
After following the tutorial Connecting [Postgres] from Kubernetes Engine, I was able to have my app server connect to my Postgres database through a Cloud SQL Proxy and a service account that grants the "SQL Client", "SQL Editor" and "SQL Admin" permissions.

But, after following this tutorial a second time (to create a second database, for use from another cluster), and hence creating a second service account with the same permissions, I realised that I could only connect my second Cloud SQL database using my first service account!

Every time I tried to use the second service account (which, again, grants access to the exact same 3 permissions!), I was getting couldn't connect to "project:region:instance" errors...

Context: I know that instance-based permissions are not supported by Cloud SQL yet, but I would like to have dedicated service accounts for each of my 2 databases if possible, and do not understand why a second service account with same permissions does not work.

Adrien Joly
  • It might be related to [this](https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#5_create_your_secrets): Your `cloudsql-instance-credentials` file is generated based on your service account. Did you generate a second one and add this new credential file to your volumes? – Mangu Aug 21 '18 at 07:50
  • Thanks @Mangu! I believe I had! That said, a colleague was able to create his own service account and connect to both databases with it, so we're good. Note: the "CloudSQL Client" permissions were enough for this. – Adrien Joly Aug 30 '18 at 10:48
  • May I ask you to post as an answer how your peer was able to do this? If possible, of course. It looks like an interesting situation. – Mangu Aug 30 '18 at 11:10

First of all, you only need the Cloud SQL Client role for your Cloud SQL Proxy. Other roles are not required.

Secondly, are you using the app server from the same Kubernetes cluster? Are you trying to use the same Kubernetes secret `cloudsql-instance-credentials` for both service accounts?

If yes, that's the problem. You need to either update the `cloudsql-instance-credentials` secret with the new credentials JSON for the second service account.

Alternatively, you may keep two secret objects, `cloudsql-instance-credentials-service-account-1` and `cloudsql-instance-credentials-service-account-2`, and update the config YAML to mount the required secret, as below:

```yaml
  # pod spec fragment (spec.template.spec of the Deployment)
  containers:
    - name: cloudsql-proxy
      image: gcr.io/cloudsql-docker/gce-proxy:1.09
      command: ["/cloud_sql_proxy", "--dir=/cloudsql",
                "-instances=<instance_connection_name>=tcp:5432",
                "-credential_file=/secrets/cloudsql/credentials.json"]
      volumeMounts:
        - name: cloudsql-instance-credentials
          mountPath: /secrets/cloudsql
          readOnly: true
  volumes:
    - name: cloudsql-instance-credentials
      secret:
        # swap this name to select which service account's key the proxy uses
        secretName: cloudsql-instance-credentials-service-account-2
```
Narendra
  • You're right about the role! I have two instances of the same app server: one per cluster (`prod` and `dev`). It could be that I was using the wrong `cloudsql-instance-credentials` indeed. Thank you, @Narendra! – Adrien Joly Aug 30 '18 at 11:35
  • I would just add (for those who need it), the alias name for the role is `roles/cloudsql.client`. Thanks for the great answer. – confiq Dec 27 '21 at 14:55
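One way to catch the mix-up discussed above (one cluster quietly mounting the other environment's `cloudsql-instance-credentials`) before anything is deployed, as an added example that is not from the question or the answer: it follows the proxy's `-credential_file` flag through the volumeMount to the backing Secret and checks that the key's `client_email` is the service account that cluster should be using. The secret names mirror the answer; the environment-to-account mapping, the key-file stubs and the `sql-prod`/`sql-dev` names are assumptions constructed for the example.

```python
import json
# Which service account each cluster is meant to use (assumed names, not from the question).
EXPECTED_SA = {"prod": "sql-prod@example.iam.gserviceaccount.com",
               "dev": "sql-dev@example.iam.gserviceaccount.com"}

def sa_key(email):
    """Constructed stand-in for a service-account key file's JSON content."""
    return json.dumps({"type": "service_account", "client_email": email})

# Constructed Secrets, keyed by name, with data already base64-decoded.
SECRETS = {
    "cloudsql-instance-credentials-service-account-1": {"credentials.json": sa_key(EXPECTED_SA["prod"])},
    "cloudsql-instance-credentials-service-account-2": {"credentials.json": sa_key(EXPECTED_SA["dev"])},
}

def make_pod_spec(secret_name):
    """Pod spec shaped like the answer's YAML, parameterised by the mounted secretName."""
    return {
        "containers": [{
            "name": "cloudsql-proxy",
            "image": "gcr.io/cloudsql-docker/gce-proxy:1.09",
            "command": ["/cloud_sql_proxy", "--dir=/cloudsql",
                        "-instances=<instance_connection_name>=tcp:5432",
                        "-credential_file=/secrets/cloudsql/credentials.json"],
            "volumeMounts": [{"name": "cloudsql-instance-credentials",
                              "mountPath": "/secrets/cloudsql", "readOnly": True}],
        }],
        "volumes": [{"name": "cloudsql-instance-credentials",
                     "secret": {"secretName": secret_name}}],
    }

def mounted_credential(pod_spec):
    """Follow -credential_file through its volumeMount to (secretName, key within the Secret)."""
    proxy = next(c for c in pod_spec["containers"] if c["name"] == "cloudsql-proxy")
    path = next(a.split("=", 1)[1] for a in proxy["command"]
                if a.lstrip("-").startswith("credential_file="))
    mount = next(m for m in proxy["volumeMounts"]
                 if path.startswith(m["mountPath"].rstrip("/") + "/"))
    volume = next(v for v in pod_spec["volumes"] if v["name"] == mount["name"])
    return volume["secret"]["secretName"], path[len(mount["mountPath"].rstrip("/")) + 1:]

def check_proxy_identity(env, pod_spec, secrets=SECRETS):
    """Return (ok, detail): does the key the proxy will load belong to the SA expected for env?"""
    secret_name, key = mounted_credential(pod_spec)
    sa = json.loads(secrets[secret_name][key])
    if sa.get("type") != "service_account":
        return False, f"{env}: {secret_name}/{key} is not a service-account key"
    if sa.get("client_email") != EXPECTED_SA[env]:
        return False, f"{env}: {secret_name} holds {sa.get('client_email')}, expected {EXPECTED_SA[env]}"
    return True, f"{env}: {secret_name} -> {sa['client_email']}"
```

Against a live cluster the same check can be fed from `kubectl get secret -o json` (base64-decode the data first) and the rendered Deployment manifest of each environment.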