33

I'm trying to run Google Cloud SQL proxy locally like this:

$ ./cloud_sql_proxy -instances project-name:region-name:instance-id tcp:3306

But it's returning

google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.

My Google Cloud SDK is already installed and logged in to Google.

How do I fix this?

1

4 Answers

57

Two problems may be generating your problem.

To find out what is logged in, use:

gcloud auth login

1. You don't have application default credentials

If you have a recent version of gcloud you will get:

WARNING: `gcloud auth login` no longer writes application default credentials.

To make your local application use your credentials you need to do (ref):

gcloud auth application-default login

If you don't see this warning consider updating gcloud, with:

gcloud components update

2. You haven't defined your project

After login, you should see:

Your current project is [project-id].

Once again two solutions:

a. Associate a project

If you are not seeing this, do (ref):

gcloud config set project PROJECT_ID

b. Use global --project flag in the call

In your command associate a project:

.\cloud_sql_proxy -instances=project-id:region-name:instance-id=tcp:3306 --project=project-id
15

Google application default credentials are managed separately from gcloud credentials.

Use

gcloud auth application-default login

instead to set up your user credentials as application default. See reference for more info.

Previously gcloud auth login did this, but with more recent Cloud SDK versions this is no longer the case.

Note that switching gcloud configuration or setting account will not update application default credentials. Only commands in gcloud auth application-default can be used to manage these.

Also, to use a service account as the application default credential, you can use it directly by downloading its JSON key from the developer console.

3
  • The thing still returns the same error. I tried both gcloud auth application-default login and using external service account json key.
    – starleaf1
    Commented Dec 20, 2016 at 2:27
  • By any chance, do you have the GOOGLE_APPLICATION_CREDENTIALS environment variable set? Also, have you tried to use the -credential_file parameter?
    – cherba
    Commented Dec 20, 2016 at 14:23
  • 1
    It looks like I must set the default project in gcloud to the one which my instance is in. Otherwise, it would just return the error.
    – starleaf1
    Commented Dec 20, 2016 at 15:40
0

If you're in a CI/CD environment without access to a browser:

or if you simply want to automate the process.

Instead of running gcloud auth application-default login, you need to expose the location of your service account JSON file using the variable $GOOGLE_APPLICATION_CREDENTIALS.

e.g. echo "export GOOGLE_APPLICATION_CREDENTIALS=${TF_VAR_gcp_service_account_file_loc}" >> $BASH_ENV (if you need to move env vars between steps/jobs). $BASH_ENV is a special property exposed by CircleCI; if you use a different CI/CD tool, you will need to find the location of the bash profile.

or simply export GOOGLE_APPLICATION_CREDENTIALS=[path-to-service-account-json-file] for use within the same step
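
An added diagnostic, not part of any answer above and not Google's own tooling: it reports which credentials file Application Default Credentials lookup would pick up, covering the separate-from-gcloud point in the second answer and the GOOGLE_APPLICATION_CREDENTIALS route in the third. The function names are hypothetical, and it assumes Linux/macOS with the well-known file at $HOME/.config/gcloud/application_default_credentials.json.

```shell
#!/bin/sh
# Added example (not from the original answers): show which file
# Application Default Credentials (ADC) lookup would use.
# Assumed order: GOOGLE_APPLICATION_CREDENTIALS first, then the well-known
# file written by `gcloud auth application-default login`.
# Usage: source this file, then run: adc_source

# Print the "type" field of a credentials JSON file
# ("authorized_user" for user ADC, "service_account" for a key file).
cred_type() {
    sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed if the file is readable by group or others (a key file should not be).
too_open() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Print "<source> <type> <path>" and return 0, or print a reason and return 1.
adc_source() {
    well_known="$HOME/.config/gcloud/application_default_credentials.json"
    if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
        f="$GOOGLE_APPLICATION_CREDENTIALS"
        # Assumption: a set-but-unreadable path is treated as an error by the
        # client libraries; lookup does not fall back to the well-known file.
        if [ ! -r "$f" ]; then
            echo "env-missing $f"
            return 1
        fi
        src="env"
    elif [ -r "$well_known" ]; then
        f="$well_known"
        src="well-known"
    else
        echo "none: run 'gcloud auth application-default login' or set GOOGLE_APPLICATION_CREDENTIALS"
        return 1
    fi
    t="$(cred_type "$f")"
    if too_open "$f"; then
        echo "warning: $f is readable by group/others; chmod 600 it" >&2
    fi
    echo "$src ${t:-unknown} $f"
}
```

A result of env-missing means the variable is set but points at a file that cannot be read, which is the situation the comment about GOOGLE_APPLICATION_CREDENTIALS asks about.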

0

In this scenario using cloud_sql_proxy, the approach is to use GCP-GSA (service accounts). Download cloud sql proxy:

wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy

chmod +x cloud_sql_proxy

Create a proxy user:

gcloud iam service-accounts create proxy-user --display-name "proxy-user"

gcloud iam service-accounts list

[SERVICE_ACCOUNT_EMAIL] is the email on the SQL instance details.

gcloud projects add-iam-policy-binding [PROJECT_ID] --member \
serviceAccount:[SERVICE_ACCOUNT_EMAIL] --role roles/cloudsql.client

gcloud iam service-accounts keys create key.json --iam-account [SERVICE_ACCOUNT_EMAIL]


gcloud sql instances describe [INSTANCE_ID] | grep connectionName

CREATE A KEY JSON FILE FOR THE KUBE ENGINE

./cloud_sql_proxy -instances=[INSTANCE_CONNECTION_NAME]=tcp:3306 -credential_file=key.json &


kubectl create secret generic cloudsql-instance-credentials --from-file=credentials.json=key.json

Your deployment :

apiVersion: apps/v1
kind: Deployment
metadata:
  name: <DEPLOYMENT-NAME>
spec:
  selector:
    matchLabels:
      app: <APPLICATION-NAME>
  template:
    metadata:
      labels:
        app: <APPLICATION-NAME>
    spec:
      serviceAccountName: <KSA-NAME>
      containers:
      - name: cloud-sql-proxy
        image: gcr.io/cloudsql-docker/gce-proxy:1.17
        command:
          - "/cloud_sql_proxy"
          - "-instances=<INSTANCE_CONNECTION_NAME>=tcp:<DB_PORT>"
        securityContext:
          runAsNonRoot: true
