Cannot connect to Google cloud SQL from App Engine Standard Environment - google-app-engine

I have recently switched my code to another project.
I use the Public IP method addressed in the official document, but to no avail.
In the log explorer, I have seen a lot of warning entries stating that:
CloudSQL warning: your action is needed to update your application and avoid potential disruptions. Please see https://cloud.google.com/sql/docs/mysql/connect-app-engine-standard for additional details:
Post https://sqladmin.googleapis.com/sql/v1beta4/projects/<PROJECT_ID>/instances/asia-east1~<CLOUD_SQL_INSTANCE>:generateEphemeralCert?alt=json&prettyPrint=false: rpc error: code = PermissionDenied desc = IAM permission denied for service account gae-deploy@<PROJECT_ID>.iam.gserviceaccount.com.
Things I have confirmed and checked:
New cloud SQL and app engine are on the same project
Cloud SQL Admin API is enabled
App engine region is asia-east1 (same as the cloud SQL region)
App engine service account and GAE cloud deploy accounts have Cloud SQL Admin role
Default service account [PROJECT_ID]@appspot.gserviceaccount.com has the following roles:
Cloud SQL Admin, Editor, Service Account Token Creator, Storage Object Admin
Created service account gae-deploy@<PROJECT_ID>.iam.gserviceaccount.com has the following roles:
App Engine Service Admin, Cloud Build Service Account, Cloud SQL Admin, Cloud SQL Client, Serverless VPC Access User, Service Account User
According to the documents, Cloud SQL Client role is enough. But the logs keep telling me that the service account cannot access the cloud sql admin API.
What am I doing wrong? Or which additional IAM roles should I grant to the service accounts?

I have tried steps similar to those mentioned in this GitHub thread comment.
Steps I have done:
Remove ALL roles for both the default App Engine service account [PROJECT_ID]@appspot.gserviceaccount.com and gae-deploy@<PROJECT_ID>.iam.gserviceaccount.com
Add the same roles back
Rebuild app engine
Now everything is usual
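
An added example (not part of the original post): a Python audit of an IAM policy export that reports, per service account, whether a live binding grants a role this example treats as sufficient for Cloud SQL connections, which bindings point at a deleted account of the same name, and which granted roles are broader than a runtime identity needs. The sample policy, the project name `example-project` and the two role sets are constructed assumptions, and a stale binding is only one possible reason why removing and re-adding the roles helped.

```python
import json

# Roles this example treats as granting cloudsql.instances.connect
# (assumption for illustration; verify against the role definitions).
CONNECT_ROLES = {"roles/cloudsql.client", "roles/cloudsql.editor", "roles/cloudsql.admin"}
# Roles broader than an identity needs just to open a connection.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/cloudsql.admin"}

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudsql.client",
   "members": ["deleted:serviceAccount:gae-deploy@example-project.iam.gserviceaccount.com?uid=1111"]},
  {"role": "roles/cloudsql.admin",
   "members": ["serviceAccount:example-project@appspot.gserviceaccount.com"]},
  {"role": "roles/editor",
   "members": ["serviceAccount:example-project@appspot.gserviceaccount.com"]}
]}
""")


def audit(policy, email):
    """Return (can_connect, stale_roles, broad_roles) for one service account."""
    live = f"serviceAccount:{email}"
    stale_prefix = f"deleted:serviceAccount:{email}?uid="
    active, stale = set(), set()
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue  # conditional grants need separate evaluation; not counted here
        for member in binding.get("members", []):
            if member == live:
                active.add(binding["role"])
            elif member.startswith(stale_prefix):
                # The binding still names an account that was deleted (and
                # possibly recreated under the same e-mail); it grants nothing.
                stale.add(binding["role"])
    return bool(active & CONNECT_ROLES), sorted(stale), sorted(active & BROAD_ROLES)


if __name__ == "__main__":
    for sa in ("gae-deploy@example-project.iam.gserviceaccount.com",
               "example-project@appspot.gserviceaccount.com"):
        ok, stale, broad = audit(SAMPLE_POLICY, sa)
        print(f"{sa}\n  can connect: {ok}\n  stale bindings: {stale}\n  broad roles: {broad}")
```

In the constructed policy the deploy account looks as if it holds Cloud SQL Client, but the binding is stale, while the default account connects only through roles far wider than Cloud SQL Client.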

Related

How to Endow Azure App Service Web Site with Appropriate (Minimal) Azure SQL Database Privileges?

Goal:
Assign appropriate Azure SQL database privileges to App Service Web Site's system service principal (or better yet) the user assigned service principal.
Background:
After having followed along with Alexandre's tutorial on creating Azure SQL administrators I created a simple Blazor Server App that can insert entries into a simple Azure SQL resident table because the system assigned service principal of the Azure App Service Web site is an administrator for the Azure SQL database.
Problem:
Database administrator privileges are not appropriate or necessary for the Azure App Service Web site. I need to endow the Azure App Service Web site with minimal privileges (such as db_datawriter) to be consistent with Microsoft's recommended best practices.
What is Working (Updated):
I've been following along with Jesse's tutorial where he endows his account as the Azure SQL administrator and creates new accounts with limited roles like db_datareader, db_datawriter and db_ddladmin. This was not working previously (when I first posted).
Tue May 24 2022 Update:
I started over again (with a new azure SQL database) following Jesse's tutorial and I can now
log into the Query Explorer
create a user
grant access to that user to update, select and insert into a table
Connect with SSMS with no password and access the database tables as that user
Run my blazor app and insert into the table as well (with no password!)
New Questions (Tue May 24 2022):
When I deploy my blazor app to Azure AppService Web app, it cannot connect.
How do I write bicep code to grant my azure app service resident blazor app access to my azure SQL database? I think I need to use the system assigned service principal for the web app (does this have a password?) and use SQLCMD.EXE to execute those CREATE USER and ALTER ROLE commands. How do I do that? The problem is that the system assigned service principal of the web app is not an active directory object. Conversely, "az ad user show" does not have a principalId I can use as a user assigned service principal that I could assign to the web app.
So when I am running on my desktop dev machine, DefaultAzureCredential is detecting that I am logged in to Azure with the Microsoft account and I can debug my blazor app on my dev machine...
How do I configure Azure SQL to allow access from the Azure App Service web app as well as access from my desktop dev machine? This is easy to do with cosmos SQL and I'm thinking it should be possible with Azure SQL as well.
Thanks
Siegfried
This article I recently published should be able to help you: https://dev.to/azure/create-and-connect-to-an-azure-sql-db-9k0. And yes, this sentence you mentioned, "it looks like this is the way to conform to the Microsoft recommend Best Practices of abandoning passwords in favor of service principals and managed identities", is definitely correct.

Cannot connect to cloud SQL [SQLSTATE[HY000] [2002] No such file or directory]

I have set up 2 projects in my Google Cloud console. The following are the two projects that I have set up in my console.
1. Cloud SQL + App Engine
2. App Engine (New)
So the idea is that App Engine (1) is running the same database as App Engine (2). I have already set up the IAM Permission Page and IAM Admin and Project Page.
I have given both projects the Project Editor role too, but my (2) still can't connect to my (1) database.
Any help please?
Granting access to an application does not automatically enable a database user account to connect to the instance.
You may connect through a proxy, in which case you should follow these steps:
Enable the API
Install the proxy client on your local machine
Determine how you will authenticate the proxy
If required by your authentication method, create a service account
Determine how you will specify your instances for the proxy
Start the proxy
Update your application to connect to Cloud SQL using the proxy
You can find related details on the Connecting to Cloud SQL from External Applications.
This document provides steps that cover configuring access for IP connections as well.
If you connect from within the app engine environment, you may have a look at Connecting from App Engine.

Connecting Google Container Registry to Cloud SQL

We're using Google App Engine and Cloud SQL for a Django web app. We want to run migrations during the build; however, GAE uses Container Registry to build the app, and Container Registry is not authenticated to access Cloud SQL. So, as expected, the migrations fail due to a rejected connection.
How does someone authorize Container Registry to access Cloud SQL?
When you say:
GAE uses Container Registry to build the app, and Container Registry is not authenticated to access Cloud SQL.
I assume that you mean:
GAE uses Container Builder to build the app, and the Container Builder Service Account is not authenticated to access Cloud SQL.
Assuming that's what you need, this document explains how to use IAM to grant additional permissions to the Service Account: https://cloud.google.com/container-builder/docs/how-to/service-account-permissions
If you are in fact asking a different question, please clarify, including an example that demonstrates the problem you are having.

How to connect Google Cloud SQL with Apps and Tools?

How to connect Google Cloud SQL with Apps (like Google App Engine) and Tools (like MySQL Workbench) in a secure way?
In this document we'll see how to create a Google Cloud SQL Instance and connect them in your Google App Engine application and MySQL Workbench admin tool.
Google Cloud SQL:
Google Cloud SQL is a fully-managed database service that makes it easy to set-up, maintain, manage and administer your relational MySQL databases in the cloud.
Google Cloud SQL provides a relational database that you can use with your App Engine application. Cloud SQL is a MySQL database that lives in Google's cloud.
refer:
https://cloud.google.com/sql/
https://cloud.google.com/sql/docs/
Creating SQL Instances:
A Google Cloud SQL instance is a MySQL database hosted in Google's cloud.
Go to the Cloud SQL Instances page in the Google Cloud Platform
Console (https://console.cloud.google.com/sql/instances) and Click
Create instance.
Click Choose First Generation, Enter a name and Choose a tier for
the instance and Click Create.
After the instance finishes initializing, select the instance to
open it.
In Access Control > Users, Click Create user account and create a
user with name root and specify a password (root_password). This
creates the MySQL user 'root'@'%'.
In Databases, Click New Database and create a database with a
DataBase name (DataBase_Name)
MySQL Workbench:
MySQL Workbench is a unified visual tool for database architects, developers, and DBAs. MySQL Workbench provides data modeling, SQL development, and comprehensive administration tools for server configuration, user administration, backup, and much more.
refer http://www.mysql.com/products/workbench/
Now we'll see how to connect to your Google Cloud SQL instance database with MySQL Workbench.
Configuring access
Go to the Cloud SQL Instances page in the Google Cloud Platform
Console and select the instance.
In Access Control > IP address, Click Request IPv4 address and copy
it (Instance_IPv4_address). It is needed to connect your Google Cloud
SQL instance database with Admin tools like MySQL Workbench.
note: You will be charged for IPv4 address @ $0.01 each hour the instance is inactive and $0.1 each hour the instance is active
Google 'ip address' to find your public IP address
In Access Control > Authorization > Authorized networks, click Add
network and enter your IP address.
In Access Control > Users, Create a user with username (userName),
password (password) and the option 'Allow any host selected'. It is
recommended to use a separate user account to access from WorkBench
Connecting
In the MySQL Workbench home view, click New Connection.
In the Setup New Connection window, provide a Connection Name,
Hostname and Username
Click Test Connection. You will be prompted for a password.
Once the MySQL connection is made successful, Click OK and click on
the saved connection to open SQL Editor
Google App Engine:
Google App Engine is a platform for building scalable web applications and mobile backends. App Engine will scale your application automatically.
refer https://cloud.google.com/appengine
Now we'll see how to set up a connection between an App Engine application and a Cloud SQL instance.
Configuring access
Go to the Cloud SQL Instances page in the Google Cloud Platform
Console and select the instance.
In Access Control > Authorization > Authorized App Engine
applications, click Add application ID and enter the application ID.
Click Done and Save.
In Overview > Properties Copy the 'Instance connection name'
(Instance_Connection_Name)
In your Google Web Application Project,
war/WEB-INF/appengine-web.xml add,
true
Code sample:
An example for Google App Engine - Java Standard Environment

    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.SQLException;
    import com.google.appengine.api.utils.SystemProperty;

    public static Connection connect() throws ClassNotFoundException, SQLException {
        String url;
        if (SystemProperty.environment.value() == SystemProperty.Environment.Value.Production) {
            // Connecting from App Engine.
            Class.forName("com.mysql.jdbc.GoogleDriver");
            url = "jdbc:google:mysql://{{Instance_Connection_Name}}/{{DataBase_Name}}?user=root&password={{root_password}}";
        } else {
            // Connecting from an external network or localhost.
            Class.forName("com.mysql.jdbc.Driver");
            url = "jdbc:mysql://{{Instance_IPv4_address}}:3306/{{DataBase_Name}}?user={{userName}}&password={{password}}";
        }
        // The {{...}} placeholders are replaced with the values collected in the steps above.
        return DriverManager.getConnection(url);
    }

I would like to add to what Newton said:
The instance connection name is not just your "project_id:instance_id". Please go to the Google Cloud SQL Instance Overview page and copy the value in 'Instance connection name' field. Often 'Instance connection name' has region names or other values included, so be careful to replace it.

Why am I unable to connect to the Google Cloud SQL from Google App Engine?

I have a Google Cloud SQL project : cwdataproject (Project ID). I have created a schema named cwdb in it. Its Instance ID is : cwdataproject:cwinstance
I have provided access and privilege to cwdb for root user "root"
I have another app Google App Engine : messageframework (Project ID)
Project ID: messageframework
I have provided Authorized App Engine Applications in cwdataproject for messageframework
I have provided Authorized Networks for my local IP, and I am able to connect from the local MySQL client successfully.
My code to connect Google Cloud SQL from messageframework app is as below.
Code:
Class.forName("com.mysql.jdbc.GoogleDriver");
url = "jdbc:google:mysql://cwdataproject:cwinstance/cwdb?user=ajoysinha";
DriverManager.getConnection(url);
But it is giving the following error
Access denied for user 'root'@'localhost' (using password: NO)
How can we resolve this connectivity problem?
I am able to connect to Cloud SQL from my local MySQL client and do all the operations, but not from GAE.
