googleapi: Error 403: Access Not Configured. Cloud SQL Administration API has not been used in project

[Alex Ryan]

I have a 2nd gen google cloud sql instance running in project A which I would like to connect to from a google compute engine instance in project B via the cloudsql-proxy.

The instructions for doing so are here:

https://cloud.google.com/sql/docs/mysql/connect-compute-engine#gce-connect-proxy

I believe that I have followed these instructions precisely and yet I still get this error:

2017/06/23 01:14:41 couldn't connect to "INSTANCE-CONNECTION-NAME": ensure that the account has access to "INSTANCE-CONNECTION-NAME" (and make sure there's no typo in that name). Error during createEphemeral for INSTANCE-CONNECTION-NAME: googleapi: Error 403: Access Not Configured. Cloud SQL Administration API has not been used in project 000000000 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview?project=000000000 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured

there is no typo in the INSTANCE-CONNECTION-NAME

I HAVE enabled the Cloud SQL API (It no longer appears to be named "Cloud SQL Administrator API")

I HAVE waited for many minutes for the action to propagate to our systems and retry.

One thing I did find very strange about the instructions is that I was requested to create service account explicitly for the cloudsql-proxy and to generate a JSON key for it, but there were no instructions on actually using either of these.

I did ensure that the service account of the compute engine (in project B) was listing in project A with the credential of Cloud SQL > Cloud SQL Client. (Note: It was already in there with a role of Owner)

The command to start the proxy was simply this:

./cloud_sql_proxy -instances=<INSTANCE_CONNECTION_NAME>=tcp:3306

What do I need to do to make this work?

[David Newgas]

Hi,

If you run the command that way on GCE it will use the service account for your instance. By default this will be PROJECT_NUM...@developer.gserviceaccount.com, although when you create the instance you can specify other service accounts. So one possible issue is that this account does not have the required IAM permission to access your Cloud SQL instance. When you use the default credentials on GCE, it is also restricted to certain APIs, by default GCS read-only, writing to cloud logging/monitoring, and Google Cloud Endpoints.  So a second possible issue is that your GCE instance doesn't have sufficient scopes set up. This is what is being referenced where the docs say "If you created your Compute Engine instance with either Full API access or Cloud SQL API enabled, you can skip this step; you do not need to provide a certificate file when you start the proxy."

You have two options going forward:

1. Use the JSON service account credentials you created. You can pass them to cloud_sql_proxy with the -credential_file parameter or  in the GOOGLE_APPLICATION_CREDENTIALS environmental variable.
2. Use the GCE default service account, but make sure a) the instance's service account has either Editor or Cloud SQL Client role on your project and b) the instance has access scope to the Cloud SQL API enabled.

Our instructions are a bit confusing as you point out... they advise creating a service account (option 1) but then give the command line for option 2. I'll try and clean that up.

David

--
You received this message because you are subscribed to the Google Groups "Google Cloud SQL discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/34ed1f62-4224-4890-875f-a686d194eec3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Alex Ryan]

That worked beautifully David.

Muchas gracias

[David Newgas]

We have updated the docs too!

That worked beautifully David.

To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsubscr...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/34ed1f62-4224-4890-875f-a686d194eec3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Google Cloud SQL discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsub...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/b6608e3f-ef2e-4ca2-b118-e2d5c6eac341%40googlegroups.com.

[Ishwara Bhat A]

Hi,

I am setting up ecommerce site (wordpress, woocommerce) which needs to have secure https on the browser.  I have GCE VM with letsencrypt SSL. Then I am using SQL proxy to connect to cloud SQL. There is no SSL between VM and cloud SQL.

But on address bar, I get only "info https". If we use cloud SQL proxy, is it automatically considered secure? or I am expected to have SSL on top of it?

When I allow SSL traffic only and use the mysql client certificate and mysql client key.pem, the connection still does not work. Everything is within same project and zone.  cloud sql proxy initializes correctly. But the application (wordpress level) SSL does not work.

Please confirm if we should assume traffic on cloud proxy automatically secure and does not need certificate? If so, why would browser complain? Thanks.

That worked beautifully David.

To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/34ed1f62-4224-4890-875f-a686d194eec3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.