I would like to use the application identifier access control method for allowing my app engine service connect to a Cloud SQL database. The app engine service is written using dart with sqljocky.
In the Developers Console, Storage, Cloud SQL, db instance, Overview tab, there is a link titled "How to connect to your Cloud SQL instance". There, I only see sample code for doing this in PHP, Java and Python. I've tried to find an analogous implementation for dart with no luck.
Can anyone suggest an approach for doing this?
Related
I am building a backend for an application with Google App Engine and Cloud SQL.
I do have:
A webserver as a proxy in front of my API server which handles sessions (using Cloud SQL and memcache) and calls the API
An API server which has access to the resource in the Cloud SQL instance
An OAuth server which also needs Cloud SQL and memcache for tokens etc.
So my questions: Do I need three Cloud SQL projects, which all have their own replica? Or is it ok to have one Cloud SQL project and all three App Engine projects access this Cloud SQL instance through the Cloud SQL proxy?
All projects will be located in the us-central region.
Would love to hear some thoughts.
Thanks!
I’m adding this information as a formal answer for the community. All credit goes to Dan Cornilescu.
You do not need to create 3 different projects. You can have 3 Google App Engine services running and a single Cloud SQL instance in the same project. That seems to be the best option for your situation. Using multiple services within a single project has its advantages one of them being increased performance.
Note that you could also have multiple Cloud SQL instances running in the same project. You can follow this document that talks more about creating a Cloud SQL instance:
Creating Instances
In case you need more information about Google App Engine services, this is a good resource:
Microservices Architecture on Google App Engine
Google App Engine seems to automatically tunnel its connections to Cloud SQL 2nd generation internally through Cloud SQL Proxy. This was discovered inadvertently while trying to sort out how to use TLS, unsuccessfully: "TLS requested but server does not support TLS" error with Google Cloud SQL (2nd generation) from Google App Engine?
I noticed that this works without allowing unsecured access globally to the Cloud SQL instance... which is nice. However, we can only filter the accepted hostname for connections to cloudsqlproxy~% and not to localhost, and this allows virtually any "cloudsqlproxy" host to connect with the right credentials.
Is this safe and correct to do, and better than using %... which would obviously bypass any sort of host filtering? Or, does this open any cloudsqlproxy's possible connection to our 2nd generation instance?
The goal is to restrict connections on a particular user account on the SQL instance to ONLY come from our App Engine project. Nothing else should be able to connect with these credentials.
Good question, you are right that using cloudsqlproxy-% is the strictest filtering you can apply for App Engine connections right now and unfortunately that means you cannot effectively say "allow connections from App Engine but not from Cloud SQL Proxy".
It's hard to come up with a solution that maintains the consistency between App Engine Standard and App Engine Flexible since App Engine Flex VMs live in the customer project. It could be somewhat confusing if the restriction only applied to App Engine Standard, but not App Engine flex.
You can somewhat limit the exposure by limiting who can use the Cloud SQL Proxy by limiting the Editors (and owners) of a project, as the account connecting using Cloud SQL Proxy must have Editor access or above. In the future, this will become more fine-grained with IAM support.
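The host filtering discussed in this question and answer, shown as an added SQL example that is not from the original thread. It assumes a MySQL-flavoured Cloud SQL Second Generation instance; the account name, database name and password are placeholders, and the weak account is shown only to contrast it with the restricted one.

```sql
-- Added example (not from the thread). Placeholders: appsvc, appdb, REPLACE_ME.

-- Weak: a wildcard host lets these credentials be used from anywhere that can
-- reach the instance (authorized networks, any Cloud SQL Proxy client, ...).
CREATE USER 'appsvc'@'%' IDENTIFIED BY 'REPLACE_ME';

-- Stricter: App Engine connections arrive through the built-in proxy and
-- present a host of the form cloudsqlproxy~<ip>, so the narrowest host pattern
-- available for them is the proxy prefix. Replace the wildcard account with it.
DROP USER 'appsvc'@'%';
CREATE USER 'appsvc'@'cloudsqlproxy~%' IDENTIFIED BY 'REPLACE_ME';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'appsvc'@'cloudsqlproxy~%';

-- Audit: list accounts that are still reachable from any host.
SELECT User, Host FROM mysql.user WHERE Host = '%';

-- Verify from a live App Engine request: USER() shows the host the server saw
-- (expected to start with cloudsqlproxy~), CURRENT_USER() the account matched.
SELECT USER(), CURRENT_USER();
```

As the answer notes, this still admits any Cloud SQL Proxy client holding the credentials, so pair it with restricting who holds Editor (or higher) on the project.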
I'm running into an issue in re-using my connection string (resolved here ... Cannot connect to Google Cloud SQL using SSL + Golang from Google App Engine ...) from connecting to a Google Cloud SQL generation one instance while trying to connect to a generation two instance. I'm receiving this error: TLS requested but server does not support TLS
I can't figure out how to get around this, and the documentation is pretty scarce.
I caught the fact that Instance connection name follows a different structure on generation two, but that doesn't seem like the issue. Has anyone solved this? I'm connecting from Golang.
MySQL level SSL is not currently supported between App Engine Standard Environment and Cloud SQL Second Generation instances.
Communication between App Engine Standard Environment and Cloud SQL is already encrypted so using MySQL level SSL does not add a lot of value, though I can understand that doing application level SSL can add some peace of mind since what happens between Cloud SQL and App Engine is opaque.
I'll try to see if this is something we can change.
Does anybody know if it is possible to connect an application from App Engine to a MySQL database hosted in Compute Engine?
I'm trying to do this with Python and I get this error:
Can't create TCP/IP socket (-1)
I'm using the SQLAlchemy ORM, which uses the following configuration:
create_engine('mysql+mysqldb://root@ip/database')
It works locally, but when I deploy the application to App Engine it doesn't work.
Thanks
Google App Engine, by default, runs code in a sandboxed environment, meaning that certain aspects of the Python runtime environment are restricted, or respond differently than they would otherwise. One of these aspects is outbound network connectivity—while GAE supports sockets, there are certain restrictions, and sockets are only available for paid apps.
The recommended options for storing information in a GAE app include the App Engine Datastore, Google Cloud SQL, and Google Cloud Storage. Google Cloud SQL is MySQL, and works with SQLAlchemy, so that's probably your best option.
If you absolutely need to run your own MySQL server (rather than using Google Cloud SQL) and connect to it from a GAE app, the other option is to use the managed VM environment, which permits unrestricted network access (since it's essentially a Google Compute Engine VM with the App Engine runtime on top).
I am unable to connect to Cloud SQL from Google App Engine. I am not sure what the problem is, but I came across a note from an instruction stating that this is a performance Cloud SQL in alpha stage and connections from Google App Engine are not accepted. Is this why I am unable to connect to Cloud SQL? Can anyone explain the note to me? The screenshot of the note is below.
Connecting from App Engine is not yet supported for Second Generation instances. You will need to create a First Generation instance if you must connect from App Engine.