GKE Using multiple clusters with one CloudSQL instance

12/11/2018

I have a cluster for staging that's been up for over a year using CloudSQL, and now I'd like to bring up another GKE cluster (same google project) pointed at the same database for testing. However, I'm seeing errors when trying to use the credentials.json from the old cluster in the new one.

googleapi: Error 403: The client is not authorized to make this request., notAuthorized

I've poked around IAM to find a way to open the permissions to the new cluster but haven't found a way even though I see a service account with the "Cloud SQL Client" role.

What's the right way to share credentials or open permissions (or do I need to create a new service account for this)?

Our template deployment yaml looks like:

  - name: postgres-proxy    # Cloud SQL Proxy sidecar; the app connects to 127.0.0.1:5432
    image: gcr.io/cloudsql-docker/gce-proxy:1.09
    imagePullPolicy: Always
    command: ["/cloud_sql_proxy",
              "--dir=/cloudsql",
              "-instances=@@PROJECT@@:us-central1:@@DBINST@@=tcp:5432",
              "-credential_file=/secrets/cloudsql/credentials.json"]  # service-account key mounted from the Secret
    volumeMounts:
      - name: cloudsql-oauth-credentials   # Secret containing credentials.json
        mountPath: /secrets/cloudsql
        readOnly: true
      - name: ssl-certs                    # CA bundle for the proxy's TLS connections to Google APIs
        mountPath: /etc/ssl/certs
      - name: cloudsql
        mountPath: /cloudsql
-- Charles Thayer
google-cloud-platform
google-cloud-sql
google-kubernetes-engine
kubernetes

2 Answers

1/7/2019

As you are receiving the Error 403 from some Google API, it appears to be an IAM permission error. To resolve the issue, please make sure the 'Cloud SQL Client' role is assigned to your service account. To check what permissions are added to your service account, go to the Cloud Project IAM page (Left Menu > IAM & Admin > IAM) and look for the row with the service account that is having the issue. The service account should say "Cloud SQL Client" in the Role column.

If you find that the "Cloud SQL Client" Role is not added to the service account, please try to follow the instructions outlined in this document. If the service account is not already in the members list, it will not have any Role assigned to it. Click Add and enter the email address of the service account. If the service account is already on the members list, it has existing Roles. Click the drop-down list under Role(s) for the service account that you want to edit, or you can add the "Cloud SQL Client" Role as an additional Role to the service account. You need to select the "Cloud SQL Client" Role from the drop-down list under "Cloud SQL".

If you see that the "Cloud SQL Client" Role already exists, click on edit to open the drop-down list. After that, click on delete and save it. Please make sure the service account is removed from the IAM page. Click the ADD button at the top of the Cloud Project IAM page. Enter the service account email address and select the "Cloud SQL Client" role from the drop-down list under "Cloud SQL". After that, click the SAVE button and the service account should appear again in the list. With this we are removing and then adding again the permissions for the service account.

You can also try adding a new service account as outlined in this document and selecting the "Cloud SQL Client" role from the drop-down list under "Cloud SQL". Please note that you need the "Service Account Admin" role or the "Editor" primitive role to do these operations.

If this still does not resolve the issue, please make sure the "Cloud SQL Instance" name is correct. You can copy and paste the "Instance connection name" from the Google Cloud Console page of the Cloud SQL Instance as outlined in this StackOverflow issue.

Alternatively, you can resolve the issue by updating the secret to use the right key. You can make more than one key for a service account.

-- Mohammad I
Source: StackOverflow
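The answer above boils the 403 down to three inputs the proxy depends on: the service-account key file, the instance connection name in the -instances flag, and the IAM binding in the project that owns the instance (a binding is granted per project, not per cluster, so the same key can serve any number of clusters once the role is there). The following script is an added example, not code from the original post or from the Cloud SQL Proxy project; it checks those three inputs offline. The key file, the -instances value and the IAM policy (in the shape printed by `gcloud projects get-iam-policy PROJECT --format=json`) are all constructed here, and the list of predefined roles that carry cloudsql.instances.connect is my own assumption rather than something the post states.

```python
"""Offline diagnosis of a Cloud SQL Proxy 403 from the three inputs it
depends on: the service-account key file, the -instances connection name
and the project's IAM policy. All sample data below is constructed."""
import json

# Predefined roles that include cloudsql.instances.connect and
# cloudsql.instances.get, the permissions the proxy needs. Assumption:
# this list is from memory of the predefined roles, not from the post.
ROLES_GRANTING_CONNECT = {
    "roles/cloudsql.client",
    "roles/cloudsql.editor",
    "roles/cloudsql.admin",
    "roles/editor",
    "roles/owner",
}


def parse_instances_flag(value):
    """Split '-instances=PROJECT:REGION:INSTANCE[=tcp:PORT]' into parts.
    rsplit keeps domain-scoped project ids such as 'example.com:proj' intact."""
    conn, _, listener = value.partition("=")
    parts = conn.rsplit(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a connection name: {conn!r}")
    project, region, instance = parts
    return {"project": project, "region": region,
            "instance": instance, "listener": listener or None}


def roles_for_member(policy, member):
    """Roles bound to `member` in a policy document shaped like the output of
    `gcloud projects get-iam-policy PROJECT --format=json` (conditions ignored)."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def diagnose(key, instances_flag, policy):
    """Return a list of findings; an empty list means the IAM side looks fine."""
    findings = []
    target = parse_instances_flag(instances_flag)
    if key.get("type") != "service_account":
        return ["credential file is not a service-account key"]
    member = "serviceAccount:" + key["client_email"]
    if key.get("project_id") != target["project"]:
        # Cross-project access is possible, but the policy checked below must
        # then be the one of the instance's project, not the key's.
        findings.append(f"key is from project {key['project_id']!r}, "
                        f"instance is in {target['project']!r}")
    roles = roles_for_member(policy, member)
    if not roles:
        findings.append(f"{member} has no bindings in the project IAM policy")
    elif not roles & ROLES_GRANTING_CONNECT:
        findings.append(f"{member} holds {sorted(roles)}, none of which "
                        "grants cloudsql.instances.connect")
    return findings


# Constructed inputs: a key file with its private key redacted, the proxy flag
# from the question with its placeholders filled in, and two IAM policies.
SAMPLE_KEY = json.loads("""{
  "type": "service_account",
  "project_id": "my-proj",
  "private_key_id": "0123456789abcdef",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nREDACTED\\n-----END PRIVATE KEY-----\\n",
  "client_email": "cloudsql-proxy@my-proj.iam.gserviceaccount.com",
  "client_id": "100000000000000000000"
}""")
SAMPLE_INSTANCES = "my-proj:us-central1:staging-db=tcp:5432"
POLICY_OK = {"bindings": [
    {"role": "roles/cloudsql.client",
     "members": ["serviceAccount:cloudsql-proxy@my-proj.iam.gserviceaccount.com"]},
], "etag": "BwVxyz", "version": 1}
POLICY_VIEWER_ONLY = {"bindings": [
    {"role": "roles/viewer",
     "members": ["serviceAccount:cloudsql-proxy@my-proj.iam.gserviceaccount.com"]},
], "etag": "BwVxyz", "version": 1}

if __name__ == "__main__":
    for name, policy in (("ok", POLICY_OK), ("viewer-only", POLICY_VIEWER_ONLY)):
        print(name, diagnose(SAMPLE_KEY, SAMPLE_INSTANCES, policy)
              or ["no IAM problem found"])
```

To run it against real inputs, replace the constructed data with the credentials.json from the Secret, the connection name from `gcloud sql instances describe INSTANCE --format='value(connectionName)'`, and the policy from `gcloud projects get-iam-policy PROJECT --format=json`. The check only looks at project-level bindings and does not evaluate IAM conditions, so a binding restricted by a condition will be reported as present even if it does not apply to the proxy.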

1/19/2019

GKE currently supports private IP address connectivity. You can connect to a Cloud SQL cluster if you are in the same region and the cluster has IP aliasing enabled.

-- newoxo
Source: StackOverflow