Cannot connect to Google cloud SQL from App Engine Standard Environment

Question

I have recently switch my code to another project. I use the Public IP method addressed in official document but to no avail.

In the log explorer, I have seen a lot of warning entries state that:

CloudSQL warning: your action is needed to update your application and avoid potential disruptions. Please see https://cloud.google.com/sql/docs/mysql/connect-app-engine-standard for additional details:

Post https://sqladmin.googleapis.com/sql/v1beta4/projects/<PROJECT_ID>/instances/asia-east1~<CLOUD_SQL_INSTANCE>:generateEphemeralCert?alt=json&prettyPrint=false: rpc error: code = PermissionDenied desc = IAM permission denied for service account gae-deploy@<PROJECT_ID>.iam.gserviceaccount.com.

Things I have confirmed and checked:

• New cloud SQL and app engine are on the same project
• Cloud SQL Admin API is enabled
• App engine region is asia-east1 (same as the cloud SQL region)
• App engine service account and GAE cloud deploy accounts have Cloud SQL Admin role
• Default service account [PROJECT_ID]@appspot.gserviceaccount.com has the following roles:
  • Cloud SQL Admin, Editor, Service Account Token Creator, Storage Object Admin
• Created service account gae-deploy@<PROJECT_ID>.iam.gserviceaccount.com has the following roles:
  • App Engine Service Admin, Cloud Build Service Account, Cloud SQL Admin, Cloud SQL Client, Serverless VPC Access User, Service Account User

According to the documents, Cloud SQL Client role is enough. But the logs keep telling me that the service account cannot access the cloud sql admin API.

What am I doing wrong? Or which additional IAM roles should I grant to the service accounts?

Answer 1

I have tried the similar steps mentioned on this github thread comment. Steps I have done:

• remove ALL roles for both default app engine service account [PROJECT_ID]@appspot.gserviceaccount.com and gae-deploy@<PROJECT_ID>.iam.gserviceaccount.com
• Add the same roles back
• Rebuild app engine

Now everything is usual