Service account not assigned to CloudSQL instance

0
votes

I would need to have a CloudSQL instace created with particular service account. Trying API call instances.insert:

POST https://www.googleapis.com/sql/v1beta4/projects/{project}/instances
{
  "serviceAccountEmailAddress": "<my account>@managed-gcp.iam.gserviceaccount.com",
  "name": "pvtest20200611-3",
  "settings": {
    "tier": "db-n1-standard-1"
  },
  "databaseVersion": "MYSQL_5_7"
}

The instance is created but it has a generated svc account (e.g. [email protected]) instead of mine.

For my SA, I have storage admin/storage object admin roles assiged (this is what I would need newly created instances to always have). I also added cloudsql admin role. When I thought it was a role problem so even tried the Project Editor role, but this didn't work.

I have tried MySQL and Postgres db types.

Would you know why is not my account picked up, why is CloudSQL engine always assigning it's own? What are requirement/setup for custom SA to work with CloudSQL instance?

1
google-cloud-sql
If you think my answer helped you, please, consider upvoting/accepting it.gso_gabriel
Will do, thanks. I was mislead by API documentation (that is not saying that the field is output-only).premysl

1 Answers

0
votes

When you create an instance in Cloud SQL, it will use the default one during the creation, so, you won't be able to set a custom one during the creation.

It's possible, however, for you to give access and permissions for a Service Account after the creation. As explained in the official documentation Granting roles to a service account for specific resources, you can provide specific permissions to your Service Account. You can try using the gcloud command as follows:

gcloud projects add-iam-policy-binding my-project-123 \
  --member serviceAccount:[email protected] \
  --role roles/editor

Besides that, you can also check all your available Service Accounts using this link here, to verify if your custom one is there and even add the permissions via UI, if you think it's better via this way.

Let me know if the information helped you!