I have Cloud SQL and Instance in same project of Google Cloud.
I want to connect to Mysql (from Google Cloud SQL) from Instance using command line.
I am connecting using command:
gcloud sql connect cloud-sql-name --user=username
its giving:
ERROR: (gcloud.sql.connect) There was no instance found or you are not authorized to connect to it.
How do I make connection.
You probably missed the authorization of your instance's IP to be able to connect to the Cloud SQL database. This is done for e.g. through the Cloud Console in the Cloud SQL Instances page.
To see the step-by-step guide for connecting from Compute Engine instance to Cloud SQL (with the mysql client) check this docs page.
Are you trying to connect to your Cloud SQL instance from your Compute Engine VM instance?
If this is the case, I can suggest to first grant your service account (the Compute Engine default service account or a new one) the corresponding IAM role/permission for Cloud SQL [1].
Then, authenticate/activate [2] your service account within your VM instance command line (it is recommended to generate a JSON key File instead of a P12 key File for your service account):
~$ gcloud auth activate-service-account [ACCOUNT] --key-file=KEY_FILE
To generate a key File for your service account, you can go to your Products and Services menu > IAM & admin > Service accounts. Click on the three-dotted button at the right of the corresponding service account and select "Create key".
Your key File should be stored/uploaded to your VM instance, so that it can use it to activate the service account.
It is possible that you would also need to grant your VM instance access for Cloud SQL within its Cloud API access scopes panel. Go to your Products and Services menu > Compute Engine > VM instances. Select your VM instance and edit it.
Be aware that you will need to stop your VM instance before editing Cloud API access scopes. Go to "Access scopes" > "Set access for each API". Enable and Save.
You will also have to enable the Cloud SQL Admin API. Go to your Products and Services menu > API and services. Search for SQL Admin and Enable it (wait a few minutes)
Start the VM instance and try your Cloud SQL tests (re-activate your service account if necessary).
Your Cloud SQL instance for MySQL creates the "root" user. Just make sure to use this as the username, or any other you have created (if any).
Take into account that since you would be connecting from a Compute Engine VM instance, it is possible that yo will be asked for a MySQL Client.
[1] https://cloud.google.com/sql/docs/mysql/project-access-control
[2] https://cloud.google.com/sdk/gcloud/reference/auth/activate-service-account
Related
I have the following command to deploy a google cloud function.
I use the same command to deploy a google cloud function of gen1 ( except the flag --gen2 ) and everything works fine. In the project that has the database, i have set the role of Cloud Sql Client with the service account that is set in the command.
But when i deploy a google cloud function of gen2, i can't connect to the database of the other project. Given that gen2 cloud functions use Cloud Run i have also checked the service-account that Cloud Run uses, and it matches the service account that has the Cloud Sql Client in the project that has the database.
I get this error
SQLSTATE[HY000] [2002] No such file or directory
gcloud functions deploy $CLOUD_FUNCTION_NAME-staging-gen2
--gen2
--source=./src
--runtime=$CLOUD_FUNCTION_PHP_VERSION
--trigger-http
--entry-point=$CLOUD_FUNCTION_ENTRY_POINT
--allow-unauthenticated
--region=$GCP_ZONE
--project=$PROJECT_ID
--env-vars-file .env.yml
--min-instances=$MINIMUM_NUMBER_OF_INSTANCES
--service-account=*******#appspot.gserviceaccount.com
${VPC_CONNECTOR:+--vpc-connector projects/$PROJECT_ID/locations/$GCP_ZONE/connectors/$VPC_CONNECTOR}
I have also tried to not set the --service-account when i deploy and let it use the default. Then i added the default service account to the project which has the database, in the IAM section with the role of Cloud Sql Client but it still does not work.
I use unix_socket to connect to the database, because the database is hosted in another project.
"mysql:dbname=${dbname};port=${port};unix_socket=/cloudsql/${instanceConnectionName}"
Where instanceConnectionName is project_name:europe-west4:database_name
According to https://cloud.google.com/sql/docs/mysql/connect-functions, you have to add the connection to the cloud run service that is automatically deployed with the gen 2 cloud function. This is the case for other database types as well. Scroll to "If you're using Cloud Functions (2nd gen) and not Cloud Functions (1st gen)"
I have created the IAM user in instance.
While create Cloud IAM user its showing below error message
Required
After you create a user account with Cloud IAM authentication, it will have no database privileges, so make sure permissions are granted as needed.
How to access the database from IAM user. And what permissions are required?
I'm going to go out on a limb and assume you're talking about a Cloud SQL instance since the problem you're discussing mentions user accounts and Cloud IAM Authentication which is mentioned by Cloud SQL when creating user accounts.
To access a Cloud SQL you need two things:
Cloud SQL Client or another Cloud SQL Role that allows instance connection
Cloud SQL Instance User Credentials (May need to create a Cloud SQL user before you have these, and potentially grant specific permissions on your databases)
The final step is to allow your connection in to the Cloud SQL Instance, there's 2 major ways to do so: Use the Cloud SQL Auth Proxy, or adding your IP to the Cloud SQL Instance's Authorized Networks. * If your Cloud SQL Instance requires SSL/TLS connections you'll also require SSL Certs from your instance on top of authorized networks. The Cloud SQL Auth Proxy is inherently an SSL/TLS connection.
NOTE: Actual access to your Database is not granted via IAM roles. The IAM roles are merely to manage who can attempt to connect to your Cloud SQL instance and management of your Cloud SQL Instance. The Cloud SQL Instance User Credentials provide you with actual access to your Cloud SQL instance databases.
After having both of the requirements needed for a connection you'll need to decide on how to connect to your Cloud SQL instance. There's a variety of connection options, you'll have to decide on whichever method best fits your current use case.
EDIT: Added step 3, utilizing Cloud SQL Auth Proxy or using authorized networks
Although I've gave Owner role to that specific service, I can't use the permissions from my instances that I connect with SSH from my local.
Also can't upload my files to Storage bucket which I've created in cloud platform.
Here is the screenshots of the problem:
The problem might be caused by the access token not having the appropriate permission scopes to conduct the required activity. To make sure you're using the auth scope of this service account appropriately, I recommend doing the following:
Run the command in the Google documentation inside the VM to
create a new key for the service account. This will create a .json
file inside the current directory containing the private
authentication key for the service account.
Run the command in the Google documentation to activate the
service account.
Run the command: $gcloud auth list to check if this worked.
In the output you should see an asterisk before the service
account’s name, indicating that this is the service account you are
currently using.
Now refer to the Google documentation and run the $env:GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"
Google Cloud Compute VMs have a setting for Access Scopes. This feature can limit the permissions that a service account has when attached to a virtual machine.
Go to the Google Cloud Console GUI, select your VM, stop the VM and then edit Acess Scopes to grant the permissions you require.
Access scopes
Service account "abcdefc-compute#developer.gserviceaccount.com" does not exist.
I am trying to create a kubernetes cluster but GCP gives me the error above.
I checked for the account name in service account but could not find it, rather I have
'ayushaccount#abcdef.iam.gserviceaccount.com'.
I tried to create another service account with this email "abcdefc-compute#developer.gserviceaccount.com" but it does not allow me to create.
I am new to GCP and I do not know how to solve this problem. All I am looking for to create a kubernetes cluster in GCP.
Looks like you are missing the default service account for your GCP project.
You have two options:
(re)create the default service account
when creating your GKE cluster, under NODE POOLS, go to default-pool->Security and for Service account, select one the one which exists.
If you want to (re)create the default service account, you can disable/enable the Google Compute Engine API via the console or run gcloud services enable compute.googleapis.com from Cloud Shell or from the command line on your workstation.
I'm trying to connect a GCE instance to a Cloud SQL instance (2nd gen) with Cloud SQL Proxy. When i ssh to the GCE instance and
sudo ./cloud_sql_proxy -dir=/cloudsql
I get
2016/07/13 18:59:28 Using gcloud's active project: xxxx-0000
2016/07/13 18:59:29 Error listing instances in xxxx-0000:
googleapi: Error 403: Access Not Configured.
Cloud SQL Administration API has not been used in project 000000000000
before or it is disabled. Enable it by visiting
https://console.developers.google.com/apis/api/sqladmin/overview?project=000000000000
then retry.
If you enabled this API recently, wait a few minutes for the action to
propagate to our systems and retry., accessNotConfigured
2016/07/13 18:59:29 no Cloud SQL Instances found in these projects: [xxxx-0000]
I have followed the documentations at
https://cloud.google.com/sql/docs/compute-engine-access#gce-connect-proxy and
https://cloud.google.com/sql/docs/sql-proxy
Both instances are within the same project and Cloud SQL API is enabled on the GCE instance (plus the default ones.) By my understanding, the default GCE service account should be able to authenticate the proxy.
Using cloud_sql_proxy with -instances seems to work but errors with accessNotConfigured too while trying to connect.
As per the error message, you need make sure that the "Cloud SQL Admin" API is enabled by visiting the provided link.
There's also a GUI way to connect your Compute Engine instance if you're using a 2nd gen GCloud SQL instance. You first get the external IP of your compute engine and include it in the Authorizations tab of your GCloud SQL dashboard. Here's a quick video
Enabling Cloud SQL Admin API will solve your problem: