
After following the tutorial Connecting [Postgres] from Kubernetes Engine, I was able to have my app server connect to my Postgres database through a Cloud SQL Proxy and a service account that grants the "SQL Client", "SQL Editor" and "SQL Admin" permissions.

But, after following this tutorial a second time (to create a second database, for use from another cluster), and hence creating a second service account with the same permissions, I realised that I could only connect my second Cloud SQL database using my first service account!

Every time I tried to use the second service account (which, again, grants access to the exact same 3 permissions!), I was getting couldn't connect to "project:region:instance" errors...

Context: I know that instance-based permissions are not supported by Cloud SQL yet, but I would like to have dedicated service accounts for each of my 2 databases if possible, and do not understand why a second service account with same permissions does not work.

It might be related to this: your cloudsql-instance-credentials file is generated based on your service account. Did you generate a second one and add this new credential file to your volumes? (amport)

Thanks @Mangu! I believe I had! That said, a colleague was able to create his own service account and connect to both databases with it, so we're good. Note: the "CloudSQL Client" permissions were enough for this. (Adrien Joly)

May I ask you to post as an answer how your peer was able to do this? If possible, of course. It looks like an interesting situation. (amport)

1 Answer


First of all, you only need the Cloud SQL Client role for your Cloud SQL Proxy. Other roles are not required.

Secondly, are you using the app server from the same Kubernetes cluster? Are you trying to use the same Kubernetes secret cloudsql-instance-credentials for both service accounts?

If yes, that's the problem. You need to update the cloudsql-instance-credentials secret with the new credentials JSON for the second service account.

Alternatively, you may keep two secret objects, cloudsql-instance-credentials-service-account-1 and cloudsql-instance-credentials-service-account-2, and update the config YAML to mount the required secret like below:

```yaml
spec:
  containers:
    - name: cloudsql-proxy
      image: gcr.io/cloudsql-docker/gce-proxy:1.09
      command: ["/cloud_sql_proxy", "--dir=/cloudsql",
                "-instances=<instance_connection_name>=tcp:5432",
                "-credential_file=/secrets/cloudsql/credentials.json"]
      volumeMounts:
        - name: cloudsql-instance-credentials
          mountPath: /secrets/cloudsql
          readOnly: true
  volumes:
    - name: cloudsql-instance-credentials
      secret:
        # the secret holding the key JSON of the second service account
        secretName: cloudsql-instance-credentials-service-account-2
```
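A check worth running after wiring this up, as an added example that is not part of the answer: given each deployment's pod spec (built here as constructed Python dicts with hypothetical instance and secret names), follow the proxy's `-credential_file` path through its volumeMount to the backing Secret, and report any Secret that two deployments share, which is exactly the situation that made the second service account appear not to work.

```python
from typing import Dict, List, Optional

def make_spec(instance: str, secret_name: str) -> dict:
    # Constructed pod spec mirroring the answer's sidecar layout (hypothetical values).
    return {
        "containers": [{
            "name": "cloudsql-proxy",
            "image": "gcr.io/cloudsql-docker/gce-proxy:1.09",
            "command": ["/cloud_sql_proxy", "--dir=/cloudsql",
                        f"-instances={instance}=tcp:5432",
                        "-credential_file=/secrets/cloudsql/credentials.json"],
            "volumeMounts": [{"name": "cloudsql-instance-credentials",
                              "mountPath": "/secrets/cloudsql", "readOnly": True}],
        }],
        "volumes": [{"name": "cloudsql-instance-credentials",
                     "secret": {"secretName": secret_name}}],
    }

def proxy_credential_secret(pod_spec: dict) -> Optional[str]:
    """Follow -credential_file -> volumeMount -> volume and return the secretName."""
    for container in pod_spec.get("containers", []):
        if container.get("name") != "cloudsql-proxy":
            continue
        cred_path = None
        for arg in container.get("command", []) + container.get("args", []):
            if arg.startswith(("-credential_file=", "--credential_file=")):
                cred_path = arg.split("=", 1)[1]
        if cred_path is None:
            return None  # proxy runs without a key file (e.g. node default credentials)
        volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
        for mount in container.get("volumeMounts", []):
            if cred_path.startswith(mount["mountPath"].rstrip("/") + "/"):
                vol = volumes.get(mount["name"], {})
                if "secret" in vol:
                    return vol["secret"]["secretName"]
    return None

def secrets_shared_across(specs: Dict[str, dict]) -> Dict[str, List[str]]:
    """Secrets read by more than one deployment's proxy: the asker's symptom."""
    users: Dict[str, List[str]] = {}
    for deployment, spec in specs.items():
        secret = proxy_credential_secret(spec)
        if secret is not None:
            users.setdefault(secret, []).append(deployment)
    return {s: d for s, d in users.items() if len(d) > 1}
```

An empty result means each proxy reads its own service account key; a non-empty one names the Secret that was copied between deployments instead of being replaced.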