Cloud SQL proxy cannot connect to a database using a second service account with the same permissions

7/11/2018

After following the tutorial Connecting [Postgres] from Kubernetes Engine, I was able to have my app server connect to my Postgres database through a Cloud SQL Proxy and a service account that grants the "SQL Client", "SQL Editor" and "SQL Admin" permissions.

But, after following this tutorial a second time (to create a second database, for use from another cluster), and hence creating a second service account with the same permissions, I realised that I could only connect to my second Cloud SQL database using my first service account!

Every time I tried to use the second service account (which, again, grants access to the exact same 3 permissions!), I was getting couldn't connect to "project:region:instance" errors...

Context: I know that instance-based permissions are not supported by Cloud SQL yet, but I would like to have dedicated service accounts for each of my 2 databases if possible, and do not understand why a second service account with the same permissions does not work.

-- Adrien Joly
Tags: cloud-sql-proxy, google-cloud-platform, google-cloud-sql, google-kubernetes-engine, service-accounts

1 Answer

8/22/2018

First of all, you only need the Cloud SQL Client role for your Cloud SQL proxy. Other roles are not required.

Secondly, are you using the app server from the same Kubernetes cluster? Are you trying to use the same Kubernetes secret, cloudsql-instance-credentials, for both service accounts?

If yes, that's the problem. You need to update the cloudsql-instance-credentials secret with the new credentials JSON for the second service account.

Alternatively, you may keep two secret objects, cloudsql-instance-credentials-service-account-1 and cloudsql-instance-credentials-service-account-2, and update the config YAML to mount the required secret, like below:

  # both keys sit under the pod spec; containers and volumes are siblings
  containers:
    - name: cloudsql-proxy
      image: gcr.io/cloudsql-docker/gce-proxy:1.09
      command: ["/cloud_sql_proxy", "--dir=/cloudsql",
                "-instances=<instance_connection_name>=tcp:5432",
                "-credential_file=/secrets/cloudsql/credentials.json"]
      volumeMounts:
        # the proxy reads its key from the path where this secret is mounted
        - name: cloudsql-instance-credentials
          mountPath: /secrets/cloudsql
          readOnly: true
  volumes:
    - name: cloudsql-instance-credentials
      secret:
        # point this at the secret holding the second service account's key
        secretName: cloudsql-instance-credentials-service-account-2
-- Narendra
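A configuration check for the mounting described in the answer, added here as an example (it is not code from the post or from the Cloud SQL proxy project): it follows the proxy container's -credential_file path through its volumeMount to the secret that backs it, so each deployment can be verified to use the secret for its own service account. The pod spec is embedded as a constructed Python dict that mirrors the YAML above; the function names are assumptions.

```python
"""Trace which Kubernetes secret a cloudsql-proxy sidecar actually reads."""

# Constructed sample pod spec mirroring the answer's YAML (containers and
# volumes are siblings under the pod spec).
POD_SPEC = {
    "containers": [{
        "name": "cloudsql-proxy",
        "image": "gcr.io/cloudsql-docker/gce-proxy:1.09",
        "command": ["/cloud_sql_proxy", "--dir=/cloudsql",
                    "-instances=<instance_connection_name>=tcp:5432",
                    "-credential_file=/secrets/cloudsql/credentials.json"],
        "volumeMounts": [{"name": "cloudsql-instance-credentials",
                          "mountPath": "/secrets/cloudsql",
                          "readOnly": True}],
    }],
    "volumes": [{"name": "cloudsql-instance-credentials",
                 "secret": {"secretName":
                            "cloudsql-instance-credentials-service-account-2"}}],
}


def credential_file_arg(container):
    """Return the path passed via -credential_file / --credential_file, or None."""
    for arg in container.get("command", []) + container.get("args", []):
        if arg.startswith(("-credential_file=", "--credential_file=")):
            return arg.split("=", 1)[1]
    return None


def resolve_secret(spec, container_name="cloudsql-proxy"):
    """Follow credential path -> volumeMount -> volume -> secretName.

    Returns None when the chain is broken (no such container, no
    -credential_file flag, path not under any mount, or the mounted volume
    is not backed by a secret), which is exactly the misconfiguration that
    leaves the proxy using the wrong or no credentials."""
    container = next((c for c in spec.get("containers", [])
                      if c.get("name") == container_name), None)
    if container is None:
        return None
    path = credential_file_arg(container)
    if path is None:
        return None
    for mount in container.get("volumeMounts", []):
        root = mount["mountPath"].rstrip("/")
        if path == root or path.startswith(root + "/"):
            for vol in spec.get("volumes", []):
                if vol.get("name") == mount["name"] and "secret" in vol:
                    return vol["secret"].get("secretName")
    return None


def uses_expected_secret(spec, expected_secret):
    """True only if the proxy's key file comes from the expected secret."""
    return resolve_secret(spec) == expected_secret
```

Run the check against the rendered spec of each deployment; a False for the second cluster means its proxy is still wired to the first service account's secret.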
Source: StackOverflow