Friday, October 6, 2017

Re: [google-cloud-sql-discuss] Cloud SQL Proxy: 403 notAuthorized error

Thanks, Lin Shi,

This seems to have solved my problem.

I've had Project IAM Admin role added to my account and I've created a new service account. I'm now able to connect to Cloud SQL via the proxy running at the command line. I'll now go back and do some testing with my GKE configuration.

Thanks also for the pointer to checking the IAM page for the right roles. I confess that that's not a page that I've found terribly intuitive, but I'll invest a bit of time in understanding it better.

BC

On Thursday, 5 October 2017 20:52:14 UTC-4, Lin Shi wrote:
Thank you so much for this, this is very helpful!!!

So the problem here is only "OWNER" and "Project IAM Admin" (under "Resource Manager") have the privilege to grant a role to a service account.  So none of the roles your client granted you can bind a role (Cloud SQL Client) to the service account you created.  However, there's a bug in the UI: even when you created the service account and specified the Cloud SQL Client role at the same time, it didn't give you any error when it failed to bind the role (due to lack of permission).

The solution here is to grant you the "Project IAM Admin" (under "Resource Manager") role if you don't want the Owner role.  One thing to check is, in the project, go to "IAM & admin" - "IAM" to check if the IAM rule is there for the service account with the correct role.

Hope this would help and we will update the doc soon.

--
You received this message because you are subscribed to the Google Groups "Google Cloud SQL discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/4c07714a-33d2-49a4-8e3e-59fd6d1da0c0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
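The sequence the two posts describe (an Owner grants Project IAM Admin, the service account is created and bound to Cloud SQL Client, and the project IAM policy is read back to confirm the binding actually landed), written out as gcloud commands with an offline check of the returned policy. This is an added example, not code from the thread or from Google; the project id, the admin user and the service-account name are assumed placeholders, and the constructed sample policy stands in for what `gcloud projects get-iam-policy` would print after the grants succeed. The parser assumes gcloud's default YAML layout, in which each binding lists its members before its role.

```shell
#!/bin/sh
# Added example: grant Project IAM Admin, create the proxy service account,
# bind roles/cloudsql.client explicitly, then verify the binding from the
# project policy instead of trusting the console form (which, per the thread,
# swallowed the permission error). Names below are assumptions.
set -eu

PROJECT="${PROJECT:-my-project}"                     # assumed project id
ADMIN_USER="${ADMIN_USER:-user:bc@example.com}"      # assumed human account
SA_NAME="${SA_NAME:-sqlproxy}"                       # assumed service account
SA_MEMBER="serviceAccount:$SA_NAME@$PROJECT.iam.gserviceaccount.com"

# 1. Run as an Owner: let the human manage IAM bindings on the project.
grant_iam_admin() {
  gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="$ADMIN_USER" --role="roles/resourcemanager.projectIamAdmin"
}

# 2. Create the service account, then bind the role in a separate call so a
#    failed binding is reported instead of being hidden by a combined form.
create_proxy_sa() {
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT" \
    --display-name="Cloud SQL Proxy"
  gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="$SA_MEMBER" --role="roles/cloudsql.client"
}

# 3. Read the project policy back (YAML is gcloud's default output format).
dump_policy() {
  gcloud projects get-iam-policy "$PROJECT" > "$1"
}

# has_binding POLICY_FILE ROLE MEMBER: exit 0 iff MEMBER is listed under ROLE.
# Walks gcloud's YAML: a "- members:" line opens a binding, "  - x" lines are
# its members, and "  role: r" closes it.
has_binding() {
  awk -v role="$2" -v member="$3" '
    /^- members:/ { found = 0 }
    /^  - /       { m = $0; sub(/^  - /, "", m); if (m == member) found = 1 }
    /^  role: /   { r = $0; sub(/^  role: /, "", r); if (r == role && found) hit = 1 }
    END           { exit (hit ? 0 : 1) }
  ' "$1"
}

# Constructed sample of what step 3 returns once steps 1 and 2 succeeded.
SAMPLE_POLICY='bindings:
- members:
  - serviceAccount:sqlproxy@my-project.iam.gserviceaccount.com
  role: roles/cloudsql.client
- members:
  - user:bc@example.com
  role: roles/resourcemanager.projectIamAdmin
- members:
  - user:owner@example.com
  role: roles/owner
etag: BwVzConstructed
version: 1'

write_sample_policy() { printf '%s\n' "$SAMPLE_POLICY" > "$1"; }

# verify_proxy_sa POLICY_FILE: 0 only when the proxy's service account really
# holds roles/cloudsql.client; otherwise explain what to re-run.
verify_proxy_sa() {
  if has_binding "$1" roles/cloudsql.client "$SA_MEMBER"; then
    echo "OK: $SA_MEMBER has roles/cloudsql.client"
  else
    echo "MISSING: $SA_MEMBER lacks roles/cloudsql.client; re-run step 2 as an IAM admin" >&2
    return 1
  fi
}

main() {
  tmp=$(mktemp)
  if [ "${1:-}" = "--apply" ]; then
    grant_iam_admin; create_proxy_sa; dump_policy "$tmp"
  else
    write_sample_policy "$tmp"      # offline run: use the constructed policy
  fi
  verify_proxy_sa "$tmp"
  rm -f "$tmp"
}

main "$@"
```

Without arguments the script only exercises the offline check against the constructed policy; `--apply` runs the real gcloud calls. One caveat worth keeping in mind: `roles/resourcemanager.projectIamAdmin` carries `resourcemanager.projects.setIamPolicy`, so whoever holds it can grant any project role, including to themselves. It solves the thread's problem, but it is a standing privilege-escalation path, so have an Owner perform the one-time grant in step 2 rather than leaving the role on a developer account.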
