stackoom
  简体   繁体   中英

Cannot connect to Google cloud SQL from App Engine Standard Environment

 原文  2022-04-14 15:14:26       google-app-engine/ google-cloud-platform/ google-cloud-sql/ google-cloud-iam

Question

I have recently switch my code to another project. I use the Public IP method addressed in official document but to no avail.

In the log explorer, I have seen a lot of warning entries state that:

CloudSQL warning: your action is needed to update your application and avoid potential disruptions. Please see https://cloud.google.com/sql/docs/mysql/connect-app-engine-standard for additional details:

Post https://sqladmin.googleapis.com/sql/v1beta4/projects/<PROJECT_ID>/instances/asia-east1~<CLOUD_SQL_INSTANCE>:generateEphemeralCert?alt=json&prettyPrint=false : rpc error: code = PermissionDenied desc = IAM permission denied for service account gae-deploy@<PROJECT_ID>.iam.gserviceaccount.com.

Things I have confirmed and checked:

  • New cloud SQL and app engine are on the same project
  • Cloud SQL Admin API is enabled
  • App engine region is asia-east1 (same as the cloud SQL region)
  • App engine service account and GAE cloud deploy accounts have Cloud SQL Admin role
  • Default service account [PROJECT_ID]@appspot.gserviceaccount.com has the following roles:
    • Cloud SQL Admin , Editor , Service Account Token Creator , Storage Object Admin
  • Created service account gae-deploy@<PROJECT_ID>.iam.gserviceaccount.com has the following roles:
    • App Engine Service Admin , Cloud Build Service Account , Cloud SQL Admin , Cloud SQL Client , Serverless VPC Access User , Service Account User

According to the documents, Cloud SQL Client role is enough. But the logs keep telling me that the service account cannot access the cloud sql admin API.

What am I doing wrong? Or which additional IAM roles should I grant to the service accounts?

1 answers

solution1
 1  2022-04-15 03:42:17

I have tried the similar steps mentioned on this github thread comment . Steps I have done:

  • remove ALL roles for both default app engine service account [PROJECT_ID]@appspot.gserviceaccount.com and gae-deploy@<PROJECT_ID>.iam.gserviceaccount.com
  • Add the same roles back
  • Rebuild app engine

Now everything is usual

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Django on Google App Engine connection to Cloud SQL, cannot connect Cannot Connect to Cloud SQL from App Engine Standard using a VPC Static Ip Address with Egress Setting: all-traffic Google Cloud Platform App Engine Standard environment with 4GB RAM How to set environment variables using Google Cloud Build or other method in Google App Engine Standard Environment? How do change from Google App Engine from Flexible Environment to Standard environment ENOENT when connecting to Google Cloud SQL from App Engine Cannot connect to Postgres Database from Strapi on Google App Engine I used Google Cloud Platform App Engine and Google Cloud SQL, Sequelize, but Error: connect ETIMEDOUT error Can't connect to Google Cloud SQL from Google Compute Engine with Cloud SQL Proxy GCP App Engine: Migrate services from the flexible environment to the standard environment
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM