As I'm using a Mac, I'm not sure if the Unix socket method is expected to work, but here's what I tried. I removed the "=tcp:5433" from my command, leaving me with this:
./cloud_sql_proxy --dir='./cloudsql' -instances=[project-id]:us-central1:[cloud-sql-instance-id] -credential_file=/path/to/credentials.json
That immediately responded with:
using credential file for authentication; email=[my-service-name]@[project-id].
iam.gserviceaccount.com2017/10/04 15:51:10 errors parsing config:
I've also tried starting over from first principles. I asked my client to create a brand new project. I have the editor role for the project, plus Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer, Cloud SQL Client, plus some permissions for assigning roles to the service account I subsequently set up: Service Account Admin, Service Account Key Admin, Service Account Token Creator, Service Account User.
I've created a new database instance. And a new Service Account which I've give the Cloud SQL Client role. I get a new credentials file. Then I used that credentials file in my standard cloud-sql-proxy command, with the new database instance connection name (for this attempt, I went back to the tcp:5433 option).
In my first attempt to connect via psql, the cloud sql proxy spit out the error message:
2017/10/04 15:35:18 using credential file for authentication; email=[my-service-id]@[project-id].
iam.gserviceaccount.com2017/10/04 15:35:18 Listening on
127.0.0.1:5433 for [project-id]:us-central1:[cloud-sql-instance-id]
2017/10/04 15:35:18 Ready for new connections
2017/10/04 15:35:35 New connection for "[project-id]:us-central1:[cloud-sql-instance-id]"
2017/10/04 15:35:35 couldn't connect to "[project-id]:us-central1:[cloud-sql-instance-id] ": ensure that the account has access to "[project-id]:us-central1:[cloud-sql-instance-id] " (and make sure there's no typo in that name). Error during createEphemeral for [project-id]:us-central1:[cloud-sql-instance-id] : googleapi: Error 403: Access Not Configured. Cloud SQL Administration API has not been used in project [123456789] before or it is disabled. Enable it by visiting
https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview?project=[123456789] then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured
This, of course, makes sense to me because I forgot to enable Cloud SQL Admin API. So I enable the SQL API. After waiting a few minutes, I tried to connect again, and I'm back to the same 403 error message as before:
2017/10/04 15:44:23 couldn't connect to "[project-id]:us-central1:[cloud-sql-instance-id]": ensure that the account has access to "[project-id]:us-central1:[cloud-sql-instance-id]" (and make sure there's no typo in that name). Error during createEphemeral for [project-id]:us-central1:[cloud-sql-instance-id]: googleapi: Error 403: The client is not authorized to make this request., notAuthorized
My gut tells me that there's some other config step -- probably something that would have happened automatically if this had been a project under my own cloud account, as I've had this configuration work when dealing with my projects under my Google cloud environment -- but I feel like I have no ability to debug the problem at this point.
BC