1
votes

When trying to connect to mysql using the docker cloud proxy like so:

mysql -u <USERNAME> -p -S /cloudsql/<YOUR-PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>

I received this error

ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 95

According to the documentation, this is how I'm supposed to set up the proxy:

docker run -d -v /cloudsql:/cloudsql \
  -v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt \
  b.gcr.io/cloudsql-docker/gce-proxy /cloud_sql_proxy -dir=/cloudsql \
  -instances=<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>

Here is the documentation for setting it up.

For those who may ask this question, I did set up these params properly

<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>

The output from the proxy:

2016/03/20 19:49:15 listenInstance: "<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>"
2016/03/20 19:49:15 Remove("/cloudsql/<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>") error: remove /cloudsql/<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>: no such file or directory
2016/03/20 19:49:15 Open socket for "<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>" at "/cloudsql/<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>"
2016/03/20 19:49:15 Socket prefix: /cloudsql
2016/03/20 19:51:29 Got a connection for "<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>"
2016/03/20 19:51:30 couldn't connect to "<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>": googleapi: Error 403: Insufficient Permission, insufficientPermissions

And so I looked at my compute instance, and my API access scope for Cloud SQL is disabled. I had checked the prerequisites before, and they say that if I'm creating my Cloud SQL and compute instances in the same project, then my compute should have editor permissions. Either way, I can't figure out how to give my compute instance editor privileges for my Cloud SQL instance.

Please let me know how I can give my compute instance editor privileges for cloud sql.

1
Can you include the output from the proxy? – Vadim
Where do I get that? There was no output when I used the docker run command. – Matthew Harrison
Run docker ps to find the Container ID for the proxy, then run docker logs <CONTAINER ID> to see the logs. – Vadim
Ok, I added the logs and I think it's a privileges issue. – Matthew Harrison
What scopes did you create your GCE instance with? You can find this out by issuing curl -H 'Metadata-Flavor: Google' "http://metadata/computeMetadata/v1/instance/service-accounts/default/scopes?recursive=true&alt=text" from your instance. You should see both devstorage.read_write and sqlservice.admin listed there; otherwise, you may need to recreate your instance with adequate scopes. – asamarin

1 Answers

4
votes

insufficientPermissions indicates that the Compute Engine VM is using the default Compute Engine service account and the Cloud SQL Admin scope was not enabled when the VM was created. In the first step of the guide, you are asked to verify whether the right scopes are present.

There are two options to fix this:

Option a) Create a new VM with the Cloud SQL Admin scope enabled.

When creating a new VM, select Set access for each API in the Identity and API access section and switch Cloud SQL to Enabled.


If you are using Instance Templates, make the change described above on the instance template and use it to create the new instance(s).

Alternatively, you may select Allow full access to all Cloud APIs but be aware that this will allow any application on the VM to access any of the Cloud APIs using the service account credentials, which has editor privileges on the project by default.

Option b) Use credentials for a different service account

If creating a new VM is not an option, you can create a new service account, download the credentials file to the VM and use the -credential_file parameter to make the proxy use it. The new service account must be granted at least editor access to the project.

There's an open issue to provide a better error message: https://github.com/GoogleCloudPlatform/cloudsql-proxy/issues/6
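The scope check from the comments and the full-access caveat in Option a), combined into one script. This is an added example, not part of the original answer or the Cloud SQL proxy project; the function names, verdict strings and sample scope list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names and verdict strings are hypothetical;
# the scope URLs are the standard Google OAuth scope identifiers.
SQL_SCOPE="https://www.googleapis.com/auth/sqlservice.admin"
FULL_SCOPE="https://www.googleapis.com/auth/cloud-platform"
# Metadata endpoint quoted in the comments above (resolves only on a GCE VM).
METADATA_URL="http://metadata/computeMetadata/v1/instance/service-accounts/default/scopes?recursive=true&alt=text"

# Fetch the scopes of the VM's default service account, one URL per line.
fetch_scopes() {
  curl -sf --max-time 3 -H 'Metadata-Flavor: Google' "$METADATA_URL"
}

# Read scope URLs on stdin and print exactly one verdict:
#   missing      - no Cloud SQL Admin scope: the proxy gets 403 insufficientPermissions
#   ok           - Cloud SQL Admin scope present, no blanket scope
#   ok-but-broad - cloud-platform present: any application on the VM can call
#                  any Cloud API with the service account's credentials
classify_scopes() {
  has_sql=0; has_full=0
  # "|| [ -n ... ]" keeps a final line that has no trailing newline.
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')
    case "$line" in
      "$SQL_SCOPE")  has_sql=1 ;;
      "$FULL_SCOPE") has_full=1 ;;
    esac
  done
  if [ "$has_full" -eq 1 ]; then echo "ok-but-broad"
  elif [ "$has_sql" -eq 1 ]; then echo "ok"
  else echo "missing"
  fi
}

# Constructed sample: scope list of a VM created without Cloud SQL access.
SAMPLE_DEFAULT="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write"

if [ "${1:-}" = "--live" ]; then
  # On a real VM: fail loudly instead of reporting "missing" on a fetch error.
  scopes=$(fetch_scopes) || { echo "metadata server unreachable" >&2; exit 2; }
  printf '%s\n' "$scopes" | classify_scopes
else
  printf '%s\n' "$SAMPLE_DEFAULT" | classify_scopes   # prints: missing
fi
```

Run it with --live on the Compute Engine VM before starting the proxy; without arguments it only classifies the constructed sample.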