Google Cloud SQL proxy couldn't find default credentials


I'm trying to run Google Cloud SQL proxy locally like this:

$ ./cloud_sql_proxy -instances=project-name:region-name:instance-id=tcp:3306

But it's returning

google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.

My Google Cloud SDK is already installed and logged in to Google.

How do I fix this?

4

There are 4 answers

0
NBajanca On BEST ANSWER

Two issues may be causing your problem.

To find out which one, log in using:

gcloud auth login

1. You don't have application default credentials

If you have a recent version of gcloud you will get:

WARNING: `gcloud auth login` no longer writes application default credentials.

To make your local application use your credentials you need to do (ref):

gcloud auth application-default login

If you don't see this warning consider updating gcloud, with:

gcloud components update

2. You haven't defined your project

After login, you should see:

Your current project is [project-id].

Once again two solutions:

a. Associate a project

If you are not seeing this, do (ref):

gcloud config set project PROJECT_ID

b. Use global --project flag in the call

In your command associate a project:

.\cloud_sql_proxy -instances=project-id:region-name:instance-id=tcp:3306 --project=project-id
3
cherba On

Google application default credentials are managed separately from gcloud credentials.

Use

gcloud auth application-default login

instead to set up your user credentials as application default. See reference for more info.

Previously gcloud auth login did this, but with more recent Cloud SDK versions this is no longer the case.

Note that switching gcloud configuration or setting account will not update application default credentials. Only commands in gcloud auth application-default can be used to manage these.

Also, to use a service account as the application default credential, you can use it directly by downloading its JSON key from the developer console.

0
Tiago Medici On

In this scenario using cloud_sql_proxy, the approach is to use GCP-GSA (service accounts). Download the Cloud SQL proxy:

wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy

chmod +x cloud_sql_proxy

Create a proxy user:

gcloud iam service-accounts create proxy-user --display-name "proxy-user"

gcloud iam service-accounts list

[SERVICE_ACCOUNT_EMAIL] is the email on the SQL instance details.

gcloud projects add-iam-policy-binding [PROJECT_ID] --member \
serviceAccount:[SERVICE_ACCOUNT_EMAIL] --role roles/cloudsql.client

gcloud iam service-accounts keys create key.json --iam-account [SERVICE_ACCOUNT_EMAIL]


gcloud sql instances describe [INSTANCE_ID] | grep connectionName

CREATE A KEY JSON FILE FOR THE KUBE ENGINE

./cloud_sql_proxy -instances=[INSTANCE_CONNECTION_NAME]=tcp:3306 -credential_file=key.json &


kubectl create secret generic cloudsql-instance-credentials --from-file=credentials.json=key.json

Your deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: <DEPLOYMENT-NAME>
spec:
  selector:
    matchLabels:
      app: <APPLICATION-NAME>
  template:
    metadata:
      labels:
        app: <APPLICATION-NAME>
    spec:
      serviceAccountName: <KSA-NAME>
      containers:
      - name: cloud-sql-proxy
        image: gcr.io/cloudsql-docker/gce-proxy:1.17
        command:
          - "/cloud_sql_proxy"
          - "-instances=<INSTANCE_CONNECTION_NAME>=tcp:<DB_PORT>"
        securityContext:
          runAsNonRoot: true
0
Clement On

If you're in a CI/CD environment without access to a browser, or if you simply want to automate the process:

Instead of running gcloud auth application-default login, you need to expose the location of your service account JSON file using the variable $GOOGLE_APPLICATION_CREDENTIALS.

e.g. echo "export GOOGLE_APPLICATION_CREDENTIALS=${TF_VAR_gcp_service_account_file_loc}" >> $BASH_ENV (if you need to move env vars between steps/jobs). $BASH_ENV is a special property exposed by CircleCI; if you use a different CI/CD tool, you will need to find the location of the bash profile.

or simply export GOOGLE_APPLICATION_CREDENTIALS=[path-to-service-account-json-file] for use within the same step
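
To check which of the credential sources discussed in the answers above is actually in effect before starting the proxy, here is an added diagnostic script (not part of any answer on this page and not Google's code). The function names are hypothetical, and it assumes Linux/macOS, where gcloud writes its application default credentials under $HOME/.config/gcloud.

```sh
#!/bin/sh
# Added example: report which Application Default Credentials (ADC) source a
# Go client such as cloud_sql_proxy would find. Prints no secret material.
# Assumes Linux/macOS, where gcloud writes the well-known file under $HOME.

# Print the "type" field of a credentials file (service_account / authorized_user).
adc_type() {
    sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Echo "<source>:<path>" for the first ADC source present, or "none".
# The env var wins; if it is set but the file is unreadable, lookup fails
# instead of falling back. The GCE/GKE metadata server is not checked here.
adc_source() {
    if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
        if [ -r "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
            echo "env:$GOOGLE_APPLICATION_CREDENTIALS"
        else
            echo "env-unreadable:$GOOGLE_APPLICATION_CREDENTIALS"
        fi
        return 0
    fi
    well_known="$HOME/.config/gcloud/application_default_credentials.json"
    if [ -r "$well_known" ]; then echo "well-known:$well_known"; else echo "none"; fi
}

# True when neither group nor others can read the file.
key_is_private() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# Human-readable summary; returns non-zero when no usable ADC source exists.
adc_report() {
    src=$(adc_source)
    case "$src" in
        none)
            echo "no ADC: run 'gcloud auth application-default login' or set GOOGLE_APPLICATION_CREDENTIALS"
            return 1 ;;
        env-unreadable:*)
            echo "GOOGLE_APPLICATION_CREDENTIALS is set but unreadable: ${src#*:}"
            return 1 ;;
    esac
    path=${src#*:}
    echo "source=${src%%:*} type=$(adc_type "$path") path=$path"
    key_is_private "$path" || echo "warning: $path is group/world readable; chmod 600 it"
}

adc_report || true
```

A result of `type=authorized_user` means the proxy runs with your own user identity, while `type=service_account` means it runs with a downloaded key, which should be kept private and scoped to roles/cloudsql.client as in the answer above.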