Getting notAuthorized error with cloud_sql_proxy locally

georges · Apr 4, 2016 · Viewed 9.3k times

I'm trying to set up a connection locally for a 2nd generation Cloud SQL instance.

The call for the proxy is:

./cloud_sql_proxy -dir=/cloudsql -instances=status-1268:us-central1:status-dev=tcp:3306 & mysql -u status_stg --host 127.0.0.1

I am a bit unclear on how to correctly set up the service accounts from the API section, so I tried with both of the defaults, the App Engine default service account and the Compute Engine default service account. I also created a new service account. For each one of them I assigned the service account ID to be Editor and Owner from the manage permissions section. Perhaps there is another way to enable the Cloud SQL Admin API for these accounts?

Output from proxy when my service tries to talk to DB:

./cloud_sql_proxy -dir=/cloudsql -instances=status-1268:us-central1:status-dev=tcp:3306 & mysql -u status_stg --host 127.0.0.1
ERROR 2003 (HY000): Can't connect to MySQL server on '127.0.0.1' (61)
2016/04/04 11:26:58 Open socket for "status-1268:us-central1:status-dev" at "127.0.0.1:3306"
2016/04/04 11:26:58 Socket prefix: /cloudsql
2016/04/04 11:27:10 Got a connection for "status-1268:us-central1:status-dev"
2016/04/04 11:27:11 couldn't connect to "status-1268:us-central1:status-dev": googleapi: Error 403: The client is not authorized to make this request., notAuthorized
2016/04/04 11:29:08 Got a connection for "status-1268:us-central1:status-dev"
2016/04/04 11:29:08 couldn't connect to "status-1268:us-central1:status-dev": googleapi: Error 403: The client is not authorized to make this request., notAuthorized

Thoughts on what to look for? I think I am missing something basic here configuring the service accounts.

(Overall, for my project I am running a Node.js Express app and hoping to connect it to a 2nd gen Cloud SQL DB instance without having to expose it with 0.0.0.0 as I currently have working.)

Thanks

Answer

Spectral · May 1, 2018

TL;DR: If your error log contains Error during createEphemeral.., please read on.

The solution that works for me is from the GitHub Cloud-SQL-Proxy issue tracker.

It seems that you may have encountered a bug in the backend that is triggered when there is an old service account with the same name. Follow the steps below to solve your issue:

  1. Go to the Cloud Project IAM page (Left Menu > IAM & Admin > IAM)
  2. Look for the row with the robot account that is having the issue.
  3. It should say "Cloud SQL Client" on the role column.
  4. Click on it to open the dropdown
  5. Click on the 'Cloud SQL Client' role that is checked to uncheck it.
  6. Click the blue save button above.
  7. Verify that the service account is removed from the IAM page.
  8. Click the Add button above in the same page.
  9. Enter the service account email address and select the Cloud SQL Client role
  10. Click Add
  11. The service account should appear again in the list.

Credits to Chees, but points are mine :P. Hope it solves your issue.
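
The console steps in the answer above, written as a gcloud CLI sequence with the verification steps enforced. This is an added example, not part of the original answer or of the Cloud SQL Proxy project; the function names are made up here, and `roles/cloudsql.client` is the role ID behind the "Cloud SQL Client" label.

```shell
#!/bin/sh
# Added example: CLI equivalent of the console steps (remove, verify, re-add).
ROLE="roles/cloudsql.client"   # role ID shown as "Cloud SQL Client" in the console

# Print the roles bound to MEMBER ($2) in PROJECT ($1), one per line.
roles_for_member() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$2" \
    --format="value(bindings.role)"
}

# True if MEMBER currently holds $ROLE in PROJECT.
has_role() {
  roles_for_member "$1" "$2" | grep -qx "$ROLE"
}

# Usage: rebind_cloudsql_client PROJECT_ID SERVICE_ACCOUNT_EMAIL
rebind_cloudsql_client() {
  rb_project="$1"
  rb_member="serviceAccount:$2"

  if has_role "$rb_project" "$rb_member"; then
    # Steps 4-6: drop the existing binding.
    gcloud projects remove-iam-policy-binding "$rb_project" \
      --member="$rb_member" --role="$ROLE" >/dev/null || return 1
    # Step 7: confirm it is really gone before re-adding.
    if has_role "$rb_project" "$rb_member"; then
      echo "binding for $rb_member still present after removal" >&2
      return 1
    fi
  else
    echo "no existing $ROLE binding for $rb_member; adding only" >&2
  fi

  # Steps 8-10: grant the role again.
  gcloud projects add-iam-policy-binding "$rb_project" \
    --member="$rb_member" --role="$ROLE" >/dev/null || return 1
  # Step 11: the member should show up with the role again.
  has_role "$rb_project" "$rb_member"
}

# Example call (SA_NAME is a placeholder; status-1268 is the question's project):
# rebind_cloudsql_client status-1268 SA_NAME@status-1268.iam.gserviceaccount.com
```

Only the Cloud SQL Client binding is touched, so any other roles the account holds (such as the Editor and Owner grants mentioned in the question) stay in place and the account will still be listed after the removal step.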