proxy running in a GKE environment, and the second is a Cloud SQL Proxy instance running locally via the command line of my Mac. I get the same errors in both instances.

2. I've set up my SQL service account and granted it the SQL Client role. (I've also tried other role combinations that have come up in other posts, such as Cloud SQL Viewer, and sometimes all of the Cloud SQL roles.)

3. When I run the Cloud SQL Proxy locally, the error happens at the moment I try a first database connection (using psql). Here's the command I run locally:

./cloud_sql_proxy --dir='./cloudsql' -instances=[database-instance-id]=tcp:5433 -credential_file=/path/to/credentials.json

(The real command has no square brackets in it -- I'm just putting those in to represent a placeholder. Some related group messages have talked about extraneous square brackets. I'm also using 5433 instead of the typical 5432 for my local environment because of port conflicts; my GKE configuration uses 5432).



I feel like the fact that I'm not the Owner of this Cloud project is one of the key differences between my working version and my non-working version. I've been the one to set up the Cloud SQL instance, the database and user, and the SQL service. At one point, *my* id didn't have the Cloud SQL Client role or the Cloud SQL Viewer role, but I've had those subsequently added to my id.

Any ideas?

BCing you

