Monday, March 19, 2018

Re: [google-cloud-sql-discuss] Re: Connecting to 2nd Generation MySQL from a Tomcat webapp context running in load-balanced Compute instances?

Well, it seems that the API that I was having trouble enabling appears to have already been enabled. At least, if what shows up in the list of enabled APIs on the "APIs & Services Dashboard" as "Google Cloud SQL" is the same as the "Cloud SQL Admin API" mentioned in the quickstart at https://cloud.google.com/sql/docs/mysql/quickstart-proxy-test.

But while the quickstart mentioned making sure gcloud is installed, and signing on to it, it did NOT say anything about setting application default credentials.

Without doing anything, I tried:

Jamess-Mac-mini:~ jamesl$ ./cloud_sql_proxy -instances=REDACTED=tcp:3306

2018/03/19 13:47:59 google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.

I eventually found something about setting the application default, and tried:
Jamess-Mac-mini:~ jamesl$ gcloud auth application-default login
Your browser has been opened to visit:
    https://accounts.google.com/REDACTED


Credentials saved to file: [REDACTED]
These credentials will be used by any library that requests
Application Default Credentials.

. . . and then, I tried the proxy again, and got:

Jamess-Mac-mini:~ jamesl$ ./cloud_sql_proxy -instances=REDACTED=tcp:3306

2018/03/19 13:56:30 Listening on 127.0.0.1:3306 for REDACTED
2018/03/19 13:56:30 Ready for new connections

But then, when I tried to connect to 127.0.0.1:3306, whether from Sequel Pro or from the default command-line MySQL client, using SQL user accounts that are globally usable, I get:

ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 0

I used my own user ID when I did the "gcloud auth application-default login"; do I instead need to set the application default to the SQL server's service account? I see instructions for creating a service account, at https://cloud.google.com/docs/authentication/getting-started but I'm not entirely sure I understand it. With a service account already in existence, do I just skip directly to step 3 of "Creating a service account"? I tried that, and got:

ERROR: (gcloud.iam.service-accounts.keys.create) PERMISSION_DENIED: Permission iam.serviceAccountKeys.create is required to perform this operation on service account projects/-/serviceAccounts/REDACTED.iam.gserviceaccount.com.

Something else I noticed, and don't understand: much of what the docs say about service accounts says that, in fully qualified form, they should be of the form "<name>@<projectname>.iam.gserviceaccount.com"; the already-in-existence service account that came with the SQL instance (which I have systematically redacted above) is in the form "<name>@<random word>-<random word>-<random number>.iam.gserviceaccount.com".
