Thursday, January 23, 2020

Re: [google-cloud-sql-discuss] Re: proxy cloud_sql_proxy suddenly gives Error 403: The client is not authorized to make this request., notAuthorized

The issue in the end had nothing to do with bucket access for the SQL instance's service account; the issue was that the import task-launching service account needed to have the cloud.sql.admin role. Apparently editor, viewer, and client are inadequate to run an import job.

Now, I encounter a new issue: gcloud sql import csv for a MySQL database ignores the CSV file's NULL values (mysqlimport requires that empty/missing fields contain a '\N' value, otherwise the import overrides the default NULL value setting and inserts a zero value or empty string), which BQ extract csv does not insert, so I have to programmatically insert \N into our BQ extract CSV files before attempting to upload them.

So, to clarify, I've found that cloud sql import csv does not correctly interpret \N nor missing values as meaning "INSERT NULL"; it inserts the literal \N value or 0 values. The mysqlimport utility, with some finagling, seems to recognize the \N values as meaning NULL, but it's finicky and easily misinterprets.

On Friday, January 24, 2020 at 5:57:47 AM UTC+9, Jad El Houssami wrote:
Hello Christopher, 

I can understand how inconvenient it can be to run into permission issues when trying to set up an ETL job. From my understanding, you have a service account being used to launch the import task and it already has all the Cloud SQL roles. Once the import task is launched, you have given the SQL instance's service account permission to access the GCS bucket.

The Cloud SQL documentation explains: "To import data from Cloud Storage, the instance's service account needs to have the Bucket Reader ACL permission set in the project." In other words, the service account needs to have the 'roles/storage.legacyBucketReader' role, which is equivalent to the 'Bucket Reader' ACL permission. Are you able to confirm if you have already granted that role to your Cloud SQL instance's service account?

Additionally, if you prefer not to give the import task service account the role of project-wide editor, it was previously suggested to try granting it the "roles/cloudsql.client" role instead. Have you already given that a try?
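
The preprocessing step described in the first message (inserting \N into the empty fields of a BigQuery CSV extract), as an added example that is not part of the original thread. It assumes NULLs appear in the extract as empty unquoted fields while a quoted `""` is a genuine empty string; `mark_nulls` is a hypothetical helper name.

```python
NULL_MARKER = r"\N"  # marker mysqlimport reads as NULL, per the message above


def mark_nulls(csv_text, delimiter=","):
    """Replace empty unquoted fields with \\N; quoted empty strings stay as-is."""
    out, field = [], []   # field holds the raw characters, quotes included
    in_quotes = False

    def flush():
        raw = "".join(field)
        out.append(raw if raw else NULL_MARKER)
        field.clear()

    i, n = 0, len(csv_text)
    while i < n:
        ch = csv_text[i]
        if in_quotes:
            field.append(ch)
            if ch == '"':
                if i + 1 < n and csv_text[i + 1] == '"':
                    field.append('"')   # doubled quote = escaped quote
                    i += 1
                else:
                    in_quotes = False
        elif ch == '"':
            in_quotes = True
            field.append(ch)
        elif ch == delimiter:
            flush()
            out.append(delimiter)
        elif ch in "\r\n":
            if ch == "\r" and i + 1 < n and csv_text[i + 1] == "\n":
                i += 1                  # treat CRLF as one line ending
            flush()
            out.append("\n")
        else:
            field.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted field; refusing to guess")
    if csv_text and csv_text[-1] not in "\r\n":
        flush()                         # last line had no trailing newline
    return "".join(out)


# Constructed sample input, not real export data.
SAMPLE = 'id,name,note\n1,alice,\n2,,"said ""hi"", left"\n3,"",\n4,"multi\nline",x\n'

if __name__ == "__main__":
    print(mark_nulls(SAMPLE), end="")
```

Commas and newlines inside quoted fields are left untouched, and CRLF line endings outside quotes are normalized to LF.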
