Getting notAuthorized error with cloud_sql_proxy locally

时间:2016-04-04 18:46:38

标签: google-app-engine google-cloud-platform google-cloud-sql

I'm trying to setup a connection locally for 2nd generation cloud sql instance.

Call for the proxy is

./cloud_sql_proxy -dir=/cloudsql -instances=status-1268:us-central1:status-dev=tcp:3306 & mysql -u status_stg --host 127.0.0.1

I am a bit unclear on how to set up correctly the service accounts from the API section, so I tried with both of the defaults, App engine default service account and Compute engine default service account. I also created a new one service account. For each one of them I assigned the service account ID to be Editor and Owner from the manage permissions section. Perhaps there is another way to enable Cloud SQL Admin API for these accounts?

Output from proxy when my service tries to talk to DB:

./cloud_sql_proxy -dir=/cloudsql -instances=status-1268:us-central1:status-   dev=tcp:3306 & mysql -u status_stg --host 127.0.0.1
ERROR 2003 (HY000): Can't connect to MySQL server on '127.0.0.1' (61)
2016/04/04 11:26:58 Open socket for "status-1268:us-central1:status-dev" at     "127.0.0.1:3306"
2016/04/04 11:26:58 Socket prefix: /cloudsql
2016/04/04 11:27:10 Got a connection for "status-1268:us-central1:status-dev"
2016/04/04 11:27:11 couldn't connect to "status-1268:us-central1:status-dev": googleapi: Error 403: The client is not authorized to make this request., notAuthorized
2016/04/04 11:29:08 Got a connection for "status-1268:us-central1:status-dev"
2016/04/04 11:29:08 couldn't connect to "status-1268:us-central1:status-dev": googleapi: Error 403: The client is not authorized to make this request., notAuthorized

Thoughts on what to look for? I think I am missing something basic here configuring the service accounts.

(Overall, for my project I am running a node.js express app and hoping to connect it to 2nd gend cloud sql DB instance without having to expose it with 0.0.0.0 as I currently have working)

Thanks

6 个答案:

答案 0 :(得分:4)

TL; DR :如果您的错误日志包含Error during createEphemeral..,请继续阅读。

适用于我的解决方案来自Github Cloud-SQL-Proxy Issue Tracker

  

您可能在后端遇到了一个错误   当存在具有相同名称的旧服务帐户时触发。   请按照以下步骤解决您的问题:

     
      
  1. 转到Cloud Project IAM页面(左侧菜单> IAM& Admin> IAM)
    2.   
  2. 查找有问题的机器人帐户的行。
    3.   
  3. 应该在角色列上说“Cloud SQL Client”。
    4.   
  4. 点击它打开下拉列表
    5.   
  5. 单击选中的“Cloud SQL Client”角色取消选中它。
    6.   
  6. 点击上面的蓝色保存按钮。
    7.   
  7. 确认已从IAM页面中删除服务帐户。
    8.   
  8. 点击同一页面上方的添加按钮。
    9.   
  9. 输入服务帐户电子邮件地址并选择Cloud SQL Client角色
    10.   
  10. 点击添加
    11.   
  11. 服务帐户应该再次出现在列表中。
    12.   

Chees的积分,但积分是我的:P。希望它能解决你的问题。

答案 1 :(得分:3)

在我的情况下,问题是服务帐户没有正确的角色。你至少应该把它设置为编辑。

答案 2 :(得分:2)

请仔细检查连接字符串。听起来你的凭据是有序的,所以你可能在实例名称中有错误。

我建议复制&粘贴实例的云控制台页面中的“实例连接名称”:

instance details

答案 3 :(得分:2)

出现此类错误的原因有很多。

以下是解决方案:

1)从sql实例'overview'选项卡中复制实例名称。 enter image description here

2)您可能无法访问云sql客户端

here更详细。

答案 4 :(得分:2)

就我而言,我犯了两个错误:

  1. 确保为云sql实例使用正确的项目。

    $gcloud config set project my-project

  2. 使用正确 connectionName。如果你像我一样关注谷歌文档,你可能会在connectionName中放置方括号。删除它们。

    3. Myname-MBP:django setoelkahfi$ ./cloud_sql_proxy -instances="[blitzkrig-9f158:us-central1:polls-instance]"=tcp:3306 2018/06/01 04:55:48 Listening on 127.0.0.1:3306 for [blitzkrig-9f158-9f158:us-central1:polls-instance] 2018/06/01 04:55:48 Ready for new connections 2018/06/01 04:56:48 New connection for "[blitzkrig-9f158-9f158:us-central1:polls-instance]" 2018/06/01 04:56:50 couldn't connect to "[blitzkrig-9f158-9f158:us-central1:olls-instance]": ensure that the account has access to "[blitzkrig-9f158-9f158:us-central1:polls-instance]" (and make sure there's no typo in that name). Error during createEphemeral for [blitzkrig-9f158-9f158:us-central1:polls-instance]: googleapi: Error 403: The client is not authorized to make this request., notAuthorized

答案 5 :(得分:1)

另一种说法是,如果您使用-dir标志,则意味着您将通过unix-socket连接,对于MySQL,这是一个额外的连接参数,并且=tcp:3306在连接时会变得多余尽管127.0.0.1无效,因为它是TCP,并且正在等待套接字上的连接。

相关问题
最新问题