Is there any gcloud command in GCP to list GCP SQL instance iam service-accounts. I am able to see in the GCP UI but I need cli command to print it the terminal. Could some one help me on this.
There is no such gcloud command to get only the service account of a sql instance, if you want to get the account of an specific instance you can run this in cloud shell or voa Cloud SDK gcloud sql instances describe instanceName | grep "serviceAccountEmailAddress" the output will be just then one of the service account.
Related
Is there a way to query some ENV variables from the terminal of the Compute VM itself for the service account used by that VM?
This is what I'm looking for but for the Service Account attached to the VM: https://cloud.google.com/shell/docs/how-cloud-shell-works#zone_selection
The details on the service accounts assigned to the Compute Engine instance are available from the Metadata Server. This information can be accessed using the CLI curl from inside the VM.
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts" -H "Metadata-Flavor: Google"
Note there is a similar post here but not fixing my issue:
I had wamp server which comes with mysql server, the path is there. I installed SDK, able to connect to it:
C:\Program Files (x86)\Google\Cloud SDK>gcloud beta sql connect welynxmysql --user=root
However in Cloud Shell, it throws out an error complaining below:
You need the [cloud_sql_proxy] component to use the sql connect
command. ERROR: (gcloud.beta.sql.connect) The cloud_sql_proxy
component(s) is unavailable through the packaging system you are
currently using. Please consider using a separate installation of the
Cloud SDK created through the default mechanism described at:
https://cloud.google.com/sdk/
What am I missing here? How can I connect to mysql instance/database in Cloud Shell?
Thank you very much.
What am I missing here? How can I connect to mysql instance/database in Cloud Shell?
If you are not able to connect to your Cloud SQL instance, you could try to either follow:
Quickstart for Cloud SQL for MySQL
Quickstart for using the proxy for local testing
You could also try to reset your Cloud Shell (note: this will delete all your files within Cloud Shell) as stated here:
Important: This will permanently delete all files in your home directory.
Then, you could try to do a fresh installation of the Google Cloud's SDK.
If none of those works for you, you could try to authorize your account again within the Cloud Shell as follows:
Before beginning, make sure that your Cloud Shell is using your project. If you are not sure you could also run this command to set your project:
gcloud config set project [PROJECT_ID]
Where PROJECT_ID is the project ID where the Cloud SQL instance is located. Then:
Go to your Cloud Shell and run this command (please notice the sudo at
the beginning):
sudo gcloud auth login
Click on the link displayed on the Cloud Shell and log in with your
Google account.
Copy the code displayed on your screen.
Switch to the Cloud Shell, paste it there and hit enter.
You can now run the command as follows:
gcloud beta sql connect [YOUR_INSTANCE_NAME]
or:
gcloud sql connect [YOUR_INSTANCE_NAME]
Where YOUR_INSTANCE_NAME is the name of your Cloud SQL instance.
I hope it helps.
I usually SSH into a Google Cloud Compute Engine Instance using my local terminal like:
ssh -i ~/.ssh/[KEY_FILENAME [USERNAME]#ip_address
where the [KEY_FILENAME] is generated using
ssh-keygen -t rsa -f ~/.ssh/[KEY_FILENAME] -C [USERNAME]
There is also another way to connect to the instance which is through the browser, however I would connect to the instance with a different user account. Is there a way that I can make it consistent regardless of the method I use to connect?
There are several ways to connect a Linux instance via the SSH. The way you are connecting to an instance is via the terminal. You can connect via the Cloud Console Web UI which is in general the most convenient way to connect to an instance. Also, you can use Google Cloud SDK and run below command to connect to an instance via SSH:
gcloud compute ssh [INSTANCE_NAME]
You can also use Cloud Shell to connect your instance from the Cloud Console web UI by using the same command as above. You can connect via the serial console using the Google Cloud Platform Console, the gcloud command-line tool, or a third-party SSH client. The serial console authenticates users with SSH keys. Specifically, you must add your public SSH key to the project or instance metadata, and store your private key on the local machine from which you want to connect. There are other advanced methods to connect to an instance which you can find at this link.
By default, the gcloud compute command-line tool uses the $USER variable to add users to the /etc/passwd file for connecting to virtual machine instances using SSH. You can specify a different user using the --ssh-key-file PRIVATE_KEY_FILE flag when running the gcloud compute ssh command. Depending on your use case and convenience, you can use any method consistently.
I would like to know whether it is possible to attached a service account created in my-project-a to a Google Compute Engine instance in say my-project-b?
The following command:
gcloud beta compute instances create my-instance \
--service-account=my-service-account#my-project-a.iam.gserviceaccount.com \
--scopes=https://www.googleapis.com/auth/cloud-platform \
--project=my-project-b
gives me the following error:
(gcloud.beta.compute.instances.create) Could not fetch resource:
- The user does not have access to service account 'my-service-account#my-project-a.iam.gserviceaccount.com'. User: 'me#mysite.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account. me#mysite.com is my account and I'm the owner of the org.
Not sure whether this is related, but looking at the UI (in my-project-b) there is no option to add a service account from any other projects. I was hoping to be able to add the account my-service-account#my-project-a.iam.gserviceaccount.com
You could follow these steps to authenticate a service account from my-project-a to an instance in my-project-b:
Create a service account in my-project-a with the proper role for compute engine
Download the JSON file.
Copy the my-project-a new service account email
On my-project-b, add a team member by using the copied email from the previous step
Connect via SSH to your instance in my-project-b
Copy the JSON file from the step 2 on your my-project-b instance
Run the following command to activate the service account:
gcloud auth activate-service-account --key-file=YOUR_JSON_FILE
Verify by using the following command:
gcloud auth list
MacBook-Air-2:~ Owner$ gcloud sql instances describe ahaha-mysql
ERROR: (gcloud.sql.instances.describe) There was no instance found at projects/ahaha-20180621/instances/ahaha-mysql or you are not authorized to access it.
You will need to enable permission for the compute instance to access the cloud sql
Stop the instance
Edit the instance and change the Cloud API access scopes
Enable Cloud SQL
Restart the instance
run gcloud auth login and authenticate as yourself by following the link (you might need to fix it in a text editor) and entering the verification code.
run gcloud sql instances describe ahaha-mysql this should now work