如何使用服务帐户连接到Cloud SQL实例? [英] How do I connect to a Cloud SQL instance using a service account?
问题描述
这似乎是一个已经回答过的问题,但是我没有其他任何答案,所以我要提出一个新问题.
This seems like a question that's been answered before, but I've no luck with any other answers, so I'm opening a new question.
我正在使用python脚本并创建/配置数据库,并使用cloud_sql_proxy连接到该数据库.如果我不提供cloud_sql_proxy的服务帐户凭据,则该脚本可以很好地运行,但是如果我提供了该脚本,则会得到以下提示:
I'm using a python script and create/configure a database and connect to it using the cloud_sql_proxy. The script runs beautifully if I don't provide a service account credential for cloud_sql_proxy, but if I do then I get this:
2017/08/18 15:34:12 using credential file for authentication; email=test-acc@project.iam.gserviceaccount.com
2017/08/18 15:34:12 Listening on 127.0.0.1:3306 for project:zone:instance
2017/08/18 15:34:12 Ready for new connections
2017/08/18 15:34:12 New connection for "project:zone:instance"
2017/08/18 15:34:13 couldn't connect to "project:zone:instance":
ensure that the account has access to "project:zone:instance"
(and make sure there's no typo in that name).
Error during createEphemeral for project:zone:instance:
googleapi: Error 403: The client is not authorized to make this request., notAuthorized
这不是INSTANCE_CONNECTION_NAME的问题,因为当我在没有服务帐户的情况下进行身份验证时,它可以很好地工作:
It's not an INSTANCE_CONNECTION_NAME issue because it works fine when I authenticate without a service account:
2017/08/18 15:38:32 Listening on 127.0.0.1:3306 for project:zone:instance
2017/08/18 15:38:32 Ready for new connections
2017/08/18 15:38:32 New connection for "project:zone:instance"
Connection established.
我尝试了许多不同类型的服务帐户角色:SQLclient + SQLAdmin,SQLclient + SQLAdmin + ProjectEditor等.
I've tried many different kinds of service account roles: SQLclient + SQLAdmin, SQLclient + SQLAdmin + ProjectEditor, etc etc.
有什么想法吗?我很困惑.
Any ideas? I'm stumped.
推荐答案
我发现了问题.我最初没有此项目的IAM管理员权限.在这里获得管理员权限后,我便可以将服务帐户添加到IAM页面.这解决了这个问题,尽管我仍然收到一个有趣的400错误,抱怨我的JWT签名无效.
I found the problem. I originally didn't have admin access to IAM for this project. After getting admin privileges here, I was able to add the service account to the IAM page. This solved this issue, though I'm still getting an interesting 400 Error complaining that my JWT Signature is invalid.
更新:
我发现我的凭证文件密码是我为同一服务帐户创建的第二个凭证文件(您可以为一个服务帐户创建多个密钥).更新密钥以使用正确的密钥后,我便能够进行部署.
I found that my credential file secret was a second credential file that I made for the same service account (You can make more than one key for a service account). After updating the secret to use the right key I was able to get my deployment to work.
这篇关于如何使用服务帐户连接到Cloud SQL实例?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
