GCloud SQL from K8s - errors

11/28/2018

I am trying to connect to Cloud SQL from a k8s instance with a side-car proxy running in the same pod.

According to Google guidelines I should reuse a Service Account with a JSON private key to let the pod access the given SQL instance.

With a newly created SQL instance I seem to automatically get a Service Account which looks like: [hash]@speckle-umbrella-pg-8.iam.gserviceaccount.com

With this account, how can I generate a JSON private key? I was trying to create an SSL certificate in the "Connections" tab, but there is no option to create JSON ones.

As a second option I was trying to reuse an existing IAM service account - "Compute Engine default service account", having generated a JSON key for it, but it did not work.

The way I set it up is:

  1. I create a secret:

    kubectl create secret generic cloudsql-instance-credentials --from-file=credentials.json=[PROXY_KEY_FILE_PATH]

  2. I attach the container to the pod:

    - name: cloudsql-proxy
      image: gcr.io/cloudsql-docker/gce-proxy:1.11
      command: ["/cloud_sql_proxy",
                "-instances=project-name:us-central1:sql-instance-name=tcp:5432",
                "-credential_file=/secrets/cloudsql/credentials.json"]
      securityContext:
        runAsUser: 2  # non-root user
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: cloudsql-instance-credentials
          mountPath: /secrets/cloudsql
          readOnly: true

What's the correct way? Google docs do not seem to contain complete information.

-- ArkadyB
google-cloud-platform
google-cloud-sql
google-kubernetes-engine
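A complete Pod manifest for the two steps in the question, as an added example that is not from the question or the answer: it adds the application container and the `volumes` entry that binds the secret to the proxy's mount path. The application container name, its image, and the environment variable names are assumed.

```yaml
# Added example: full Pod wiring the cloudsql-instance-credentials secret
# (created with the kubectl command in step 1) into the proxy sidecar from
# step 2. The app container, its image and env names are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: app-with-cloudsql-proxy
spec:
  containers:
    - name: app
      image: example.com/app:latest   # assumed application image
      env:
        # The proxy listens on localhost inside the pod; the app connects there,
        # so no database port is exposed outside the pod.
        - name: DATABASE_HOST
          value: "127.0.0.1"
        - name: DATABASE_PORT
          value: "5432"
    - name: cloudsql-proxy
      image: gcr.io/cloudsql-docker/gce-proxy:1.11
      command:
        - "/cloud_sql_proxy"
        - "-instances=project-name:us-central1:sql-instance-name=tcp:5432"
        - "-credential_file=/secrets/cloudsql/credentials.json"
      securityContext:
        runAsUser: 2                    # non-root user
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: cloudsql-instance-credentials
          mountPath: /secrets/cloudsql
          readOnly: true
  volumes:
    # Without this entry the volumeMounts above has nothing to mount;
    # secretName must match the secret created in step 1.
    - name: cloudsql-instance-credentials
      secret:
        secretName: cloudsql-instance-credentials
```

The credentials.json mounted here should be a key for a service account granted only the Cloud SQL Client role (roles/cloudsql.client), which is what the proxy needs, rather than a broader account such as the Compute Engine default.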

1 Answer

11/29/2018

1 - In the first option, you may create a JSON private key by following the guidelines mentioned in this article. Once the key has been generated, you can store it in a directory to create the SSL certificate.

2 - In the second option, we need to know what is the issue you’ve experienced exactly. Please share the error message. The issue here is that the Compute Engine default service account may or may not have the necessary permissions to use other Cloud Platform APIs. This depends on how your project is configured.

-- Mahmoud Sharif
Source: StackOverflow