无法从其他项目中的Firebase云功能访问云SQL [英] Cannot access cloud SQL from firebase cloud functions in a different project

问题描述

我有两个GCP项目(其中一个是firebase项目)，我正在尝试从另一个项目的firebase云功能访问一个项目上的云SQL实例.

I have two GCP projects(one of them is a firebase project), and I am trying access a cloud SQL instance on one project from the other project's firebase cloud functions.

我已按照此处的说明进行操作: https://cloud.google.com/sql/docs/mysql/connect-功能

I have followed the instructions here: https://cloud.google.com/sql/docs/mysql/connect-functions

在此说明中，

在两个不同项目中连接资源时，请确保这两个项目都启用了正确的IAM角色，并赋予了服务帐户的正确权限.

When connecting resources in two different projects, make sure that both projects have enabled the correct IAM roles and have given the service account the correct permissions.

我不确定我是否正确地执行了这一部分.我要做的是从我的云功能项目中复制服务帐户电子邮件地址，如下所示:"service-YOUR_PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com"，然后将其复制到我的其他GCP项目的IAM页面中，它是CloudSQL客户端角色.

and I am not entirely sure if I'm doing this part correct. What I did was to copy the service account email address from my cloud function project that looks like this: "service-YOUR_PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com" and copied that into my other GCP project's IAM page and gave it a CloudSQL Client role.

这是我用来访问数据库的代码:

This is the code that I am using to access the database:

import * as functions from "firebase-functions";
import * as mysql from "mysql";

export const sql = functions
  .https.onRequest((request, response) => {
    return new Promise<any>(async (resolve, reject) => {
      const query = "select * from my_table limit 1;";
      const pool: mysql.Pool = mysql.createPool({
        socketPath: functions.config().cloud_sql.socket_path,
        user: functions.config().cloud_sql.user,
        password: functions.config().cloud_sql.password,
        database: functions.config().cloud_sql.database,
        connectionLimit: 5,
        timezone: "+0900"
      });

      pool.query(query, [], (err: mysql.MysqlError | null, results: any) => {
        if (err) {
          console.log(err);
          reject(err);
        } else {
          resolve(results);
        }
      });
    });
  });

访问此功能时，在控制台中出现此错误:

When I access this function, I get this error in the console:

错误:连接ECONNREFUSED

Error: connect ECONNREFUSED

我可能会缺少什么?任何帮助是极大的赞赏.

What could I be missing? Any help is greatly appreciated.

推荐答案

我在发布此问题后不久就解决了这个问题.

I just solved it shortly after I post this question lol.

我给错误的服务帐户提供了IAM角色.而不是将Cloud SQL Client角色添加到"service-YOUR_PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com"，官方文档中所述的帐户( https://cloud.google.com/sql/docs/mysql/connect-functions )，则需要将Cloud SQL Client角色添加到App Engine默认服务帐户，该帐户的结尾应为< YOUR_PROJECT_ID> @ appspot.gserviceaccount.com"

I was giving wrong service account the IAM role. Instead of adding Cloud SQL Client role to "service-YOUR_PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com" account like it says in the official documentation(https://cloud.google.com/sql/docs/mysql/connect-functions), you need to add Cloud SQL Client role to App Engine default service account, which ends with something like this "<YOUR_PROJECT_ID>@appspot.gserviceaccount.com"

这篇关于无法从其他项目中的Firebase云功能访问云SQL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！