We're using Google App Engine and Cloud SQL for a Django web app. We want to run migrations during the build; however, GAE uses Container Registry to build the app, and Container Registry is not authenticated to access Cloud SQL. So, as expected, the migrations fail due to a rejected connection.
How does someone authorize Container Registry to access Cloud SQL?
When you say:
GAE uses Container Registry to build the app, and Container Registry not authenticated to access Cloud SQL.
I assume that you mean:
GAE uses Container Builder to build the app, and the Container Builder Service Account is not authenticated to access Cloud SQL.
Assuming that's what you need, this document explains how to use IAM to grant additional permissions to the Service Account: https://cloud.google.com/container-builder/docs/how-to/service-account-permissions
If you are in fact asking a different question, please clarify, including an example that demonstrates the problem you are having.
Related
I have recently switched my code to another project.
I use the Public IP method addressed in the official document, but to no avail.
In the log explorer, I have seen a lot of warning entries stating that:
CloudSQL warning: your action is needed to update your application and avoid potential disruptions. Please see https://cloud.google.com/sql/docs/mysql/connect-app-engine-standard for additional details:
Post https://sqladmin.googleapis.com/sql/v1beta4/projects/<PROJECT_ID>/instances/asia-east1~<CLOUD_SQL_INSTANCE>:generateEphemeralCert?alt=json&prettyPrint=false: rpc error: code = PermissionDenied desc = IAM permission denied for service account gae-deploy@<PROJECT_ID>.iam.gserviceaccount.com.
Things I have confirmed and checked:
New cloud SQL and app engine are on the same project
Cloud SQL Admin API is enabled
App engine region is asia-east1 (same as the cloud SQL region)
App engine service account and GAE cloud deploy accounts have Cloud SQL Admin role
Default service account [PROJECT_ID]@appspot.gserviceaccount.com has the following roles:
Cloud SQL Admin, Editor, Service Account Token Creator, Storage Object Admin
Created service account gae-deploy@<PROJECT_ID>.iam.gserviceaccount.com has the following roles:
App Engine Service Admin, Cloud Build Service Account, Cloud SQL Admin, Cloud SQL Client, Serverless VPC Access User, Service Account User
According to the documents, Cloud SQL Client role is enough. But the logs keep telling me that the service account cannot access the cloud sql admin API.
What am I doing wrong? Or which additional IAM roles should I grant to the service accounts?
I have tried steps similar to those mentioned in this GitHub thread comment.
Steps I have done:
Remove ALL roles for both the default App Engine service account [PROJECT_ID]@appspot.gserviceaccount.com and gae-deploy@<PROJECT_ID>.iam.gserviceaccount.com
Add the same roles back
Rebuild app engine
Now everything is as usual
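A way to check what a service account actually holds before granting more roles, as an added example that is not part of the original thread: it reads the project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy --format=json` and reports whether the account has the Cloud SQL Client role, which roles are broader than that, and which bindings are conditional or point at a deleted principal. The function name, project name and sample policy are constructed for illustration.

```python
CLIENT_ROLE = "roles/cloudsql.client"
# Roles that include far more than the connect permission.
BROAD_ROLES = {"roles/cloudsql.admin", "roles/editor", "roles/owner"}


def audit_sql_access(policy, email):
    """Summarise one service account's project-level roles for Cloud SQL."""
    live = "serviceAccount:" + email
    # IAM lists a principal that was deleted as deleted:...?uid=<id>; such a
    # binding does not apply to a recreated account with the same e-mail.
    stale_prefix = "deleted:serviceAccount:" + email + "?uid="
    roles, conditional, stale = [], [], []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member == live:
                roles.append(role)
                if "condition" in binding:  # only valid while it evaluates true
                    conditional.append(role)
            elif member.startswith(stale_prefix):
                stale.append(role)
    return {
        "has_client_role": CLIENT_ROLE in roles,
        "broader_than_needed": sorted(set(roles) & BROAD_ROLES),
        "conditional": sorted(conditional),
        "stale_bindings": sorted(stale),
    }


# Constructed sample policy (hypothetical project "example-project").
DEPLOY = "gae-deploy@example-project.iam.gserviceaccount.com"
DEFAULT = "example-project@appspot.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/cloudsql.admin",
     "members": ["serviceAccount:" + DEPLOY, "serviceAccount:" + DEFAULT]},
    {"role": "roles/cloudsql.client",
     "members": ["deleted:serviceAccount:" + DEPLOY + "?uid=100000000000000000001"]},
    {"role": "roles/cloudsql.client",
     "members": ["serviceAccount:" + DEFAULT],
     "condition": {"title": "temporary",
                   "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
    {"role": "roles/editor", "members": ["serviceAccount:" + DEFAULT]},
]}

if __name__ == "__main__":
    for account in (DEPLOY, DEFAULT):
        print(account, audit_sql_access(SAMPLE_POLICY, account))
```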
I've followed the following tutorial step by step.
I've tried the following:
Installing the App Engine phpMyAdmin on the same project as my Cloud SQL server.
Installing it in a different project and adding the right IAM roles (Cloud SQL Admin)
I can't for the life of me get it to connect. I get the following error:
It's unclear how you are trying to connect based on the info you have provided. To connect on App Engine, you need to use the provided unix domain socket at /cloudsql/<INSTANCE_CONNECTION_NAME> (the instance connection name can be found on your instances details page, and is in the format <project>:<region>:<instance>).
For more details on connecting from App Engine, check out the Connecting from App Engine page.
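The socket path described in this answer, applied to a Django `DATABASES` entry (added example, not code from the thread or from Google's documentation): it validates the `<project>:<region>:<instance>` connection name before building the `/cloudsql/...` host, and falls back to a locally running proxy outside App Engine. The helper name, the `127.0.0.1:3306` proxy address and the MySQL engine are assumptions.

```python
import re

# Exactly three colon-separated parts, none containing "/" or whitespace, so a
# bare instance name or a path fragment is rejected. Legacy domain-scoped
# project IDs, which contain an extra colon, are not handled (assumption).
_CONN_NAME = re.compile(r"[^:/\s]+:[^:/\s]+:[^:/\s]+")


def cloud_sql_database(conn_name, name, user, password, env):
    """Return a Django DATABASES entry for a Cloud SQL MySQL instance.

    env is a mapping such as os.environ. App Engine sets GAE_APPLICATION,
    which is used here to tell the deployed app from a local run.
    """
    if not _CONN_NAME.fullmatch(conn_name):
        raise ValueError(
            "expected <project>:<region>:<instance>, got %r" % conn_name)
    db = {
        "ENGINE": "django.db.backends.mysql",
        "NAME": name,
        "USER": user,
        "PASSWORD": password,
    }
    if env.get("GAE_APPLICATION"):
        # Django's MySQL backend treats a HOST starting with "/" as a
        # unix domain socket path.
        db["HOST"] = "/cloudsql/" + conn_name
    else:
        # Assumed local setup: the Cloud SQL proxy listening on loopback.
        db["HOST"] = "127.0.0.1"
        db["PORT"] = "3306"
    return db


if __name__ == "__main__":
    # Constructed values for illustration only.
    sample = cloud_sql_database(
        "example-project:asia-east1:example-instance",
        "appdb", "appuser", "change-me",
        {"GAE_APPLICATION": "b~example-project"})
    print(sample["HOST"])
```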
I am building a backend for an application with Google App Engine and Cloud SQL.
I do have:
A webserver as a proxy in front of my API server which handles sessions (using Cloud SQL and memcache) and calls the API
An API server which has access to the resource in the Cloud SQL instance
An OAuth server which also needs Cloud SQL and memcache for tokens etc.
So my questions: Do I need three Cloud SQL projects, which all have their own replica? Or is it OK to have one Cloud SQL project and all three App Engine projects access this Cloud SQL instance through the Cloud SQL proxy?
All projects will be located in the us-central region.
Would love to hear some thoughts.
Thanks!
I’m adding this information as a formal answer for the community. All credit goes to Dan Cornilescu.
You do not need to create 3 different projects. You can have 3 Google App Engine services running and a single Cloud SQL instance in the same project. That seems to be the best option for your situation. Using multiple services within a single project has its advantages, one of them being increased performance.
Note that you could also have multiple Cloud SQL instances running in the same project. You can follow this document that talks more about creating a Cloud SQL instance:
Creating Instances
In case you need more information about Google App Engine services, this is a good resource:
Microservices Architecture on Google App Engine
I have set up 2 projects in my Google Cloud console. The following are the two projects that I have set up in my console.
1. Cloud SQL + App Engine
2. App Engine (New)
So the idea is App Engine (1) is running the same database as App Engine (2). I have already set up the IAM Permission Page and IAM Admin and Project Page.
I have given both projects the Project Editor role too, but my (2) still can't connect to my (1) database.
Any help please?
Granting access to an application does not automatically enable a database user account to connect to the instance.
You may connect through a proxy, in which case you should follow these steps:
Enable the API
Install the proxy client on your local machine
Determine how you will authenticate the proxy
If required by your authentication method, create a service account
Determine how you will specify your instances for the proxy
Start the proxy
Update your application to connect to Cloud SQL using the proxy
You can find related details on the Connecting to Cloud SQL from External Applications.
This document provides steps that cover configuring access for IP connections as well.
If you connect from within the App Engine environment, you may have a look at Connecting from App Engine.
I'm trying to enable and create a Google Cloud SQL instance per: https://developers.google.com/cloud-sql/docs/before_you_begin#enroll
However, the "Cloud SQL" menu item does not appear when I open my project in Google Cloud Console as referenced in step #3.
I noticed that if I navigate to Cloud Development -> Push-to-deploy I get the error message: "Push-to-deploy is not available for this project because it is a legacy project."
How can I get Cloud SQL working with my project?
Cloud SQL Instances are not restricted to work only with AppEngine apps in the same project. You can just create a new project at https://cloud.google.com/console (which will have Cloud SQL enabled), and from that project create a new Cloud SQL Database. Just make sure you replace the default authorized AppEngine project with the old one on the Create screen.