This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Can't connect to Cloud SQL instance from local proxy because of service account

Posted on 02-14-2023 04:30 AM
alexandre-br
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

I'm new to GCP and currently trying to connect a local project to a Cloud SQL instance, but the proxy tells me that the certificate is invalid. The credentials file was initially generated from a newly created service account that had the Client SQL role; it didn't worked, so I created a new one that has the Cloud SQL Admin role, but the error won't go away. That's what the proxy tells me:

cloudsql-proxy | 2023/02/14 12:06:15 couldn't connect to "<my-project>:southamerica-east1:<my-instance>": x509: certificate is valid for 16-c57c61b2-a060-46c4-b781-ca7113f5f75b.southamerica-east1.sql.goog, not <my-project>:<my-instance>

Now, the description seems clear to me: the current account doesn't have access to the instance; but I couldn't find a way to grant said access. What am I missing?

Solved Solved
1 5 5,386
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
BenTheMeta
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Upgrading the gcr.io/cloudsql-docker/gce-proxy from 1.11 to 1.33.2 fixed my issue.

View solution in original post

Jump to Solution
5 REPLIES 5

Posted on --/--/---- --:-- AM
darsh_shukla
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

Hi,

If you are using a service account to authenticate the Cloud SQL follow these steps

If you want to connect with SSL/TLS certificates follow these steps. Remember you have to patch your instance.

gcloud sql instances patch <instance-name> --require-ssl

 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
BenTheMeta
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I am experiencing the same issue. Except I have had several PostgreSQL DBs running for years and I recently created a new one. When deploying the new proxy, it attempts to connect to the new DB and I get the above error. In the proxy connection string, if I change nothing but the DB instance name to an old DB instance, it connects properly. My old DBs nor my new DB do not require SSL.

This means the service account credentials are being applied correctly.

Also, I am able to run the proxy locally and it connects properly.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
BenTheMeta
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Upgrading the gcr.io/cloudsql-docker/gce-proxy from 1.11 to 1.33.2 fixed my issue.

Jump to Solution

Posted on --/--/---- --:-- AM
alexandre-br
Bronze 3
Bronze 3
In response to BenTheMeta
Reply posted on --/--/---- --:-- AM

Thanks, @BenTheMeta.

(Replying just now because we chose to use the proxy only in production, which we are deploying now.)

Jump to Solution

Posted on --/--/---- --:-- AM
kenwizz
Bronze 1
Bronze 1
In response to BenTheMeta
Reply posted on --/--/---- --:-- AM

This solved my issue too. After about 2 hrs of turning my pods describe and logs inside out trying to establish why my health checks are not running. Thanks Ben.

Jump to Solution