I wrote a script 3 months ago to connect to mysql in GCP and it has been working solid for 3 months until this morning from a cafe I always go to for the last 3 weeks. I received this error:
ERROR: (gcloud.sql.connect) Could not allowlist client IP. Server did not reply with the allowlisted IP.
Has there been any permission changes or anything? I just lost access to my production database 😞 😞 though it is a startup but it still is frustrating. Any way to figure this out and get connected again?
If it helps, this is the full script that has been working for months
#!/bin/bash
gcloud auth login
gcloud config set project myproject-xxxxx
export PGSSLMODE=verify-ca
export PGSSLROOTCERT=server-ca.pem
export PGSSLCERT=client-cert.pem
export PGSSLKEY=client-key.pem
#This cmd is the same with other options too -> gcloud sql generate-login-token
gcloud auth application-default print-access-token > token.txt
gcloud sql connect spamfilter --database=spamfilter --user=spamfiltersvc --access-token-file=token.txt
gcloud sql uses psql under the covers, so the variables above were for psql, if I recall, not the gcloud sql command.
EDIT: I got home and tried here and it is not working here either 😞 😞. Something changed on the Google end but I have no idea how to fix this and connect to production database now :(.
MORE INFO: Added my home's IP (which rotates I think 😞) to authorized and use psql directly and that works but the whitelisting piece completely broke 😞.
The error "ERROR: (gcloud.sql.connect) Could not allowlist client IP. Server did not reply with the allowlisted IP" means Google Cloud SQL is failing to add your current IP address to its authorized networks temporarily. Here are some possible reasons:
Troubleshooting Steps:
1. Check Your Current IP Address:
2. Manage Authorized Networks:
3. Verify gcloud and Script: gcloud components update to ensure you have the latest version.
4. Direct psql Test (If still failing): psql using the same database credentials but providing your cafe's IP explicitly. This isolates the gcloud sql connect command.
5. Examine Logs:
On number 3, yes, I forgot to mention, I ran that update which unfortunately did not fix it.
I ran number #1 and #2 as a WORKAROUND with #4 which does work but is not ideal since my home IP changes and I have to keep removing and re-adding (very annoying).
#5 is interesting. Trying now... I see 2 links, "View all operations" and "View postgres error logs". Neither of these yield any errors.
I have been using this script for months to connect and only recently in last 7 days it stopped working (I think 2-3 days ago). Are there any logs on Google side? This is so weird that it just broke and I have no insights into why? A new permission is required for the user perhaps that was not needed before? I am not sure what changed?
It seems like there might have been a change in the IP allowlist configuration on Google Cloud SQL's side. To fix it:
I am confused. The script has not changed in 6 months. I had to use a 'whats my ip' website and add to authorized networks which is not ideal as I need to keep adding/removing it now. For months, I have not had to update any 'allowlist' until now. All locations, I am getting the same error result that I did not get before (i.e. all routers in all the cafes I work from and at home).
😥Well, seems like they fixed it. it is working again!!!!!!!! I changed nothing in the scripts at all!!!! ouch, that sucked as it was down for a few days.
Your home's IP address, which has been whitelisted, may change. This is a common occurrence with home Internet connections. You need to update the IP address in the list of allowed IP addresses in GCP settings.
Does your service account have the necessary permissions to access your database in GCP? This may include allowing connections from certain IP addresses.
The command accounts for changes in ip address!!! They somehow fixed it(they must have broken it, realized and fixed it). It was working for months and then was out for a few weeks. AS A WORKAROUND, I had to start adding ip addresses in the allow list. Now that it is working again, I deleted ALL ip addresses from allow list.
The above command is better as it whitelists your current ip for 5 minutes, connects and then you are in and it removes it from the whitelist keeping you very secure.
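A check that fits the cleanup described in the last two posts, as an added example that is not part of the thread: it reads instance JSON in the shape of `gcloud sql instances describe --format=json` and lists authorized-network entries that have no expiration or cover more than one address. The sample instance, its names, addresses and times, and the `audit` function are constructed for illustration.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample shaped like `gcloud sql instances describe INSTANCE --format=json`
# (only the fields used here; names, addresses and times are made up).
SAMPLE = json.loads("""
{"name": "example-instance",
 "settings": {"ipConfiguration": {"authorizedNetworks": [
   {"name": "home", "value": "203.0.113.7/32"},
   {"name": "cafe-wifi", "value": "198.51.100.0/24"},
   {"name": "temp-open", "value": "0.0.0.0/0"},
   {"name": "temporary entry", "value": "192.0.2.10/32",
    "expirationTime": "2024-05-01T10:05:00Z"}
 ]}}}
""")

def parse_time(ts):
    # Accept the RFC 3339 "Z" suffix on Python versions older than 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit(instance, now, max_hosts=1):
    """Return (entry name, finding) pairs for allowlist entries worth reviewing."""
    nets = (instance.get("settings", {}).get("ipConfiguration", {})
            .get("authorizedNetworks", []))
    findings = []
    for e in nets:
        label = e.get("name") or e["value"]
        net = ipaddress.ip_network(e["value"], strict=False)
        exp = e.get("expirationTime")
        if net.prefixlen == 0:
            findings.append((label, "open to the whole internet"))
        elif net.num_addresses > max_hosts:
            findings.append((label, f"covers {net.num_addresses} addresses"))
        if exp is None:
            # Manually added workaround entries carry no expiry.
            findings.append((label, "no expiration, stays until removed by hand"))
        elif parse_time(exp) <= now:
            findings.append((label, "expired entry still listed"))
    return findings

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)
    for name, finding in audit(SAMPLE, now):
        print(f"{name}: {finding}")
```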