Cloud SQL Proxy in a Kubernetes cluster: What Service-account Permissions are needed?

7/11/2019

I'm following a guide by google (https://github.com/GoogleCloudPlatform/cloudsql-proxy/blob/master/Kubernetes.md) to set up a Cloud SQL Proxy in a Kubernetes cluster.

The documentation says:

You need a service-account token with "Project Editor" privileges

I'm confused because my app (Composer) running on Kubernetes and the Cloud SQL database I'm trying to connect to live in different projects. Do I only need "Project Editor" privileges to both projects? I don't think our system admin will want to give my project editor privileges to the project that contains the SQL database I want to connect to.

I ask because I'm running into connection issues:

ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 0
googleapi: Error 403: The client is not authorized to make this request., notAuthorized

I'm assuming the connection error is due to the service-account token I used, because I followed everything else in the guide rigorously.

I've tested with two service account tokens.

  1. Service account with Project editor for the project that Kubernetes lives in.

  2. Service account our systems admin sent me with privileges to connect to the cloud SQL database.

-- Srule
cloud-sql-proxy
google-cloud-composer
google-cloud-sql
google-kubernetes-engine

1 Answer

7/12/2019

To use the Cloud SQL proxy, your credentials should have one of the following IAM roles:

  • Cloud SQL Client (preferred)
  • Cloud SQL Editor
  • Cloud SQL Admin

Or, you can manually assign the following IAM permissions:

  • cloudsql.instances.connect
  • cloudsql.instances.get

Your credentials need to have these permissions for both accounts - the account with the database and the account with the credentials you are using.

-- kurtisvg
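A pre-flight check for the roles listed in the answer, as an added Python example that is not part of the answer or of Google's guide: it parses the proxy's -instances value (PROJECT:REGION:INSTANCE, the format the guide uses) to find the project that hosts each database and reports which qualifying role, if any, the service account holds in that project's IAM policy. The project IDs, service-account e-mail and IAM policies are constructed sample data shaped like the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns.

```python
"""Pre-flight IAM check for the Cloud SQL proxy service account (constructed example)."""

# Predefined roles that carry cloudsql.instances.connect and cloudsql.instances.get:
# the three roles from the answer, plus the basic roles that include them.
QUALIFYING_ROLES = {
    "roles/cloudsql.client", "roles/cloudsql.editor", "roles/cloudsql.admin",
    "roles/editor", "roles/owner",
}


def instance_projects(instances_flag):
    """Project IDs from the proxy's -instances value, e.g.
    'db-proj:us-central1:mysql=tcp:3306,other-proj:europe-west1:pg'."""
    projects = []
    for entry in instances_flag.split(","):
        connection_name = entry.split("=")[0]          # drop the '=tcp:PORT' suffix
        project = connection_name.split(":")[0]        # PROJECT:REGION:INSTANCE
        if project not in projects:
            projects.append(project)
    return projects


def cloudsql_roles_for(policy, sa_email):
    """Qualifying roles bound to the service account in one project's IAM policy."""
    member = f"serviceAccount:{sa_email}"
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []) and b["role"] in QUALIFYING_ROLES)


def check_proxy_access(policies, sa_email, instances_flag):
    """Map each database project to the qualifying roles the SA holds there.
    An empty list is the gap that shows up as 'Error 403 ... notAuthorized' from the proxy."""
    return {p: cloudsql_roles_for(policies.get(p, {}), sa_email)
            for p in instance_projects(instances_flag)}


# Constructed sample policies: the SA is Editor in the cluster's project but
# has only Viewer in the project that hosts the database (the situation in the question).
SA = "composer-proxy@k8s-project-example.iam.gserviceaccount.com"
POLICIES = {
    "k8s-project-example": {"bindings": [
        {"role": "roles/editor", "members": [f"serviceAccount:{SA}"]}]},
    "db-project-example": {"bindings": [
        {"role": "roles/viewer", "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/cloudsql.client", "members": ["user:dba@example.com"]}]},
}
INSTANCES = "db-project-example:us-central1:prod-mysql=tcp:3306"

if __name__ == "__main__":
    for project, roles in check_proxy_access(POLICIES, SA, INSTANCES).items():
        print(project, "OK:" if roles else "MISSING Cloud SQL role", roles)
```

Custom roles are not recognised by this check; if your admin grants cloudsql.instances.connect and cloudsql.instances.get through a custom role, add its name to QUALIFYING_ROLES.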
Source: StackOverflow