
I have recently switched my code to another project. I use the Public IP method described in the official document, but to no avail.

In the log explorer, I have seen a lot of warning entries stating that:

CloudSQL warning: your action is needed to update your application and avoid potential disruptions. Please see https://cloud.google.com/sql/docs/mysql/connect-app-engine-standard for additional details:

Post https://sqladmin.googleapis.com/sql/v1beta4/projects/<PROJECT_ID>/instances/asia-east1~<CLOUD_SQL_INSTANCE>:generateEphemeralCert?alt=json&prettyPrint=false: rpc error: code = PermissionDenied desc = IAM permission denied for service account gae-deploy@<PROJECT_ID>.iam.gserviceaccount.com.

Things I have confirmed and checked:

  • New cloud SQL and app engine are on the same project
  • Cloud SQL Admin API is enabled
  • App engine region is asia-east1 (same as the cloud SQL region)
  • App engine service account and GAE cloud deploy accounts have Cloud SQL Admin role
  • Default service account [PROJECT_ID]@appspot.gserviceaccount.com has the following roles:
    • Cloud SQL Admin, Editor, Service Account Token Creator, Storage Object Admin
  • Created service account gae-deploy@<PROJECT_ID>.iam.gserviceaccount.com has the following roles:
    • App Engine Service Admin, Cloud Build Service Account, Cloud SQL Admin, Cloud SQL Client, Serverless VPC Access User, Service Account User

According to the documents, the Cloud SQL Client role is enough. But the logs keep telling me that the service account cannot access the Cloud SQL Admin API.

What am I doing wrong? Or which additional IAM roles should I grant to the service accounts?

  • When you say you've switched to another project, does that mean your app is in one project and the Cloud SQL instance is in another project? If so, you'll need to ensure the service account associated with the app is a member of the other project. Commented Apr 14, 2022 at 17:43
  • new app engine and new cloud sql are on the same project Commented Apr 14, 2022 at 18:14
  • I would expect that if the Admin API were enabled, the App Engine service account had Cloud SQL Client, and the instance connection name was correct, it would work. Try verifying your instance connection name, which should be `/cloudsql/INSTANCE_CONNECTION_NAME`. Commented Apr 14, 2022 at 19:42
  • Yes, /cloudsql/instance_connection_name is what I use for the connection. I found a GitHub thread with a similar problem. Not sure whether it is the same case. github.com/GoogleCloudPlatform/cloudsql-proxy/issues/… Commented Apr 15, 2022 at 1:47
  • Glad to hear, but sorry to hear that this bug bit you. Seems that old service accounts might have this problem. Commented Apr 15, 2022 at 19:43

1 Answer

I have tried steps similar to those mentioned in this GitHub thread comment. Steps I have done:

  • Remove ALL roles for both the default App Engine service account [PROJECT_ID]@appspot.gserviceaccount.com and gae-deploy@<PROJECT_ID>.iam.gserviceaccount.com
  • Add the same roles back
  • Rebuild App Engine

Now everything works as usual.
