问题
This seems like a question that's been answered before, but I've no luck with any other answers, so I'm opening a new question.
I'm using a python script and create/configure a database and connect to it using the cloud_sql_proxy. The script runs beautifully if I don't provide a service account credential for cloud_sql_proxy, but if I do then I get this:
2017/08/18 15:34:12 using credential file for authentication; email=test-acc@project.iam.gserviceaccount.com
2017/08/18 15:34:12 Listening on 127.0.0.1:3306 for project:zone:instance
2017/08/18 15:34:12 Ready for new connections
2017/08/18 15:34:12 New connection for "project:zone:instance"
2017/08/18 15:34:13 couldn't connect to "project:zone:instance":
ensure that the account has access to "project:zone:instance"
(and make sure there's no typo in that name).
Error during createEphemeral for project:zone:instance:
googleapi: Error 403: The client is not authorized to make this request., notAuthorizedIt's not an INSTANCE_CONNECTION_NAME issue because it works fine when I authenticate without a service account:
2017/08/18 15:38:32 Listening on 127.0.0.1:3306 for project:zone:instance
2017/08/18 15:38:32 Ready for new connections
2017/08/18 15:38:32 New connection for "project:zone:instance"
Connection established.I've tried many different kinds of service account roles: SQLclient + SQLAdmin, SQLclient + SQLAdmin + ProjectEditor, etc etc.
Any ideas? I'm stumped.
回答1:
I found the problem. I originally didn't have admin access to IAM for this project. After getting admin privileges here, I was able to add the service account to the IAM page. This solved this issue, though I'm still getting an interesting 400 Error complaining that my JWT Signature is invalid.
UPDATE:
I found that my credential file secret was a second credential file that I made for the same service account (You can make more than one key for a service account). After updating the secret to use the right key I was able to get my deployment to work.
来源:https://stackoverflow.com/questions/45766105/how-do-i-connect-to-a-cloud-sql-instance-using-a-service-account