Default Compute Engine service account cant access Cloud SQL

Question

Im trying to get my compute engine instance to communicate with Cloud SQL using the Proxy. I keep getting this error when I try to start the proxy:

the default Compute Engine service account is not configured with sufficient permissions to access the Cloud SQL API from this VM. Please create a new VM with Cloud SQL access (scope) enabled under "Identity and API access". Alternatively, create a new "service account key" and specify it using the -credentials_file parameter

When I describe my instance using gcloud compute instances describe the service account and scopes are:

serviceAccounts:
- email: 123456-compute@developer.gserviceaccount.com
  scopes:
  - https://www.googleapis.com/auth/devstorage.full_control
  - https://www.googleapis.com/auth/logging.write
  - https://www.googleapis.com/auth/monitoring.write
  - https://www.googleapis.com/auth/sqlservice
  - https://www.googleapis.com/auth/sqlservice.admin

I can get this working if I create a new instance with full scope permissions:

serviceAccounts:
- email: 123456-compute@developer.gserviceaccount.com
  scopes:
  - https://www.googleapis.com/auth/cloud-platform

But this seems less secure than just specifying the scopes I need.

Answer 1

It is an issue fixed in https://github.com/GoogleCloudPlatform/cloudsql-proxy/pull/21.

We will roll out a new release on Monday (4/18). Or you can compile from the source on github. Sorry for the inconvenience.