As I'm using a Mac, I'm not sure if the Unix socket method is expected to work, but here's what I tried. I removed the "=tcp:5433" from my command, leaving me with this:
./cloud_sql_proxy --dir='./cloudsql' -instances=[project-id]:us-central1:[cloud-sql-instance-id] -credential_file=/path/to/credentials.json
That immediately responded with:
using credential file for authentication; email=[my-service-name]@[project-id].iam.gserviceaccount.com
2017/10/04 15:51:10 errors parsing config:
googleapi: Error 403: The client is not authorized to make this request., notAuthorized
I've also tried starting over from first principles. I asked my client to create a brand new project. I have the editor role for the project, plus Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer, Cloud SQL Client, plus some permissions for assigning roles to the service account I subsequently set up: Service Account Admin, Service Account Key Admin, Service Account Token Creator, Service Account User.
I've created a new database instance. And a new Service Account which I've give the Cloud SQL Client role. I get a new credentials file. Then I used that credentials file in my standard cloud-sql-proxy command, with the new database instance connection name (for this attempt, I went back to the tcp:5433 option).
In my first attempt to connect via psql, the cloud sql proxy spit out the error message:
2017/10/04 15:35:18 using credential file for authentication; email=[my-service-id]@[project-id].iam.gserviceaccount.com
2017/10/04 15:35:18 Listening on 127.0.0.1:5433 for [project-id]:us-central1:[cloud-sql-instance-id]
2017/10/04 15:35:18 Ready for new connections
2017/10/04 15:35:35 New connection for "[project-id]:us-central1:[cloud-sql-instance-id]"
2017/10/04 15:35:35 couldn't connect to "[project-id]:us-central1:[cloud-sql-instance-id] ": ensure that the account has access to "[project-id]:us-central1:[cloud-sql-instance-id] " (and make sure there's no typo in that name). Error during createEphemeral for [project-id]:us-central1:[cloud-sql-instance-id] : googleapi: Error 403: Access Not Configured. Cloud SQL Administration API has not been used in project [123456789] before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview?project=[123456789] then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured
This, of course, makes sense to me because I forgot to enable Cloud SQL Admin API. So I enable the SQL API. After waiting a few minutes, I tried to connect again, and I'm back to the same 403 error message as before:
2017/10/04 15:44:23 couldn't connect to "[project-id]:us-central1:[cloud-sql-instance-id]": ensure that the account has access to "[project-id]:us-central1:[cloud-sql-instance-id]" (and make sure there's no typo in that name). Error during createEphemeral for [project-id]:us-central1:[cloud-sql-instance-id]: googleapi: Error 403: The client is not authorized to make this request., notAuthorized
My gut tells me that there's some other config step -- probably something that would have happened automatically if this had been a project under my own cloud account, as I've had this configuration work when dealing with my projects under my Google cloud environment -- but I feel like I have no ability to debug the problem at this point.
BC
On Tuesday, 3 October 2017 10:30:34 UTC-4, BC Holmes wrote:
-- ./cloud_sql_proxy --dir='./cloudsql' -instances=[project-id]:us-central1:[cloud-sql-instance-id] -credential_file=/path/to/credentials.json
That immediately responded with:
using credential file for authentication; email=[my-service-name]@[project-id].iam.gserviceaccount.com
2017/10/04 15:51:10 errors parsing config:
googleapi: Error 403: The client is not authorized to make this request., notAuthorized
I've also tried starting over from first principles. I asked my client to create a brand new project. I have the editor role for the project, plus Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer, Cloud SQL Client, plus some permissions for assigning roles to the service account I subsequently set up: Service Account Admin, Service Account Key Admin, Service Account Token Creator, Service Account User.
I've created a new database instance. And a new Service Account which I've give the Cloud SQL Client role. I get a new credentials file. Then I used that credentials file in my standard cloud-sql-proxy command, with the new database instance connection name (for this attempt, I went back to the tcp:5433 option).
In my first attempt to connect via psql, the cloud sql proxy spit out the error message:
2017/10/04 15:35:18 using credential file for authentication; email=[my-service-id]@[project-id].iam.gserviceaccount.com
2017/10/04 15:35:18 Listening on 127.0.0.1:5433 for [project-id]:us-central1:[cloud-sql-instance-id]
2017/10/04 15:35:18 Ready for new connections
2017/10/04 15:35:35 New connection for "[project-id]:us-central1:[cloud-sql-instance-id]"
2017/10/04 15:35:35 couldn't connect to "[project-id]:us-central1:[cloud-sql-instance-id] ": ensure that the account has access to "[project-id]:us-central1:[cloud-sql-instance-id] " (and make sure there's no typo in that name). Error during createEphemeral for [project-id]:us-central1:[cloud-sql-instance-id] : googleapi: Error 403: Access Not Configured. Cloud SQL Administration API has not been used in project [123456789] before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview?project=[123456789] then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured
This, of course, makes sense to me because I forgot to enable Cloud SQL Admin API. So I enable the SQL API. After waiting a few minutes, I tried to connect again, and I'm back to the same 403 error message as before:
2017/10/04 15:44:23 couldn't connect to "[project-id]:us-central1:[cloud-sql-instance-id]": ensure that the account has access to "[project-id]:us-central1:[cloud-sql-instance-id]" (and make sure there's no typo in that name). Error during createEphemeral for [project-id]:us-central1:[cloud-sql-instance-id]: googleapi: Error 403: The client is not authorized to make this request., notAuthorized
My gut tells me that there's some other config step -- probably something that would have happened automatically if this had been a project under my own cloud account, as I've had this configuration work when dealing with my projects under my Google cloud environment -- but I feel like I have no ability to debug the problem at this point.
BC
On Tuesday, 3 October 2017 10:30:34 UTC-4, BC Holmes wrote:
Re: name. I'm using the 3-part format with colons.
Re: sockets. I'm connecting from a Mac -- I'll read over the link to see if it's something I can try out.
Thanks,
BC
On Monday, 2 October 2017 22:59:30 UTC-4, Kamran (Google Cloud Support) wrote:BC Holmes,Are you using INSTANCE_CONNECTION_NAME or INSTANCE ID?In the command you will need to specify INSTANCE_CONNECTION_NAME which is this format:<Your-Project-ID>:<Your-Instance-Name>:<Your-SQL- Instance-ID> If you're connecting to your SQL instance from Linux machine, can you try Unix Socket method and let know if it works?
On Monday, October 2, 2017 at 10:45:37 AM UTC-4, BC Holmes wrote:Thanks for your suggestion, but sadly, I get the same response.
I made sure that my service name is not one that I'd used before.
I still feel like there's something wonky about the fact that it's a project that I have access to, but not one that I own.
BCing you
On Friday, 29 September 2017 17:19:47 UTC-4, Ankush Agarwal wrote:Can you try creating a new service account, using a name which has not been used before?1. Go to https://console.cloud.google.com/iam-admin/serviceaccounts/ <project-id>project?project= 2. Click on "CREATE SERVICE ACCOUNT"3. Enter the "Service account name". Ensure that you've not used this name before. Select "Cloud SQL > Cloud SQL Client" as the Role.4. Click on "Furnish a new private key" and choose "JSON" as the Key Type5. Don't check "Enable G Suite Domain-wide Delegation"6. Click "Create"7. You should now have a downloaded "credentials.json" file8. Try running the proxy with this .json file in the -credential_file flagOn Fri, Sep 29, 2017 at 1:50 PM, BC Holmes <g...@bcholmes.org> wrote:I seem to be having a problem with configuring the Cloud SQL Proxy. I'm getting a 403 notAuthorized error when I try to connect with my Cloud SQL Postgres database instance.
I've read several of the previous messages on this group discussing the topic (usually about MySQL). The part that's most perplexing is that I've successfully configured this before (in a Google Cloud instance that I set up), and as I'm trying to reproduce the same set up in a different Google Cloud instance (my client's configuration) I can't seem to get past this error. Here's the error message:
2017/09/29 16:23:11 couldn't connect to "[database-instance-id]": ensure that the account has access to "[database-instance-id]" (and make sure there's no typo in that name). Error during createEphemeral for [database-instance-id]: googleapi: Error 403: The client is not authorized to make this request., notAuthorized
I've double-checked the database instance id a few times, and have copy-and-pasted it directly from the "Instance Details" page on the Cloud SQL console to try to prevent typos.
Here's the set up:
1. I've tried two configurations: the first is an instance of the Cloud SQL Proxy running in a GKE environment, and the second is a Cloud SQL Proxy instance running locally via the command line of my Mac. I get the same errors in both instances.
2. I've set up my SQL service account and granted it the SQL Client role. (I've also tried other roles combinations that have come up in other posts, such as Cloud SQL Viewer, and sometimes all of the Cloud SQL roles).
3. When I run the Cloud SQL Proxy locally, the error happens at the moment I try a first database connection (using psql). Here's the command I run locally:
./cloud_sql_proxy --dir='./cloudsql' -instances=[database-instance-id]=tcp:5433 -credential_file=/path/to/ credentials.json
(The real command has no square brackets in it -- I'm just putting those in to represent a placeholder. Some related group messages have talked about extraneous square brackets. I'm also using 5433 instead of the typical 5432 for my local environment because of port conflicts; my GKE configuration uses 5432).
I feel like the fact that I'm not the Owner of this Cloud project is one of the key differences between my working version and my non-working version. I've been the one to set up the Cloud SQL instance, the database and user, and the SQL service. At one point, *my* id didn't have the Cloud SQL Client role or the Cloud SQL Viewer role, but I've had those subsequently added to my id.
Any ideas?
BCing you--Ankush AgarwalSoftware Engineer, Cloud SQLThere are 10 types of people in this world - those who understand binary and those who don't
You received this message because you are subscribed to the Google Groups "Google Cloud SQL discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/bb938568-0bc5-4acc-abaf-ee162ad22c14%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
No comments:
Post a Comment