Cloud Run: Connecting to Cloud SQL instances - mysql

I am unable to connect to a Cloud SQL instance when running an image on Cloud Run. Is this feature working yet?
I have successfully connected to the same SQL instance with Compute Engine.
Tried to connect to the Cloud SQL instance using a simple shell command:
mysql --host=$MYSQL_IP --user=$MYSQL_ROOT --password=$MYSQL_PASS -e "SHOW DATABASES"
Result is logged as such:
ERROR 2003 (HY000): Can't connect to MySQL server on '.*..'
(110)

This question was asked several months before Cloud Run reached GA (General Availability).
Cloud Run (fully-managed) now supports connecting to Cloud SQL instances (both MySQL and PostgreSQL) using the public IP address of the database.
gcloud run services update run-mysql \
--add-cloudsql-instances [INSTANCE_CONNECTION_NAME] \
--set-env-vars CLOUD_SQL_CONNECTION_NAME=[INSTANCE_CONNECTION_NAME],\
DB_NAME=[MY_DB],DB_USER=[MY_DB_USER],DB_PASS=[MY_DB_PASS]
...where INSTANCE_CONNECTION_NAME is of the form PROJECT_ID:REGION:INSTANCE_ID (as returned by gcloud sql instances describe <INSTANCE-ID> | grep connectionName or available in the Overview section of the Cloud SQL instance in Cloud Console).
Note that the service account used by Cloud Run to authorize your connections to Cloud SQL must have the correct IAM permissions which is will require some configuration if the DB instance and the Cloud Run services are not part of the same project.
The above takes care of connectivity between Cloud Run and Cloud SQL.
Having your application actually talk to the Cloud SQL instance requires connecting from your Cloud Run service using the Unix domain socket located at /cloudsql/INSTANCE_CONNECTION_NAME (these connections are automatically encrypted btw).
Different languages and different database drivers will use different ways to connect to the Cloud SQL instance. This link has more details.
See also How to securely connect to Cloud SQL from Cloud Run?

Related

Google Cloud - Cant connect to MySQL cloud sql instance from GKE using internal IP

I am trying to migrate to use private IP:s for all our Cloud SQL instances. I have gotten it working for postgres, and am now trying to get access for our wordpress instances using MySQL.
The problem is I cant get the connection working from the running pods in our GKE cluster.
root#******:/var/www/app# mysql --host=10.**.**.* -u *_se -p
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on '10.*.*.*' (110 "Connection timed out")
I have activated the private IP on the Cloud SQL instance, and added a private service connection to the VPC-network that is the same network that our cluster uses, but still cant connect in the same way as I did with postgres.
Does anyone know anything I could try to get this working?
There are specific network requirements Cloud SQL instances must
adhere to when communicating via a private connection. One of which
is that your Cloud SQL and GKE instances are located in the same
region and VPC network. Check this to configure private IP for MySQL.
The GKE cluster must be VPC-native and peered with the same VPC
network as the Cloud SQL instance. To connect MySQL from GKE, refer
to this Google documentation.
Note: If you are using shared VPC networks, you cannot assign a
private IP address in a shared VPC network to an existing Cloud SQL
instance. Also, VPC Network Peering uses private services access.
However, you do not create the VPC Network Peering explicitly, because
the peering is internal to Google Cloud.
Some possible causes of mentioned error are as follows:
Network failure especially if MySQL database server is running on a remote host.
No MYSQL server is running on the mentioned host.
Firewall blocking TCP-IP connection or other related reasons.
I would suggest you check the firewall setting and check if your MySQL server is listening on default port 3306. Also try to connect MySQL server on IP for which MySQL server is bound in 'my.cnf’. If it not so, run the following command to bind address if you are using Ubuntu:
1. Run the command vim /etc/mysql/my.cnf or vim /etc/mysql/mysqld.conf/mysqld.cnf
2. Comment bind-address = <Server IP> using the # symbol
3. Restart your MYSQL server once.

failure to connect to Google SQL First gen (and Second gen?)

I am receiving an error when trying to load up my webpage
Failed to connect to MySQL: (2005) Unknown MySQL server host ':/cloudsql/testsite:europe-west1:testdatabase' (2)Error:
I have a Google Compute Engine VM set up with a LAMP stack (Apache/2.4.10 (Debian)/ Database client version: libmysql - 5.5.55 / PHP extension: mysqli)
I also have set up an instance on Google SQL with user credentials for aforementioned VM (i have set up both First Gen and Second Gen)
I can access both a local MySQL database on the VM as well as the Google SQL databases via phpAdmin installed locally
HOWEVER i appear to have an issue with the DB_HOST credentials in my config.php file when i run the script
path = /var/www/html/includes/config.php
I get
usually for local MYSQL databases i use
// The MySQL credentials
$CONF['host'] = 'localhost';
$CONF['user'] = 'YOURDBUSER';
$CONF['pass'] = 'YOURDBPASS';
$CONF['name'] = 'YOURDBNAME';
Documentation (and github links) recommend path
:/cloudsql/project-id:region:sql-db-instance-name
which is what i have done (see above) - but i keep getting the error message.
Am i typing the host description incorrectly? Or have i missed a configuration step?
Thanks in advance
It seems as if i have erred and that the credentials format i stated earlier are for Google App Engine
If you are on Google Compute Engine, you have two options:
Connect to the public IP address of your Cloud SQL instance. This requires you whitelist your GCE instance on the ACL for the Cloud SQL instance.
Use the Cloud SQL proxy. This is a extra daemon you run on your GCE instance that allows you to connect via TCP on localhost or a socket.

Connecting Google Cloud Compute to Google Cloud SQL ERROR 2013 (HY000)

When trying to connect to mysql using the docker cloud proxy like so:
mysql -u <USERNAME> -p -S /cloudsql/<YOUR-PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>
I received this error
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 95
According to the documentation, this is how I'm suppose to setup the proxy
docker run -d -v /cloudsql:/cloudsql \
-v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt \
b.gcr.io/cloudsql-docker/gce-proxy /cloud_sql_proxy -dir=/cloudsql \
-instances=<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>
Here is the documentation for setting it up.
For those who may ask this question, I did set up these params properly
<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>
The output from the proxy:
2016/03/20 19:49:15 listenInstance: "<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>"
2016/03/20 19:49:15 Remove("/cloudsql/<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>") error: remove /cloudsql/<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>: no such file or directory
2016/03/20 19:49:15 Open socket for "<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>" at "/cloudsql/<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>"
2016/03/20 19:49:15 Socket prefix: /cloudsql
2016/03/20 19:51:29 Got a connection for "<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>"
2016/03/20 19:51:30 couldn't connect to "<PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>": googleapi: Error 403: Insufficient Permission, insufficientPermissions
And so I looked at my compute instance and my Api access scopes for cloud sql is disabled and I had checked the prerequisites before and they say that if I'm creating my cloud sql and compute instances in the same project then I my compute should have editor permissions. Either way, I can't figure out how to give my compute instance editor privileges for my cloud sql instance.
Please let me know how I can give my compute instance editor privileges for cloud sql.
insufficientPermissions indicates that the Compute Engine VM is using the default Compute Engine service account and the Cloud SQL Admin scope was not enabled when the VM was created. In the first step of the guide, you are asked to verify whether the right scopes are present.
There are two options to fix this:
Option a) Create a new VM with the Cloud SQL Admin scope enabled.
When creating a new VM, select Set access for each API in the Identity and API access and switch Cloud SQL to Enabled.
If you are using Instance Templates, make the change described above on the instance template and use it to create the new instance(s).
Alternatively, you may select Allow full access to all Cloud APIs but be aware that this will allow any application on the VM to access any of the Cloud APIs using the service account credentials, which has editor privileges on the project by default.
Option b) Use credentials for a different service account
If creating a new VM is not an option, you can create a new service account, download the credentials file to the VM and use the -credential_file parameter to make the proxy use it. The new service account must be granted at least editor access to the project.
There's an open issue to provide a better error message:
https://github.com/GoogleCloudPlatform/cloudsql-proxy/issues/6

How to connect Google Cloud SQL by SSL with database url?

Now I want to deploy a rails app to Google Container Engine. And use Google Cloud SQL as database.
When I tried to connect Google Cloud SQL from Google Container Engine, I got this error:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 0
Here is a document to solve that, but there is no information about Google Container Engine:
https://cloud.google.com/sql/docs/diagnose-issues#connection
The Google Cloud SQL access SSL connect for dynamically assigned IP addresses:
https://cloud.google.com/sql/docs/access-control#dynamicIP
So I need to create a client certificate for mysql instance:
https://cloud.google.com/sql/docs/configure-ssl-instance
Then connect it this way:
shell> mysql --ssl-ca=server-ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem \
--host=instance-IP --user=user-name --password
https://cloud.google.com/sql/docs/mysql-client#connect
But I want to connect Google Cloud SQL by mysql database url from my program on Google Container Engine:
mysql2://myapp:password#1.2.3.4/myapp?checkout_timeout=20000
How to attach --ssl-ca, --ssl-cert, --ssl-key with this method?
Google Cloud SQL is no different from any other MySQL server in this regard. You append the SSL information as parameters to the query section of the URL. In your example it would be:
mysql2://myapp:password#1.2.3.4/myapp?checkout_timeout=20000&sslca=server-ca.pem&sslcert=client-cert.pem&sslkey=client-key.pem

Unable to connect to Google Cloud SQL instance using a client mysql CL tool

I am having trouble making the initial connection to my freshly created cloud sql instance.
I followed the steps outlined here: https://developers.google.com/cloud-sql/, which includes getting an IP, whitelisting my IP, and setting a root password.
However, when I try to connect using the mySQL command line tool, I get this error message:
mysql --host=xxx.xxx.xx.xxx --user=root --password
ERROR 2003 (HY000): Can't connect to MySQL server on 'xxx.xxx.xx.xxx' (10060)
I have a feeling that struggling at such a basic step implies my issue is specific only to me (calling for google cloud sql support folks).
I had the same issue, after a few minutes I got it going..
Make your GCE service has cloud SQL enabled (during instantiation)
Have a static ip for your GCE instance (you can use cloud console even while instance is running), and configure cloud SQL to accept this ip
set a root password for the cloud SQL
then your command is
mysql --host= --user=root --password=
My issue turned out to be related to the ISP (comcast) blocking outbound requests on port 3306. After setting up port forwarding, I'm able to connect directly from my pc to cloud sql WITHOUT using a GCE instance.
If others encounter this issue, I would recommend checking whether the port 3306 is available first (firebind, portquiz, etc).