Cloud SQL Proxy: 403 notAuthorized error

Skip to first unread message

BC Holmes

Sep 29, 2017, 4:54:48 PM9/29/17
to Google Cloud SQL discuss
I seem to be having a problem with configuring the Cloud SQL Proxy. I'm getting a 403 notAuthorized error when I try to connect with my Cloud SQL Postgres database instance.

I've read several of the previous messages on this group discussing the topic (usually about MySQL). The part that's most perplexing is that I've successfully configured this before (in a Google Cloud instance that I set up), and as I'm trying to reproduce the same set up in a different Google Cloud instance (my client's configuration) I can't seem to get past this error. Here's the error message:

2017/09/29 16:23:11 couldn't connect to "[database-instance-id]": ensure that the account has access to "[database-instance-id]" (and make sure there's no typo in that name). Error during createEphemeral for [database-instance-id]: googleapi: Error 403: The client is not authorized to make this request., notAuthorized

I've double-checked the database instance id a few times, and have copy-and-pasted it directly from the "Instance Details" page on the Cloud SQL console to try to prevent typos.

Here's the set up:

1. I've tried two configurations: the first is an instance of the Cloud SQL Proxy running in a GKE environment, and the second is a Cloud SQL Proxy instance running locally via the command line of my Mac. I get the same errors in both instances.

2. I've set up my SQL service account and granted it the SQL Client role. (I've also tried other roles combinations that have come up in other posts, such as Cloud SQL Viewer, and sometimes all of the Cloud SQL roles).

3. When I run the Cloud SQL Proxy locally, the error happens at the moment I try a first database connection (using psql). Here's the command I run locally:

./cloud_sql_proxy --dir='./cloudsql' -instances=[database-instance-id]=tcp:5433 -credential_file=/path/to/credentials.json

(The real command has no square brackets in it -- I'm just putting those in to represent a placeholder. Some related group messages have talked about extraneous square brackets. I'm also using 5433 instead of the typical 5432 for my local environment because of port conflicts; my GKE configuration uses 5432).

I feel like the fact that I'm not the Owner of this Cloud project is one of the key differences between my working version and my non-working version. I've been the one to set up the Cloud SQL instance, the database and user, and the SQL service. At one point, *my* id didn't have the Cloud SQL Client role or the Cloud SQL Viewer role, but I've had those subsequently added to my id.

Any ideas?

BCing you

Ankush Agarwal

Sep 29, 2017, 5:19:47 PM9/29/17
Can you try creating a new service account, using a name which has not been used before?

3. Enter the "Service account name". Ensure that you've not used this name before. Select "Cloud SQL > Cloud SQL Client" as the Role.
4. Click on "Furnish a new private key" and choose "JSON" as the Key Type
5. Don't check "Enable G Suite Domain-wide Delegation"
6. Click "Create"
7. You should now have a downloaded "credentials.json" file
8. Try running the proxy with this .json file in the -credential_file flag

You received this message because you are subscribed to the Google Groups "Google Cloud SQL discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit
For more options, visit

Ankush Agarwal

Software Engineer, Cloud SQL
There are 10 types of people in this world - those who understand binary and those who don't

Thibault Bronchain

Oct 1, 2017, 1:13:40 PM10/1/17
to Google Cloud SQL discuss
I'm having the same issue. I tried the method listed bellow (and followed this procedure at first but can't get it working, always 403.

BC Holmes

Oct 2, 2017, 10:45:37 AM10/2/17
to Google Cloud SQL discuss
Thanks for your suggestion, but sadly, I get the same response.

I made sure that my service name is not one that I'd used before.

I still feel like there's something wonky about the fact that it's a project that I have access to, but not one that I own.

BCing you

Kamran (Google Cloud Support)

Oct 2, 2017, 10:59:30 PM10/2/17
to Google Cloud SQL discuss
BC Holmes,

Are you using INSTANCE_CONNECTION_NAME or INSTANCE ID?In the command you will need to specify INSTANCE_CONNECTION_NAME which is this format:


If you're connecting to your SQL instance from Linux machine, can you try Unix Socket method and let know if it works?

BC Holmes

Oct 3, 2017, 10:30:34 AM10/3/17
to Google Cloud SQL discuss
Re: name. I'm using the 3-part format with colons.

Re: sockets. I'm connecting from a Mac -- I'll read over the link to see if it's something I can try out.


BC Holmes

Oct 4, 2017, 4:14:21 PM10/4/17
to Google Cloud SQL discuss
As I'm using a Mac, I'm not sure if the Unix socket method is expected to work, but here's what I tried. I removed the "=tcp:5433" from my command, leaving me with this:

./cloud_sql_proxy --dir='./cloudsql' -instances=[project-id]:us-central1:[cloud-sql-instance-id] -credential_file=/path/to/credentials.json

That immediately responded with:

using credential file for authentication; email=[my-service-name]@[project-id]
2017/10/04 15:51:10 errors parsing config:

    googleapi: Error 403: The client is not authorized to make this request., notAuthorized

I've also tried starting over from first principles. I asked my client to create a brand new project. I have the editor role for the project, plus Cloud SQL Admin, Cloud SQL Editor, Cloud SQL Viewer, Cloud SQL Client, plus some permissions for assigning roles to the service account I subsequently set up: Service Account Admin, Service Account Key Admin, Service Account Token Creator, Service Account User.

I've created a new database instance. And a new Service Account which I've give the Cloud SQL Client role. I get a new credentials file. Then I used that credentials file in my standard cloud-sql-proxy command, with the new database instance connection name (for this attempt, I went back to the tcp:5433 option).

In my first attempt to connect via psql, the cloud sql proxy spit out the error message:

2017/10/04 15:35:18 using credential file for authentication; email=[my-service-id]@[project-id]
2017/10/04 15:35:18 Listening on for [project-id]:us-central1:[cloud-sql-instance-id]
2017/10/04 15:35:18 Ready for new connections
2017/10/04 15:35:35 New connection for "[project-id]:us-central1:[cloud-sql-instance-id]"
2017/10/04 15:35:35 couldn't connect to "[project-id]:us-central1:[cloud-sql-instance-id] ": ensure that the account has access to "[project-id]:us-central1:[cloud-sql-instance-id] " (and make sure there's no typo in that name). Error during createEphemeral for [project-id]:us-central1:[cloud-sql-instance-id] : googleapi: Error 403: Access Not Configured. Cloud SQL Administration API has not been used in project [123456789] before or it is disabled. Enable it by visiting[123456789] then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured

This, of course, makes sense to me because I forgot to enable Cloud SQL Admin API. So I enable the SQL API. After waiting a few minutes, I tried to connect again, and I'm back to the same 403 error message as before:

2017/10/04 15:44:23 couldn't connect to "[project-id]:us-central1:[cloud-sql-instance-id]": ensure that the account has access to "[project-id]:us-central1:[cloud-sql-instance-id]" (and make sure there's no typo in that name). Error during createEphemeral for [project-id]:us-central1:[cloud-sql-instance-id]: googleapi: Error 403: The client is not authorized to make this request., notAuthorized

My gut tells me that there's some other config step -- probably something that would have happened automatically if this had been a project under my own cloud account, as I've had this configuration work when dealing with my projects under my Google cloud environment -- but I feel like I have no ability to debug the problem at this point.


Lin Shi

Oct 5, 2017, 8:52:14 PM10/5/17
to Google Cloud SQL discuss
Thank you so much for this, this is very helpful!!!

So the problem here is only "OWNER" and "Project IAM Admin" (under "Resource Manager") have the privilege to grant a role to a service account.  So none of the roles your client granted you can bind a role (Cloud SQL client) to the service account you created.  However there's a bug in the UI that even when you created the service account and specified the Cloud SQL Client role at the same time, it didn't give you any error when if failed to bind to role (due to lack of permission).

The solution here is to grant you the "Project IAM Admin" (under "Resource Manager") role here if don't want the owner role.  One thing to check is in the project, go to "IAM & admin" - "IAM" to check if the IAM rule is there for the service account with the correct role.

Hope this would help and we will update the doc soon.

BC Holmes

Oct 6, 2017, 11:22:35 AM10/6/17
to Google Cloud SQL discuss
Thanks, Lin Shi,

This seems to have solved my problem.

I've had Project IAM Admin role added to my account and I've created a new service account. I'm now able to connect to Cloud SQL via the proxy running at the command line. I'll now go back and do some testing with my GKE configuration.

Thanks also for the pointer to checking the IAM page for the right roles. I confess that that's not a page that I've found terrible intuitive, but I'll invest a bit of time in understanding it better.

Reply all
Reply to author
0 new messages