A bit scary. Was able to connect to my instance using google cloud sql proxy after deleting my service role account


wob...@yblew.com

31 Mar 2016, 12:49:47
to Google Cloud SQL discuss
A bit scary. Was able to connect to my instance using google cloud sql proxy after deleting my service role account

1. Created a service account under editor role

2. Was able to access my server using:

/usr/local/bin/cloud_sql_proxy -dir=/cloudsql -instances=my-project:us-central1:sql-instance=tcp:3306 -credential_file=/prod.json &

3. Deleted my service account

4. Was able to access my instance after deletion of service account using:

/usr/local/bin/cloud_sql_proxy -dir=/cloudsql -instances=my-project:us-central1:sql-instance=tcp:3306 -credential_file=/prod.json &

wob...@yblew.com

31 Mar 2016, 13:55:15
to Google Cloud SQL discuss
After an hour, now I'm getting


Response: {
  "error" : "invalid_client",
  "error_description" : "The OAuth client was not found."
}


Does it take a while for google cloud sql proxy to sync up with changes to permissions?

paynen

4 Apr 2016, 16:56:02
to Google Cloud SQL discuss
Hey wobeng@,

This is expected behaviour. The Service Account's credentials are used to get an access token via OAuth2. If that token isn't revoked, it will continue to work for the default 3600 seconds. I hope this helps clear up the behaviour you saw!

Cheers,

Nick
Cloud Platform Community Support

paynen

4 Apr 2016, 16:57:29
to Google Cloud SQL discuss

Kevin Malachowski

4 Apr 2016, 18:06:36
to Google Cloud SQL discuss
Another note: after removing an account's access, existing connections to the database will continue to work (even after the hour expiration you noticed). To break old connections (to combat this in the case a service account is compromised) you can restart your database or reset the SSL certificates on your database instance via our API.
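An added example, not part of the thread and not Google's code: a small model of the residual access the replies describe, for working out after a service account deletion which proxies can still open new connections (token not yet expired) and which hold connections that only a database restart or SSL certificate reset will end. The `ProxySession` record, the host names and all timestamps are constructed assumptions; the 3600-second lifetime is the default quoted above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

TOKEN_LIFETIME = timedelta(seconds=3600)  # default lifetime quoted in the thread

@dataclass
class ProxySession:  # hypothetical inventory record, not a Cloud SQL log format
    host: str
    token_issued: datetime            # last access token the proxy obtained
    conn_opened: Optional[datetime]   # open DB connection, None if there is none

def triage(sessions: List[ProxySession], deleted_at: datetime,
           now: datetime) -> Dict[str, List[str]]:
    """List what each proxy can still do after the account was deleted."""
    report = {}
    for s in sessions:
        expires = s.token_issued + TOKEN_LIFETIME
        findings = []
        # A token minted before deletion keeps working until it expires,
        # so the proxy can still open new connections until then.
        if s.token_issued <= deleted_at and now < expires:
            findings.append("token-valid")
        # A connection opened while a token was valid outlives that token;
        # only a database restart or an SSL certificate reset ends it.
        if s.conn_opened is not None and s.conn_opened < expires:
            findings.append("open-connection")
        report[s.host] = findings
    return report

def new_connections_until(sessions: List[ProxySession],
                          deleted_at: datetime) -> Optional[datetime]:
    """Latest expiry among tokens issued before deletion, None if no such token."""
    return max((s.token_issued + TOKEN_LIFETIME for s in sessions
                if s.token_issued <= deleted_at), default=None)

# Constructed sample data: hosts and times are invented for illustration.
DAY = datetime(2016, 3, 31)
DELETED_AT = DAY.replace(hour=12, minute=40)
SAMPLE = [
    ProxySession("proxy-a", DAY.replace(hour=12, minute=35), DAY.replace(hour=12, minute=45)),
    ProxySession("proxy-b", DAY.replace(hour=11, minute=50), None),
    ProxySession("proxy-c", DAY.replace(hour=11, minute=30), DAY.replace(hour=11, minute=31)),
]

if __name__ == "__main__":
    for when in (DAY.replace(hour=12, minute=49), DAY.replace(hour=13, minute=55)):
        print(when.time(), triage(SAMPLE, DELETED_AT, when))
    print("new connections possible until", new_connections_until(SAMPLE, DELETED_AT))
```

In the sample, `proxy-c` shows the case Kevin's reply warns about: its token expired before the deletion was even checked, yet its open connection still needs a restart or certificate reset to be cut.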