1

I am trying to connect both public Cloud SQL and Data Fusion instances but ended up receiving a 403 error.

Failed to create connection to database via connection string: jdbc:postgresql:///analytics?cloudSqlInstance=chatbot-dev-356403:europe-central2:chatbot&socketFactory=com.google.cloud.sql.postgres.SocketFactory and arguments: {user=chatbot-dev}. Error: GoogleJsonResponseException: 403 Forbidden { "code" : 403, "errors" : [ { "domain" : "global", "message" : "The client is not authorized to make this request.", "reason" : "notAuthorized" } ], "message" : "The client is not authorized to make this request." }. Make sure you specify the correct connection properties.

I am not sure if it's a permission issue. I have the following permissions in my service account, added during Data Fusion instance creation:

roles/storage.admin
roles/datafusion.admin
roles/datafusion.runner
roles/datafusion.serviceAgent
roles/dataproc.worker
roles/cloudsql.admin
roles/cloudsql.client

Also, I can see another service account in the instance, but I am not sure if I have to add permissions to this account too.

1 Answer

2

Have you followed the instructions here: https://cloud.google.com/data-fusion/docs/how-to/reading-from-postgresql ?

I had the same problem because I was looking at the Service Account and Dataproc service account defined in the Data Fusion instance, but those are not the service accounts requiring permissions.

I had to:

  1. Go into IAM.
  2. Select the Grant Access action.
  3. Find the service-PROJECT_NUMBER@gcp-sa-datafusion.iam.gserviceaccount.com service account and grant the roles at step #13 in the link I sent.

After performing those actions everything worked fine.

Please let us know if that works out for you.

Tiago Seixas
  • Yes, it does! You are absolutely right. The account made me confused, but I finally found a single log entry pointing to the account that you mentioned. Thanks! – Ahmad Coachendo Dec 22 '22 at 15:16
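
An added example (not part of the answer above and not Google's code): a check over a project IAM policy export that reports whether the `service-PROJECT_NUMBER@gcp-sa-datafusion.iam.gserviceaccount.com` account from the answer holds a role, and which other accounts hold it instead. The role list, the project number and the `pipeline-sa` account name are assumptions, and the policy is constructed sample data.

```python
import json

# Assumption: the answer defers to "step #13" of the linked guide, which this
# page does not quote. roles/cloudsql.client (from the question's list) stands in.
REQUIRED_ROLES = ("roles/cloudsql.client",)

# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
# Project number 123456789012 and the account name "pipeline-sa" are made up.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudsql.admin",
   "members": ["serviceAccount:pipeline-sa@chatbot-dev-356403.iam.gserviceaccount.com"]},
  {"role": "roles/cloudsql.client",
   "members": ["serviceAccount:pipeline-sa@chatbot-dev-356403.iam.gserviceaccount.com"]},
  {"role": "roles/datafusion.serviceAgent",
   "members": ["serviceAccount:service-123456789012@gcp-sa-datafusion.iam.gserviceaccount.com"]}
]}
""")


def datafusion_service_agent(project_number):
    """Member string for the Google-managed Data Fusion service account."""
    return f"serviceAccount:service-{project_number}@gcp-sa-datafusion.iam.gserviceaccount.com"


def audit(policy, project_number, required=REQUIRED_ROLES):
    """Report required roles the service agent lacks and who holds them instead."""
    agent = datafusion_service_agent(project_number)
    missing, held_elsewhere = [], {}
    for role in required:
        holders = set()
        for binding in policy.get("bindings", []):
            if binding.get("role") == role:
                # A conditional binding may not apply to this request, so it
                # is not counted as an unconditional grant.
                if "condition" not in binding:
                    holders.update(binding.get("members", []))
        if agent not in holders:
            missing.append(role)
            held_elsewhere[role] = sorted(holders)
    return {"agent": agent, "missing": missing, "held_elsewhere": held_elsewhere}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY, "123456789012"), indent=2))
```

On the sample policy the report lists `roles/cloudsql.client` as missing for the service agent while showing it held by `pipeline-sa`, which is the mismatch the answer describes.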