How to fix: 403 Error with Google Cloud SQL Export

1
votes

I am attempting to export a full SQL dump of one of our Cloud SQL Postgres instances to Google Cloud Storage so we can have more frequent backups using the google-api-go-client (https://github.com/googleapis/google-api-go-client)

Not matter what I configure, I keep getting this error: panic: googleapi: Error 403: The client is not authorized to make this request., notAuthorized from sqladminService.Instances.Export.

I have a service account configured with the following permissions:

  • Cloud SQL Admin
  • Storage Admin
  • Compute Storage Admin (for something else)

The bucket I am exporting to inherits permissions from the Storage Admin role.

Code: ./k8s/sql.go

package gcp

import (
    "fmt"
    "time"

    "golang.org/x/net/context"
    "golang.org/x/oauth2/google"
    sqladmin "google.golang.org/api/sqladmin/v1beta4"
)

type SQLService interface {
    Test(project string) error
}

type sqlService struct {
    context         context.Context
    sqladminService *sqladmin.Service
}

func NewSQLService(serviceAccountJSON []byte) (SQLService, error) {
    context := context.Background()

    jwtCfg, err := google.JWTConfigFromJSON(serviceAccountJSON, sqladmin.SqlserviceAdminScope, sqladmin.CloudPlatformScope)
    if err != nil {
        return sqlService{}, err
    }
    httpClient := jwtCfg.Client(context)

    sqladminService, err := sqladmin.New(httpClient)
    if err != nil {
        return sqlService{}, err
    }

    return sqlService{
        context:         context,
        sqladminService: sqladminService,
    }, nil
}

func (s sqlService) Test(project string) error {
    instance := "REGION:INSTANCE_NAME

    storageURI := fmt.Sprintf("gs://BUCKET/FILE-%s.sql.gz", time.Now().Format(time.RFC3339))
    databases := []string{"DATABASE"}

    req := &sqladmin.InstancesExportRequest{
        ExportContext: &sqladmin.ExportContext{
            Uri:       storageURI,
            Databases: databases,
        },
    }

    _resp, err := s.sqladminService.Instances.Export(project, instance, req).Context(s.context).Do()
    if err != nil {
        return err
    }

    return nil
}

Test code:

func Test(cfg config.Config) {
    sql, err := gcp.NewSQLService(cfg.GCPServiceAccountEncodedCreds)
    if err != nil {
        panic(err)
    }

    err = sql.Test(cfg.Project)
    if err != nil {
        panic(err)
    }
}

Any help would be appreciated

1
google-cloud-sql
In this instance := "REGION:INSTANCE_NAME can you try "Projectid:Region:Instance_name" or "Instance_name"?TasosZG
And in general, are you able to make any operation other than export?TasosZG

1 Answers

0
votes

The documentation for InstancesExport shows that the required parameters are the "projectId" and the "instanceId". You have declared instance as "REGION:INSTANCE_NAME" - but what you really want is "INSTANCE_NAME".

You aren't authorized to view that instance (because in this case, it doesn't exist).