Running dialPassword from a local Go unit test to a 2nd gen. MySQL server. Not a lot different from the example provided in you package. My instance is white-listing all IPv4 connections right now. I have the right username and password. Dies after 3 minutes hang time. Exit status 2, no log.

Any way on local dev to conditionally check from my application if gcloud_sql_proxy active?
I'm on Mac OS X El Capitan, running Wordpress and deploying to GAE flex php environment.
My use case is scripting a conditional check in wp-config.php so I can set different database connection parameters if Wordpress is using the Cloud SQL instance or local MySQL.
But I can't find anything different between when gcloud_sql_proxy is running and when it's not for php to check against.
Maybe the unix socket?

I am trying to build cloudproxy on OpenBSD 5.9 amd64.

On Ubuntu, "go get github.com/GoogleCloudPlatform/cloudsql-proxy/cmd/cloud_sql_proxy" succeeds with go 1.63, but it fails on OpenBSD as:

go/src/bazil.org/fuse/error_std.go:27 undefined: errNoXattr
go/src/bazil.org/fuse/fuse.go:1345 undefined: attr
go/src/bazil.org/fuse/fuse_kernel.go:404 undefined: attr

I used go-1.5 (package) and go-1.6 (from source).
Is there any way to build without fuse support, as I do not need fuse on OpenBSD ?

I'd like to run the cloudsql-proxy container as a DaemonSet instead of a sidecar in my pods, because I have multiple (different) pods on a node, which all need to connect to a Cloud SQL instance. So instead of:

volumes:
- emptyDir:
  name: cloudsql-sockets

I use:

volumes:
- hostPath:
    path: /cloudsql
  name: cloudsql-sockets

So the other pods can just mount the hostPath /cloudsql/ (read-only) to load the UNIX sockets.

However, when I try to start the cloudsql-proxy container, it gives me this error:

Error syncing pod, skipping: failed to "StartContainer" for "cloudsql-proxy" with RunContainerError: "runContainer: Error response from daemon: mkdir /cloudsql: read-only file system"

According to the Kubernetes docs, when using hostPath, only root can write to it. So containers which want to write to the mounted hostPath should also be using user root. Is this not the case for cloudsql-proxy container?

One solution would be using TCP sockets, but I prefer UNIX sockets.

Now that there's a cloud sql for postgres it would be handy if the cloudsql-proxy supported it too

The current error message is:
POST "https://www.googleapis.com/sql/v1beta4/projects/project/instances/instance/createEphemeral": 403 Forbidden; Body="{\n "error": {\n "errors": [\n {\n "domain": "global",\n "reason": "insufficientPermissions",\n "message": "Insufficient Permission"\n }\n ],\n "code": 403,\n "message": "Insufficient Permission"\n }\n}\n"; read error:

If reason is "insufficientPermissions", we should provide a nice error message about the required scopes.
I don't believe "insufficientPermissions" shows up in any other scenarios other than missing the scopes.

We are receiving intermittent reports that the Cloud SQL Proxy is receiving errors which look similar to this:

couldn't connect to "$INSTANCE": Post https://www.googleapis.com/sql/v1beta4/projects/$PROJECT/$NAME/createEphemeral?alt=json: stream error: stream ID 1; PROTOCOL_ERROR

If you are encountering this problem, please send the following information to [email protected]:

1. Cloud SQL Instance name and project name
2. What version of the proxy you are using (pass --version to have it printed out)
3. Restart the Cloud SQL Proxy, setting an environment variable GODEBUG=http2debug=2 (as per Go HTTP docs). When the PROTOCOL_ERROR occurs again, there should be extra debug logs. Please strip out secret data such as bearer tokens, etc and include this in your email

In addition, we have heard reports that updating to the newest version (1.09) fixes this problem. We'd especially like to hear from anyone running this version that is still affected.

Strangely enough the same code works when running the PHP script directly.

The proxy sees a request for the socket, but the MySQL PHP driver does not appear to follow the symlink in this case.

The official docs recommend the "sidecar pattern" for deploying to Google Container Engine. It's painstaking to follow the instructions currently, having to hand wire secrets up and carefully splice lines of code together from the sample YAML.

It'll be nice to have an official google/cloudsql-proxy Helm chart.

Install with a single helm install google/cloudsql-proxy -f values.yaml command.

In addition, I would like to suggest instructions for a standalone pod/service hosting cloud_sql_proxy that listens on tcp:0.0.0.0:3306, also installed using a Helm chart. Yes, it's less secure than listening on localhost, but for those who have secured their cluster properly, decoupling Cloud SQL proxy from the application pod greatly simplifies deployment.

According to https://cloud.google.com/container-registry/docs/support/deprecation-notices, b.gcr.io will be deprecated shortly. Can you please start publishing b.gcr.io/cloudsql-docker to a different registry?

c.f. kubernetes/test-infra#1670

Hi, I'm wondering if it's possible to add an option to keep cloudsql-proxy from exiting on receiving a SIGTERM.

I'm running cloudsql-proxy on Kubernetes in a pod alongside a web app. When Kubernetes deletes a pod, it sends a SIGTERM to both cloudsql-proxy and my web app and then sends a SIGKILL 30 seconds later. Upon receiving the SIGTERM, my web app performs a graceful shutdown by draining the requests in flight, but cloudsql-proxy shuts down immediately. This means that the requests being drained fail if they need any more access to the database.

It'd be great if I could configure cloudsql-proxy to stay alive after receiving a SIGTERM so my web app can drain requests properly. Eventually, cloudsql-proxy can exit upon receiving a SIGKILL.

I just updated from MySQL to PostgresSQL. With MySQL all was fine, but now After establishing connection to proxy, from my machine, proxy close all connections from my connection pool .

2017-03-25T00:01:43.528146150Z 2017/03/25 00:01:43 using credential file for authentication; [email protected] 2017-03-25T00:01:43.528372912Z 2017/03/25 00:01:43 Listening on 0.0.0.0:5432 for id:id:db-id 2017-03-25T00:01:43.533379753Z 2017/03/25 00:01:43 Ready for new connections 2017-03-25T00:01:50.846499658Z 2017/03/25 00:01:50 New connection for " id:id:db-id" 2017-03-25T00:01:51.677064579Z 2017/03/25 00:01:51 New connection for " id:id:db-id" 2017-03-25T00:01:51.958285168Z 2017/03/25 00:01:51 New connection for " id:id:db-id" 2017-03-25T00:02:23.882565648Z 2017/03/25 00:02:23 Client closed local connection on 10.53.1.53:5432 2017-03-25T00:02:23.882597137Z 2017/03/25 00:02:23 Client closed local connection on 10.53.1.53:5432 2017-03-25T00:02:23.882601223Z 2017/03/25 00:02:23 Client closed local connection on 10.53.1.53:5432

Does anyone know what can cause this problem. Connection looks like working, because my orm initialise all tables, but then all connection suddenly dropped.

Hi,

I created a GKE Cluster and followed the Kubernetes instructions:

Now I'm getting the following error (XXX:XXX is my Project and Instance Name):

Open socket for "XXX:XXX" at "/cloudsql/XXX:XXX"
Socket prefix: /cloudsql
Got a connection for "XXX:XXX"
couldn't connect to "XXX:XXX": Post https://www.googleapis.com/sql/v1beta4/projects/XXX/instances/XXX/createEphemeral?alt=json: oauth2: cannot fetch token: Post https://accounts.google.com/o/oauth2/token: dial tcp: i/o timeout

Any idea where the timeout comes from?

Hello,

I am trying to start a docker container using the -fuse switch as follows:
docker run -it -v $(pwd)/cred.json:/secret/cred.json -v /cloudsql -v /etc/ssl/certs b.gcr.io/cloudsql-docker/gce-proxy /cloud_sql_proxy -dir=/cloudsql -fuse -credential_file=/secret/cred.json
And I get the following error:
2016/07/11 16:24:48 Mounting /cloudsql... 2016/07/11 16:24:48 Could not start fuse directory at "/cloudsql": cannot mount "/cloudsql": fusermount: exec: "fusermount": executable file not found in $PATH

Could be missing dependencies in the docker image?
Thanks in advance.

When using the proxy with PHP (and no persistent connections) the chattiness of the proxy logs is overwhelming. Since I am running the proxy on Container Engine, those logs are being shipped to Cloud Logging and the amount of "new connection" and "connection closed" messages is significant.

It would be nice to disable logging of new and closed connections.

I am simply using the sample configuration in the readme:

stephen@test-asyncjobs-001:/cloudsql$ sudo cloud_sql_proxy -dir=/cloudsql -instances=my-project:us-central1:sql-inst=tcp:0.0.0.0:3306
2016/07/22 11:46:11 listenInstance: "my-project:us-central1:sql-inst=tcp:0.0.0.0:3306"
2016/07/22 11:46:11 listen tcp: too many colons in address 127.0.0.1:0.0.0.0:3306

The address doesn't seem to be parsed correctly.

In my cloud_sql_proxy output I see fairly regular (every hour or so) messages like this one:

cloud_sql_proxy[2112]: 2017/05/05 21:38:42 Reading data from xxx:xxx had error: read tcp xxx.xxx.xxx.xxx:xxxxx->xxx.xxx.xxx.xxx:xxxx: read: connection timed out

These seem to match up with errors like this one in my Python code:

OperationalError: server closed the connection unexpectedly
	This probably means the server terminated abnormally
	before or while processing the request.

I have two similar GCE VMs in same region but different availability zones. Only one of them log these errors.

Are timeouts like this one expected? Any tips on troubleshooting them or working around them?

In 1.06 release (https://github.com/GoogleCloudPlatform/cloudsql-proxy/releases/tag/1.06),

(snip)
The precompiled binaries can be found at the standard locations:

• https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64
  (snip)

But downloaded binary is 1.05, not 1.06.

$ curl -LO https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10.2M  100 10.2M    0     0  9664k      0  0:00:01  0:00:01 --:--:-- 9667k
$ sha256sum cloud_sql_proxy.linux.amd64
9c5eab456cebef14905f3f42d2ba59746fcc1e99b2db378b1b634fb77ed67b64  cloud_sql_proxy.linux.amd64
$ chmod +x cloud_sql_proxy.linux.amd64
$ ./cloud_sql_proxy.linux.amd64 --version
Cloud SQL Proxy: version 1.05; sha 0f69d99588991aba0879df55f92562f7e79d7ca1 built Mon May  2 17:57:05 UTC 2016

Where can I download 1.06 precompiled binaries?

Connecting to a Google Cloud SQL instance via tcp_3306 is not counting towards any API quotas. Connecting to a Google Cloud SQL instance via the cloudsql-proxy however IS counting towards the Google Cloud SQL API Quotas. Specifically, there is a limit of 10k queries per day and a limit of 100 queries per 100 seconds per user. Queries in this case refer to API queries, not SQL queries.

An API query is not just consumed for creating a connection, but also for other interactions, depending on ones configuration; e.g. getting a list of instances when you do not have configured fixed instances.

We are currently learning this the hard way, by having our GCE hosted application being down because of an exceeded API limit. I am very disappointed that this is hitting us completely unexpected.

On the one hand the cloudsql-proxy is absolutely necessary when using autoscaling GCE instance groups (you cannot determine your GCE instance's IP addresses when machines are booted to meet a raising demand and thus cannot configure "Authorized networks" on the SQL instance. Or open ACLs to all IPs, which is no option either). On the other hand, switching from tcp_3306 connections to the cloudsql-proxy may silently kill your application if you don't closely monitor API usage.

The documentation of this project both here on Github as well as on the official Google sites should make this crystal clear. That is not the case today.

On Windows 10 I have gcloud setup and working. I downloaded the binary and without any arguments (per Using automatic instance discovery with gcloud credentials) I saw:

2017/04/18 11:51:31 Using gcloud's active project: myproject-12345
2017/04/18 11:51:33 mkdir myproject-12345:us-central1:test: The filename, directory name, or volume label syntax is incorrect.
2017/04/18 11:51:33 errors parsing config:
        mkdir myproject-12345:us-central1:test: The filename, directory name, or volume label syntax is incorrect.

I guess this is to be expected as Windows does not support : in directory names, but perhaps by default the character should be - or changed for Windows specifically.

After changing the separator in code to - it worked but then I hit:

2017/04/18 11:58:57 Using gcloud's active project: myproject-12345
2017/04/18 11:58:59 errors parsing config:
        invalid "myproject-12345:us-central1:test": unsupported network: unix

And in code it specifically checks if OS is Windows and removes unix from supported list. I wonder if this could be default tcp on Windows?

In the end I got things to work with this: .\cloud_sql_proxy.exe -instances=myproject-12345:us-central1:test=tcp:5433.

I have been having issues with the proxy on Container Engine. I have a Cloud SQL database setup using SSL and allowed ip of 0.0.0.0/0. I want to be able to connect to it with my containers via a service in Kubernetes. I don't want to put a cloudsql-proxy in every one of my pods. Therefore, I believe I need to use the proxy with a TCP port instead of the UNIX socket. I have successfully created the service, secret, and replication controller, however the proxy is giving me the error:

the default Compute Engine service account is not configured with sufficient permissions to access the Cloud SQL API from this VM. Please create a new VM with Cloud SQL access (scope) enabled under "Identity and API access". Alternatively, create a new "service account key" and specify it using the -credentials_file parameter

I have given it a credentials_file (the secret) and the service account has the Editor role assigned to it. I can run the proxy on my machine (OSX) with the credential file and it works perfectly. Below are my Kubernetes definitions:

Secret

apiVersion: v1
kind: Secret
metadata:
  name: sqlcreds
type: Opaque
data:
  file.json: "<base64encoded service key json file>"

Service

apiVersion: v1
kind: Service
metadata:
  name: mysql
  labels:
    app: mysql
spec:
  ports:
  - port: 3306
  selector:
    app: mysql
    role: proxy

Replication Controller

apiVersion: v1
kind: ReplicationController
metadata:
  name: mysql-proxy
  labels:
    app: mysql
    role: proxy
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: mysql
        role: proxy
    spec:
      volumes:
      - name: secret-volume
        secret:
          secretName: sqlcreds
      - name: ssl-certs
        hostPath:
          path: /etc/ssl/certs
      containers:
      - name: proxy
        image: b.gcr.io/cloudsql-docker/gce-proxy
        command: ["/cloud_sql_proxy", "-dir=/cloudsql", "-credential_file=/secret/file.json", "-instances=<redacted>=tcp:3306"]
        ports:
        - containerPort: 3306
        volumeMounts:
        - name: secret-volume
          mountPath: /secret/
        - name: ssl-certs
          mountPath: /etc/ssl/certs

I don't understand where I am going wrong here. I don't quite understand the '/etc/ssl/certs' directory, but I included it anyways. It seems to match your README however it is still getting the errors. I have read through the other issues here and there seems to be a couple of people reporting similar issues. Maybe the docker image hasn't been updated with the latest code? It says it was modified on Apr 18th if that helps.

Our GKE based webapp is unable to connect to Google Cloud SQL right now. I have no idea why this suddenly started happening. We haven't touched the GKE deployment in several days.

Our logs show everything being OK until 14:30:12 CEST today (2017-05-25), when all connections fail with this error:
2017/05/25 15:58:37 couldn't connect to "****:europe-west1:****": Post https://www.googleapis.com/sql/v1beta4/projects/*****/instances/****/createEphemeral?alt=json: oauth2: cannot fetch token: Post https://accounts.google.com/o/oauth2/token: dial tcp: i/o timeout

We are running cloudsql-proxy through the image b.gcr.io/cloudsql-docker/gce-proxy:1.05
I can succesfully connect manually with cloud_sql_proxy from my machine.

I realize this might not be a cloudsql-proxy issue, but any pointers to help me out would be much appreciated.

I've written a bit of a hack that allows me to embed the Cloud SQL Proxy into my Go application, so I don't need to set up or run a separate service from my application. I'm planning on releasing this as an open source library, but then I realized: it would be better if the cloudsql-proxy project supported this natively.

Would the maintainers of this project be interested in working with me to merge some patches to make this easy/possible?

If so, I'll try to clean my patch up, sign the CLA, and submit a pull request. If not, I'll release it as my own open source library. Thanks!

Using the example from Kubernetes.md, I've created a deployment with 2 replicas of the cloudsql-proxy. With versions 1.05 and 1.08, it works. With version 1.09 it fails if replicas is greater than 1 with this message

Error from server (BadRequest): container "cloudsqlproxy" in pod "cloudsqlproxy-3735439449-p58dv" is waiting to start: trying and failing to pull image

The kubernetes dashboard shows this error:

Failed to pull image "b.gcr.io/cloudsql-docker/gce-proxy:1.09": failed to register layer: rename /var/lib/docker/image/overlay/layerdb/tmp/layer-289391082 /var/lib/docker/image/overlay/layerdb/sha256/305e4867f6737b619a7ab334876d503b12fa391a3d28478752575b49d6857e69: directory not empty
Error syncing pod, skipping: failed to "StartContainer" for "cloudsqlproxy" with ErrImagePull: "failed to register layer: rename /var/lib/docker/image/overlay/layerdb/tmp/layer-289391082 /var/lib/docker/image/overlay/layerdb/sha256/305e4867f6737b619a7ab334876d503b12fa391a3d28478752575b49d6857e69: directory not empty"

Setting replicas to 1 or using version 1.08 both make it work.

Example config:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: cloudsqlproxy
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: cloudsqlproxy
    spec:
      containers:
      - image: b.gcr.io/cloudsql-docker/gce-proxy:1.09
        name: cloudsqlproxy
        command:
        - /cloud_sql_proxy
        - -dir=/cloudsql
        - -instances=project:us-central1:db-test=tcp:3306
        - -credential_file=/credentials/credentials.json
        ports:
        - name: sqlpxy-prt-wp
          containerPort: 3306
        volumeMounts:
        - mountPath: /cloudsql
          name: cloudsql
        - mountPath: /credentials
          name: service-account-token
          readOnly: true
        - mountPath: /etc/ssl/certs
          name: ssl-certs
          readOnly: true
      volumes:
      - name: cloudsql
        emptyDir:
      - name: service-account-token
        secret:
          secretName: cloudsql-instance-credentials
      - name: ssl-certs
        hostPath:
          path: /etc/ssl/certs

We are seeing an issue where the cloud SQL proxy will fail after a short period of time and has to be restarted. This is leading to "could not connect" errors in our apps. We are running the command in a startup bash script, like this:

#! /bin/bash
# starts proxy
nohup /usr/local/bin/cloud_sql_proxy -instances=instance_string=tcp:3306 > /var/log/cloudproxy/fulllog.log 2>&1 &

Is there any reason this process would stop authenticating randomly? A ps aux | grep proxy still shows the process running, but the server ceases to authenticate. Is there any logging I can perform to find the source of this issue? The fulllog.log above was temporary, but just shows lots of connects and disconnects.

Is the proxy expected to be 175% slower than a direct connection?

Every hour I'm also experiencing some spikes. The first query takes up to 1 second. Could it be some kind of reauthentication?

In my small test, the first query (which creates the connection) takes 5ms without proxy and >15ms with proxy.

Can I do any configuration to reduce the latency?

We should refresh the SSL certificate in the background before it expires. This will avoid the latency spike every hour (as mentioned in #87).

I can't seem to find the Dockerfile or image components for the Docker image compiled from this repo and available at "b.gcr.io/cloudsql-docker/gce-proxy", so those of us using this on GCE as the only way to access Cloud SQL securely are unable to build an image from specific commits so we can for instance rollback to previous non-production breaking changes. Kindly share the Dockerfile or otherwise maintain a version system for the images corresponding to the commits on GitHub.

When ever the command is run, the following error shows up - "listen tcp 127.0.0.1:3306: bind: An attempt was made to access a socket in a way forbidden by its access permissions."

Not able to do anything further, sure the devs would have come across this on windows. Is there a solution ?

This was working for me last week. I suspect it could be related to the scope check fix in #21

The check for onGCE in checkFlags comes before anything would look at the tokenFile provided in -credential_file (or a -token or GOOGLE_APPLICATION_CREDENTIALS for that matter). So if the default service account does not have the sqlservice.admin scope those other auth methods will never be checked.

I'm running in Kubernetes and would prefer to only give access to the pods that need it.

There are probably a lot of verbose logs which do not need to be printed during normal scenarios. It'd be nice to clean this up so that users don't have to ignore a lot of logs that are mostly useful during development.

An option would be to introduce a 'verbose' flag to turn on the more verbose logs.

Some things to clean up:

• During the creation of unix sockets, oftentimes a message will be printed complaining that the socket was not found before it was printed; the proxy should at least ignore errors caused by ENOENT
• Clarify errors from disconnect: it'd be good to know whether the local or remote connection was closed first
• Remove logs from new connections ("Got connection for A_PATH"); it's probably not very useful.

We have a Python application in a GKE cluster that connects to a CloudSQL instance trough cloudsql-proxy. Our connections are effectively going through the proxy, I can see traffic from and to the cloudsqlproxy container and the logs confirm this.

The cloudqslproxy has access granted from the cloudsqlproxy~% hostname and no password.

This is how our Django app config file looks like:

    DATABASES = {
        'default': {
            'ENGINE'    : 'django.db.backends.mysql',
            'NAME'      : 'dbname', 
            'USER'      : 'cloudsqlproxy',
            'PASSWORD'  : '', 
            'HOST'      : '127.0.0.1',
            'PORT'      : '',
        }
    }

And everything works... as long as our compute engine instances hosting the container IP addresses are white listed in SQL Cloud authorized networks section. We have auto-scaling setup and our VM instances are recycled on a regular basis, causing outages because of the new IPs not being whitelisted.

The whole point of clousql-proxy is not needing to grant access from specific IP addresses and this is not working for us at the moment. We are definitely doing something wrong and any help that lead us to find what it is would be greatly appreciated.

We have 2 clusters, a staging and production cluster. We setup our production cluster to use cloud-sql as a pod attached to our app pods to connect to the cloud sql servers.

When we stood up the staging cluster, everything worked except that our apps cloud-sql proxies are throwing this error, all the secrets and associated paths have been changed for the staging cluster.

couldn't connect to " project-name:us-central1:name-db-staging": x509: certificate is valid for project-name:name-db, not project-name:name-db-staging

This is happening for two separate projects, both are saying the production ssl cert is being used, but the db it is trying to connect to is the staging server

Not an issue, more of a recommendation.

I think it's worth updating the README to explain that the user must set the db manually when using from within a Go program.

Rather than the typical:

db, err = sql.Open("mysql", sqluser+":"+sqlpass+"@tcp("+sqlhost+":"+sqlport+")/"+sqldb+"?charset=utf8&parseTime=true&allowAllFiles=true")

It's required to connect to USE a db like this, after calling DialPassword:

_, err = e.Exec("USE " + sqldb)
if err != nil {
	panic(err)
}

Unless I've totally missed the point, in which case, can someone explain the correct way to dial.

I am having an issue connecting to the proxy with PHP/PDO. I followed all the instructions on this page https://cloud.google.com/sql/docs/compute-engine-access and I am able to connect with mysql -u root -p -S /cloudsql/projectid:region:instance and confirm with show databases;. Now my issue when I connect with the PDO I get :

SQLSTATE[HY000] [2002] Permission denied

The DSN I am trying to connect with is mysql:unix_socket=/cloudsql/<projectid>:<region>:<instance>;dbname=<dbname>;charset=utf8. with password.

How did you get this to work with PHP? I am able to confirm that the proxy is connecting in terminal. I am trying to get this to work with PDO running on CentOS. Is this related to Issue: #7?

Thanks

@Carrotman42 pointed out in issue #87 that connection pooling might improve connection latency.

Is it possible that the cloudsql-proxy can handle this itself? If is it best practice it would benefit a lot of projects/users.

Since Postgres is available on Google Cloud Platform as Cloud SQL option (https://cloud.google.com/sql/docs/postgres/), can a dialer be added for this to be used in Go programs?

I'm trying to make the go dialer work (from https://godoc.org/github.com/GoogleCloudPlatform/cloudsql-proxy/proxy/dialers/mysql) from outside of GCE as well as inside kubernetes. I can't use the default service account of the Compute Engine VM, since sometimes I don't run it there. Until now I've been running the proxy on the same machine as the go routine, and then connecting using mysql to 127.0.01:3306 but I'd like to switch to the provided proxy dialer instead.

The example usage from https://github.com/GoogleCloudPlatform/cloudsql-proxy/blob/master/tests/dialers_test.go doesn't show how to pass service account credentials.

Any thoughts?

I'm trying to connect to a postgresql instance by using psql -h 127.0.0.1, but that fails with:

psql: server closed the connection unexpectedly
	This probably means the server terminated abnormally
	before or while processing the request.

And in the cloud sql logs I see:

2017/04/05 08:38:23 using credential file for authentication; [email protected]
2017/04/05 08:38:23 Listening on 127.0.0.1:5432 for myproject-157612:europe-west1-c:myproject
2017/04/05 08:38:23 Ready for new connections
2017/04/05 08:39:09 New connection for "myproject-157612:europe-west1-c:myproject"
2017/04/05 08:39:09 couldn't connect to "myproject-157612:europe-west1-c:myproject": ensure that the account has access to "myproject-157612:europe-west1-c:myproject" (and make sure there's no typo in that name). Error during createEphemeral for myproject-157612:europe-west1-c:myproject: googleapi: Error 403: The client is not authorized to make this request., notAuthorized

The service account I'm using has the CloudSQLAdmin role. I have doublechecked that I have no typos in my project name, and have inspected the credentials file that is mounted into the cloudsql pod that it contains the service account credentials that I'm expecting.

The docs says that you have to setup a service account and download the json file and use it in the proxy container as secret.

However, when using this on Google Container Engine you actually do not need any service account json file. The Proxy uses the default service account given by the Google Compute Engine Instance the pod is running on. So if the Cloud SQL API is enabled and the container cluster was configured with full access, then there is no need.

Maybe a short info would be helpful :-)

Im trying to connect to cloud sql from a compute engine instance in my python application. Im running the proxy like this:

nohup ./cloud_sql_proxy -dir=/cloudsql --instances=my-project:us-central1:my-sql-instance=tcp:3307 &

I can successfully connect using the MySql client:

mysql -u root --host 127.0.0.1 --port 3307 -p
mysql> select 1;
+---+
| 1 |
+---+
| 1 |
+---+
1 row in set (0.00 sec)

I can also connect from a python repl:

>>> from sqlalchemy import create_engine
>>> from sqlalchemy import text
>>> engine = create_engine('mysql+pymysql://root:password@localhost:3307/db')
>>> engine.execute(text("SELECT 1")).fetchone()
(1,)

But, when I run this same code from my application I'll get Network Unreachable errors:

  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1990, in execute
    connection = self.contextual_connect(close_with_result=True)
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 2039, in contextual_connect
    self._wrap_pool_connect(self.pool.connect, None),
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 2078, in _wrap_pool_connect
    e, dialect, self)
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1405, in _handle_dbapi_exception_noconnection
    exc_info
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/util/compat.py", line 200, in raise_from_cause
    reraise(type(exception), exception, tb=exc_tb, cause=cause)
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 2074, in _wrap_pool_connect
    return fn()
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/pool.py", line 376, in connect
    return _ConnectionFairy._checkout(self)
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/pool.py", line 713, in _checkout
    fairy = _ConnectionRecord.checkout(pool)
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/pool.py", line 480, in checkout
    rec = pool._do_get()
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/pool.py", line 1060, in _do_get
    self._dec_overflow()
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/util/langhelpers.py", line 60, in __exit__
    compat.reraise(exc_type, exc_value, exc_tb)
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/pool.py", line 1057, in _do_get
    return self._create_connection()
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/pool.py", line 323, in _create_connection
    return _ConnectionRecord(self)
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/pool.py", line 449, in __init__
    self.connection = self.__connect()
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/pool.py", line 607, in __connect
    connection = self.__pool._invoke_creator(self)
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/strategies.py", line 97, in connect
    return dialect.connect(*cargs, **cparams)
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/default.py", line 385, in connect
    return self.dbapi.connect(*cargs, **cparams)
  File "/usr/local/lib/python2.7/dist-packages/pymysql/__init__.py", line 88, in Connect
    return Connection(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/pymysql/connections.py", line 679, in __init__
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/pymysql/connections.py", line 922, in connect
    raise exc
OperationalError: (pymysql.err.OperationalError) (2003, "Can't connect to MySQL server on 'localhost' ([Errno 101] Network is unreachable)")

When I ssh back to the box and check the running processes the Cloud SQL proxy is no longer running.

pgrep cloud_sql_proxy
# No longer return a process id

My application is a script so its doing a lot of SQL work so maybe its overloading the proxy? How can I figure out the issue?

When installing the current binary from https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 and running it on a Google Cloud Compute Instance, I get the following error message:

2016/04/17 10:43:57 the default Compute Engine service account is not configured with sufficient permissions to access the Cloud SQL API from this VM. Please create a new VM with Cloud SQL access (scope) enabled under "Identity and API access". Alternatively, create a new "service account key" and specify it using the -credentials_file parameter

The compute instance has been created with

gcloud compute instances create "$instancename"  --boot-disk-device-name "$instancename" --image "https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/images/ubuntu-1404-trusty-v20160114e" --zone "europe-west1-b" --machine-type "n1-standard-1" --network "default" --maintenance-policy "MIGRATE" --scopes default="https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring.write","https://www.googleapis.com/auth/sqlservice.admin","https://www.googleapis.com/auth/sqlservice","https://www.googleapis.com/auth/cloud.useraccounts.readonly","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management","https://www.googleapis.com/auth/devstorage.read_only" --boot-disk-size "10" --boot-disk-type "pd-standard"

Note the

--scopes default=[..]"https://www.googleapis.com/auth/sqlservice.admin",[..]

The API has been enabled on project level.

It turns out that /cmd/cloud_sql_proxy/cloud_sql_proxy.go is referencing the non-existent scope https://www.googleapis.com/auth/sqladmin

Hey,

I'm trying to deploy cloudsql-proxy, but one of the issues I'm facing is managing releases.

It appears that you only expose one version at a given time (only the tag for 1.05 is visible) which makes it really hard to reproduce a build for an old version.

It also appears that the binaries you provide does not contain the version number, I assume this means that they are always the 'latest'. I'd like to package one specific version and in order to do it securely I want to be able to verify its checksum. If this changes over time (a new version replacing the old one) this will no longer work.

1) 'd like to ask that you provide a URL for downloading the static binaries which include the version number. Guarantee some kind of retention for old versions (e.g. 6 months).
The URLs I'm referring to right now are the ones listed here:
https://github.com/GoogleCloudPlatform/cloudsql-proxy/releases

2) Can we guarantee that tags for old releases remain available after a new release is made available. This would allow us to setup a build for the project, but without it, it would be something we would have to attempt to maintain ourselves.

3) What guarantees do you intend to provide between Major vs. Minor version bumps? You do not appear to use semantic versioning right now so this is unclear.

Thank you for your time!

I'm trying to connect to a postgresql cloudsql instance, from a kubernetes pod, but when I try to establish a connection with psql -h 127.0.0.1, I get:

psql: server closed the connection unexpectedly
	This probably means the server terminated abnormally
	before or while processing the request.

Looking at the logs of the cloudsql pod, I see:

2017/04/04 13:15:53 New connection for "myproject-157612:europe-west1-c:myproject"
2017/04/04 13:15:53 couldn't connect to "myproject-157612:europe-west1-c:myproject": Post https://www.googleapis.com/sql/v1beta4/projects/myproject-157612/instances/myproject/createEphemeral?alt=json: oauth2: cannot fetch token: Post https://accounts.google.com/o/oauth2/token: x509: failed to load system roots and no roots provided

I'm using cloudsqlproxy 1.07, with the following deployment spec:

- image: gcr.io/cloudsql-docker/gce-proxy:1.07
    name: cloudsql
    command: ["/cloud_sql_proxy", "-dir=/cloudsql", "-credential_file=/secret/cloud-sql.json", "-instances=myproject-157612:europe-west1-c:myproject=tcp:5432"]
    volumeMounts:
        - name: cloudsql
          mountPath: /cloudsql
        - name: sql-proxy-secret
          mountPath: /secret/

Am I supposed to mount some SSL certificates inside the cloud sql pod?

Can anyone tell me what i'm doing wrong?

I want to use the proxy in a Kubernetes cluster out of GCE using a service account and your docker image:

docker run -ti -p 3306:3306 -v `pwd`/file.json:/file.json -v `pwd`/ssl-certs:/etc/ssl/certs gcr.io/cloudsql-docker/gce-proxy:1.06 /cloud_sql_proxy -credential_file=/file.json -instances=<myproject>:us-central1:<instance-name>=tcp:0.0.0.0:3306

And then when I try to connect using mysql client, cloud sql proxy binary outputs this:

2017/02/10 14:09:15 using credential file for authentication; email=...@...
2017/02/10 14:09:15 Listening on 0.0.0.0:3306 for <project>:us-central1:<instance-name>
2017/02/10 14:09:15 Ready for new connections
2017/02/10 14:09:41 New connection for "<project>:us-central1:<instance-name>"
2017/02/10 14:09:42 couldn't connect to "<project>:us-central1:<instance-name>": Post https://www.googleapis.com/sql/v1beta4/projects/<project>/instances/<instance-name>/createEphemeral?alt=json: oauth2: cannot fetch token: 400 Bad Request
Response: {
  "error" : "invalid_grant",
  "error_description" : "Invalid JWT: Token must be a short-lived token and in a reasonable timeframe"
}

Thanks in advance,

I'm getting an odd failure from following these instructions:

https://github.com/GoogleCloudPlatform/cloudsql-proxy#to-use-from-kubernetes

2016/05/17 23:59:41 Listening on 127.0.0.1:3306 for <project>:<region>:<instance>
2016/05/17 23:59:41 Ready for new connections
2016/05/17 23:59:51 New connection for "<project>:<region>:<instance>"
2016/05/17 23:59:52 couldn't connect to "<project>:<region>:<instance>": ensure that the account has access to "<project>:<region>:<instance>" (and make sure there's no typo in that name). Error during createEphemeral for <project>:<region>:<instance>: googleapi: Error 403: The client is not authorized to make this request., notAuthorized

Looking at the code, createEphemeral is failing, but I'm at a loss as to what is going on with the randomized key that's being created there.

i start the sql proxy using the following command:

exec cloud_sql_proxy -dir=/cloudsql -instances=project:database

When the website is loaded the CPU usage of the proxy rises exponentially. Is there any way around this?

Is there a way to run the scripts to download the proxy, have Google authentication set up, and begin listening for connections from an application in Heroku with the appropriate credentials? I have an application in Heroku with Express routes that connect to a Google Cloud SQL instance, and I would like to use the cloud_sql_proxy to connect it.

I can run the application locally, starting the proxy locally and listening for events. It seems to me that the proxy needs to run on the same machine/instance as the application, so it would seem to have to run in the cloud with Heroku. If so, how do I set up the proxy invocation to do so? Should it be invoked within Node/Express?

It's not clear for me in project1:region:instance1 what to put in instance.

I am using kubernetes with 2 nodes, several services, several deployments. One of the replica sets of one of the deployments has a pod with 2 containers: cloudsql-proxy and my app container

Is it possible to clarify this in docs?