RobF

Reputation: 221

Can't access Google Cloud SQL instance from different GCP project, despite setting IAM permissions

I'm attempting to access a Google Cloud SQL instance stored on one Cloud Platform project from an App Engine application on another project, and it's not working.

Connections to the SQL instance fail with this error: OperationalError: (2013, "Lost connection to MySQL server at 'reading initial communication packet', system error: 38")

I followed the instructions in Google's documentation and added the App Engine service account for the second project to the IAM permissions list for the project housing the Cloud SQL instance (with "Cloud SQL Editor" as the role). The connection details and configuration I'm using in my app are identical to those being used in a perfectly functioning App Engine app housed in the same project as the Cloud SQL instance.

The only thing that seems off about my configuration is that in my second GCP project, while an App Engine service account that looks like the default one ([MY-PROJECT-NAME]@appspot.gserviceaccount.com) appears in the IAM permissions list, this service account is not listed under the Service Accounts tab of IAM & Admin. The only service account listed is the Compute Engine default service account. I haven't deleted any service accounts; there's never been an App Engine default service account listed here, but apart from the MySQL connection the App Engine app runs fine.

Not sure if it's relevant, but I'm running a Python 2.7 app on the App Engine Standard Environment, connecting using MySQLdb.

Upvotes: 5

Views: 4183

Answers (1)

RobF

Reputation: 221

Figured it out eventually - perhaps this will be useful to someone else encountering the same problem.

Problem:

The problem was that the "Cloud SQL Editor" role is not a superset of the "Cloud SQL Client", as I had imagined; "Cloud SQL Editor" allows administration of the Cloud SQL instance, but doesn't allow basic connectivity to the database.

Solution:

Deleting the IAM entry granting Cloud SQL Editor permissions and replacing it with one granting Cloud SQL Client permissions fixed the issue and allowed the database connection to go through.

Upvotes: 8
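As an added check (not part of the question or answer, and not Google's tooling), the following Python 3 snippet reads an IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints, reports whether a service account is in the "Cloud SQL Editor but no Cloud SQL Client" state the answer describes, and builds the corrected bindings. The role ids `roles/cloudsql.client` and `roles/cloudsql.editor` are assumed to be the ids behind those console names, and the sample policy is constructed.

```python
import json

# Roles from the thread (assumption: these are the IAM role ids behind the console names).
CLIENT_ROLE = "roles/cloudsql.client"  # "Cloud SQL Client": the role that made connections work
EDITOR_ROLE = "roles/cloudsql.editor"  # "Cloud SQL Editor": administration, but per the thread no connect

# Constructed sample in the shape `gcloud projects get-iam-policy PROJECT --format=json` prints.
SAMPLE_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/cloudsql.editor",
     "members": ["serviceAccount:app-project@appspot.gserviceaccount.com"]},
    {"role": "roles/cloudsql.client",
     "members": ["serviceAccount:other-app@appspot.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:alice@example.com"]}
  ],
  "etag": "BwWexample", "version": 1
}"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)

def roles_for_member(policy, member):
    """Set of roles bound directly to `member` (e.g. 'serviceAccount:x@y') in a policy dict."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def check_cloudsql_access(policy, service_account_email):
    """'ok' (has Client), 'editor_only' (the misconfiguration from the question:
    Editor but no Client) or 'none' (no Cloud SQL role bound to the account)."""
    roles = roles_for_member(policy, "serviceAccount:" + service_account_email)
    if CLIENT_ROLE in roles:
        return "ok"
    if EDITOR_ROLE in roles:
        return "editor_only"
    return "none"

def fix_binding(policy, service_account_email):
    """Copy of the policy with the account's Editor binding swapped for Client, mirroring
    the fix in the answer. Other members and roles are left untouched."""
    member = "serviceAccount:" + service_account_email
    bindings = []
    for b in policy.get("bindings", []):
        members = [m for m in b.get("members", []) if not (b["role"] == EDITOR_ROLE and m == member)]
        if members:  # drop a binding that became empty
            bindings.append({"role": b["role"], "members": members})
    for b in bindings:
        if b["role"] == CLIENT_ROLE:
            if member not in b["members"]:
                b["members"].append(member)
            break
    else:  # no Client binding existed yet
        bindings.append({"role": CLIENT_ROLE, "members": [member]})
    return dict(policy, bindings=bindings)
```

Run `check_cloudsql_access` against the host project's policy for the App Engine service account of the other project; `editor_only` is exactly the state that produced the "Lost connection" error above.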
