Client fails on createEphemeral #37
Comments
I thought project IDs only allowed dashes (rather than underscores). Can
you double check that is the ID of your project?
|
Good catch! Apparently I was mixing them up depending on the context. Thanks! |
Actually, mind if I send in a PR that will do this check? |
I'm definitely accepting pull requests.
|
I have same problem. I'm sure
|
@thuandt Is the service account associated with 'CloudSQL.json' added to the project which contains the Cloud SQL instance you want to connect to? Does it have an "editor" level privilege in that project? |
@Carrotman42 I have both but it still returns this error. Thanks for your help. |
I have the same problem as @thuandt ... |
If you could send the name of your cloud sql instance to
cloud-sql@google.com (with a link to this page) I may be able to help out
looking at some internal data.
Also, please paste the log of the proxy when this issue occurs (taking
out any personally identifiable info like the instance name, ip, etc).
|
@Carrotman42 - I sent the info you requested to cloud-sql@google.com. Still no reply. |
Apologies, I was off work this weekend. I've replied now, let's continue the discussion over email. |
Hi @Carrotman42 and @smichaku , just wondering, did you manage to overcome this? I'm looking at the same error right now. I already tried to re-generate my credentials by using a 'Cloud SQL Admin' Service Account but no cigar :( |
@robbertvancaem - The problem for me was that the service account related to the credentials file I was using was not added to the project. Once I added it the problem was gone. |
I've also been seeing this error over the past several days (running the proxy within Google Kubernetes Engine):
What's odd is that it only crops up after the sql proxy instance has been running - successfully - for a while. Most recently, my service account had both After the error began occurring, restarting the proxy didn't change anything. Then I added However, it seems like I wonder if this error could be caused by something independent of the permissions of the service account? |
Thanks @abstrctn. I also had the same issue. I am wondering: if we are giving only the "Cloud SQL admin" role, then it should work. |
After testing with different access rights this is what I found: So far the only access that is working - project-owner. I think I tried project editor and it is not working for the same reason. Does anyone know what happened during the last weeks, any changes? Should I create a separate ticket for that? |
In IAM, the Service Account related to the project only had access to the Cloud SQL with a role of Editor. It did not yet have access to the actual project where the Service Account was used. A bit confusing, but adding the Service Account as a Project Editor as well resolved all my issues. Thanks for the help guys :-) |
Some clarification: 'Cloud SQL Client' is the right role to use for Proxy access. None of the other Cloud SQL roles include connectivity access, you always need Cloud SQL Client role if you plan to connect via the Proxy. |
@Laixer @Carrotman42 |
@pilwon Can you share the command line you are using to run the proxy (feel free to mask out any instance names, etc) as well as the exact error message you see? |
@Laixer Same as the above:
$ docker run -it --rm \
-v <local-certificate-file-path>:/etc/ssl/certs/ca-certificates.crt \
-v <credential-file-path>:/credential.json \
-p 127.0.0.1:3306:3306 \
gcr.io/cloudsql-docker/gce-proxy \
/cloud_sql_proxy \
-instances=<project-id>:<region-id>:<sql-instance-id>=tcp:0.0.0.0:3306 \
-credential_file=/credential.json
2017/03/11 19:49:58 using credential file for authentication; email=<service-account-id>@<project-id>.iam.gserviceaccount.com
2017/03/11 19:49:58 Listening on 0.0.0.0:3306 for <project-id>:<region-id>:<sql-instance-id>
2017/03/11 19:49:58 Ready for new connections
2017/03/11 19:50:04 New connection for "<project-id>:<region-id>:<sql-instance-id>"
2017/03/11 19:50:04 couldn't connect to "<project-id>:<region-id>:<sql-instance-id>": ensure that the account has access to "<project-id>:<region-id>:<sql-instance-id>" (and make sure there's no typo in that name). Error during createEphemeral for <project-id>:<region-id>:<sql-instance-id>: googleapi: Error 403: The client is not authorized to make this request., notAuthorized |
Really useful chat! It helped me a lot with an issue I was having. |
@Laixer Can we reopen this issue until it is fully resolved? |
Just putting my voice out there, I was following this: https://cloud.google.com/sql/docs/mysql/connect-external-app#proxy And was receiving the same error on the recommended role, only worked when I changed to Project Owner role. |
I just ran into this as well. On our dev GCP project it works fine. On our production GCP project I have 2 service accounts with both the same roles and everything. One of them works, the other does not (it gives the same errors as in this ticket). So either it has to do with the name or there's some weird race condition going on somewhere? Anyway, I think this issue should be reopened. |
We have been unable to reproduce this problem. For anyone that is running into this problem, can you send an email to cloud-sql@google.com referencing this issue. If possible, please include (1) examples where you are running into the problem (2) examples where you are not running into the problem (3) instance names (4) service account names (5) assigned IAM roles (6) proxy logs (7) any other information that you think could help track down this problem |
Re-opening the issue as we try to track down the root cause. Please follow the advice in @Laixer's comment above if you run into the issue. |
FYI: I sent all details to cloud-sql@google.com |
@chees Can you try removing the Cloud SQL Client role from the service account that is not working, click Save, then add it back and click Save and let us know if that works. |
Thanks to the cloud-sql@google.com people it's now working for me. The steps that fix it are:
Maybe this can help somebody who still runs into this before the root cause gets fixed. |
I can confirm that the steps @chees just mentioned worked for me!! THANK GOD, a day lost but I'm GLAD it finally works. THANKS! ( plz fix so less people will throw themselves out of the window ) |
Confirming @chees steps fixed the issue too, glad I found this post as I was stuck on this for a while. This really needs to be fixed asap ! |
Hi! after removing a service in App Engine (GAE), my GAE app can't connect to the Cloud SQL instance in the same project anymore. When connecting using Cloud Shell and Cloud SQL proxy, I see the same error as you have mentioned above.
The following did not help:
Note that connecting using Please help me to connect through Cloud SQL Proxy and App Engine! Added Cloud SQL error log :
|
Please file a new issue since it appears to be a different issue (the given
workarounds in this thread didn't work); we can debug there.
|
Sorry all that this has yet to be fixed. I have again pinged the team which is culpable for this issue and will escalate as needed. |
I set up a new env a few days ago and I still have the same problem with access rights: none of the user rights from the Cloud SQL Client role are working. Only editor gave proper access to allow creating a connection to the DB. I don't know if it makes any difference, but we use Postgres as the DB. |
I was playing around with kubernetes and cloud sql proxy and faced the same issue. The proxy works fine on one google account (with Cloud SQL client role itself), but it doesn't work on another one ( In the account where it doesn't work, I'm not the owner. I have the service account admin privilege and project editor privilege though). |
If a service account doesn't show up under IAM it means it doesn't have any
roles assigned to it yet. You can add it with the Add button at the top of
the IAM screen.
On Jun 16, 2017 20:53, "Mansoor" <notifications@github.com> wrote:
I was playing around with kubernetes and cloud sql proxy and faced the same
issue. The proxy works fine on one google account (with Cloud SQL client
role itself), but it doesn't work on another one ( In the account where it
doesn't work, I'm not the owner. I have the service account admin privilege
and project editor privilege though).
I was trying to follow instructions mentioned by @chees
<https://github.com/chees> but, the service account is not listed under
IAM, it is listed only under service accounts.
|
@chees Thank you very much. The issue is resolved. Adding the service account under IAM roles fixed it. But that is kind of confusing, because when I created the service account, I assigned the role of "Cloud SQL Client". |
So I am having the same issue, but removing the role under IAM and then adding Cloud SQL Client back to it didn't fix anything. I went under IAM > Roles and created a new role that contained cloudsql.* and then assigned that to the service account and it worked. I wish I knew exactly which options I needed to choose to make it a "Client" role instead of adding everything. Due to my lack of sleep due to this issue, did I miss something? Or, should removing the Cloud SQL Client from the service account and then adding it back have fixed it? |
Ok, so I just removed my custom Role and added Cloud SQL Viewer in addition to Cloud SQL Client and now it works. I've stopped cloud_sql_proxy several times and restarted and it starts no problem. Hopefully, this might help someone else out. |
If you want to create a custom role, you need cloudsql.instances.connect and cloudsql.instances.get permissions. Those are the two permissions that Cloud SQL client has. |
@Laixer Thank you very much. Is there something else that Cloud SQL Viewer has that would make it work? It seems like there is something else in addition to Client (at least in my case). I am just glad adding Viewer fixed the problem and hopefully that helps someone else out. I wish I had the time to fiddle with the custom roles and figure out what Viewer added that made it work. Sadly, I don't think I'll be able to do it within my deadline. Thanks again. |
Client role should be sufficient. Did you save between removing & re-adding the Client role? |
I am also observing the client fails on CreateEphemeral. I'm new to this platform; just trying to set up the bookshelf tutorial described in cloud.google.com/sdk/docs. I want to set up a Service Account that the SQL proxy may use to connect to the GC SQL Instance. However the Role 'Cloud SQL Client' is not on the drop down list of possible roles. https://cloud.google.com/sql/docs/mysql/connect-admin-proxy#service-account |
If you can't see the role in the list, can you double check that the 'SQL' service is enabled in your project by visiting the following URL? |
@chees That "11 step process" you posted on Apr 26, 2017 fixed it for me. Thank you so much. I lost like 4 hours on this, taking apart my fucking cluster and putting it back together again over and over. |
I've had issues connecting the proxy to CloudSQL. The Client permission turned out to not be enough, as was the Viewer permission. I ended up using Admin, Client, Editor and Viewer and it finally worked. |
@chees god damn it you save me man |
schweikert, I don't think there is a way for us to fix the issue on the Cloud SQL side... but I'm closing this issue since I'd like to make sure the open issues are cloudsql proxy issues, ideally issues that can be solved with a PR for the proxy. |
Ok, I understand. github issues here are about the sql proxy code, and not about operational issues in GCP. I have reported this now here: https://issuetracker.google.com/issues/77939928 |
Two years later, and @chees's solution is still relevant! Thanks a lot! |
That Cloud SQL Client role doesn't even have the permission in question. Is it no longer required when using this role? |
I'm getting an odd failure from following these instructions:
https://github.com/GoogleCloudPlatform/cloudsql-proxy#to-use-from-kubernetes
Looking at the code, createEphemeral is failing, but I'm at a loss as to what is going on with the randomized key that's being created there.