Getting strange googleapi Err 400 message connecting to postgresql CloudSQL instance

googleapi: error 403: the client is not authorized to make this request., notauthorized
cloud sql proxy
error: (gcloud sql connect httperror 400: the incoming request contained invalid data)
python connect to cloud sql
cloud sql proxy access denied
cloud sql proxy postgres
failed to create ephemeral certificate for the cloud sql instance
the cloud sql instance does not exist

I´m getting a strange Err 400 missing project parameter when trying to connect to a CloudSQL instance using the cloud_sql_proxy mechanism

I have a GCE project with a working CloudSQL postgres database, my apps on the compute api can use it and I can do regular psql from any of the VM I have configured inside my GCE project.

However, when I try to connect to the database from my laptop using the cloud_sql_proxy I get this strange error.

I´m following to the letter this documentation: https://cloud.google.com/sql/docs/postgres/connect-admin-proxy#install

So, following that documentation I have:

  1. CloudSQL enabled and working as I commented
  2. Proxy Installed
  3. I have a service account created as the documentation say with Cloud SQL Admin role as follows:
{
  "type": "service_account",
  "project_id": "my-proyect-21432",
  "private_key_id": "<hidden intentionally>",
  "private_key": "<hidden intentionally>",
  "client_email": "cloudsql-serviceaccount@my-proyect-21432.iam.gserviceaccount.com",
  "client_id": "<hidden intentionally>",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cloudsql-serviceaccount@my-proyect-21432.iam.gserviceaccount.com"
}
  1. I started the cloud_sql_proxy successfully as follows:
user@hostname:~$ ./cloud_sql_proxy -instances=db1=tcp:15432 -credential_file=my-proyect-21432.json
2019/05/29 10:17:25 Rlimits for file descriptors set to {&{8500 65536}}
2019/05/29 10:17:25 using credential file for authentication; email=cloudsql-serviceaccount@my-proyect-21432.iam.gserviceaccount.com
2019/05/29 10:17:25 Listening on 127.0.0.1:15432 for db1
2019/05/29 10:17:25 Ready for new connections
  1. And finally I launch the psql client as follows:
psql "host=127.0.0.1 port=15432 sslmode=disable dbname=db1 user=dbuser"

I see on the cloud_sql_proxy the following error:

2019/05/29 10:17:33 New connection for "db1"
2019/05/29 10:17:34 couldn't connect to "db1": googleapi: Error 400: Missing parameter: project., required

And on the client side I'm getting:

psql: server closed the connection unexpectedly
        This probably means the server terminated abnormally
        before or while processing the request.

At this point I should get my psql client connected successfully and I can´t find anything about this error online or in the google's documentation

I have no clue where I need to set a project parameter, I tried crazy places like on the psql side with -v or using the url with ? at the end with no luck, I also tried on the cloud_sql_proxy side using the -projects flag, also with no luck.


EDIT: New findings!!!

I think I'm close to solve this, the first setup I did (as commented above) was on my windows pc that I use at home, today I'm at the office and I decided to replicate all of that using macos, I don't think that the OS matter at all, the interesting thing is that I replicated all and founded a small thing that make me to move forward

So, I started again and execute points 1., 2., 3., 4. and wait? the documentation states that the instances string is as follows: myproject:us-central1:myinstance NOT what I originally wrote, so I changed that and start having a more reasonable error:

I started cloud_sql_proxy make the connection with psql and got this:

user@hostname:~$ ./cloud_sql_proxy -instances=my-proyect-21432:us-east1:db1=tcp:15432 -credential_file=my-proyect-21432.json
2019/05/30 14:13:25 Rlimits for file descriptors set to {&{8500 65536}}
2019/05/30 14:13:25 using credential file for authentication; email=cloudsql-serviceaccount@my-proyect-21432.iam.gserviceaccount.com
2019/05/30 14:13:25 Listening on 127.0.0.1:15432 for db1
2019/05/30 14:13:25 Ready for new connections

<< when I run psql>>

2019/05/30 14:14:08 New connection for "my-proyect-21432:us-east1:db1"
2019/05/30 14:15:24 couldn't connect to "my-proyect-21432:us-east1:db1": dial tcp 10.26.112.3:3307: connect: operation timed out

My db1 instance has only the private IP 10.26.112.3

I started to look for that error around the internet and found a sugestion to allow incoming traffic to 3307 port:

Cannot Connect by Cloud SQL Proxy from Cloud Shell By Proxy https://github.com/GoogleCloudPlatform/cloudsql-proxy/issues/164

So I added the following rule:

allow-cloudsqlproxy | Ingress | Apply to all | IP Ranges 0.0.0.0/0 | tcp,udp 3307 | allow | default | 1000

But that didn't make any difference because after that I'm still getting the same error message :(


EDIT: from a VM on the same project

I created a VM on that project and replicate all this, I was able to connect, no connection refused on port 3307 message.

I have no idea who is blocking that traffic...

Thank you for keeping us updated with your findings. I encountered the same problem. I just solved it—your first edit tipped me off.

While following the google CloudSQL documentation process for connecting to CloudSQL from an external application, I started the proxy like this:

`./cloud_sql_proxy -instances=<instance_name>=tcp:5433`

It didn't let me connect. I was receiving this error

`couldn't connect to "xxxxxxx": googleapi: Error 400: Missing parameter: project., required`

After reading your edit I modified the command to use the entire instance name as stated on the instance details page, and it worked. This is the new command that got it working.

`./cloud_sql_proxy -instances=myproject:us-central1:instancename=tcp:5433`

I hope this saves someone a few hours.

Getting strange googleapi Err 400 message connecting to , Getting strange googleapi Err 400 message connecting to postgresql when trying to connect to a CloudSQL instance using the cloud_sql_proxy mechanism. I have a GCE project with a working CloudSQL postgres database, my apps on from my laptop using the cloud_sql_proxy I get this strange error. 3 Getting strange googleapi Err 400 message connecting to postgresql CloudSQL instance Jun 22 '19 2 Sequelize Join on Non Primary Key Feb 16 2 Subdomain Integration Testing With Nodejs and Supertest Dec 31 '18

Actually cloudsql-proxy does work when your Cloud SQL instance has only an internal IP address. In this scenario you use private services access to establish the connection between the cloudsql-proxy and the Cloud SQL instance. It is also recommended to execute the proxy using the option --ip_address_types=PRIVATE to force it to use the internal IP instead the public when connecting to the Cloud SQL instance.

Look here and here for more details.

I hope this helps.

GoogleCloudPlatform/cloudsql-proxy, I'm getting an odd failure from following these instructions: Error during createEphemeral for project:region:cloudsql-instance: googleapi: Error Some clarification: 'Cloud SQL Client' is the right role to use for Proxy access. @ Laixer @Carrotman42 Cloud SQL Client still gives us the same error message as of today. If you are connecting to a PostgreSQL instance, your App Engine application does not need to be in the same region. However, a larger distance between your Cloud SQL instance and your App Engine application causes greater latency for connections to the database.

Ok, apparently the cloud_sql_proxy does not work if your db instance only has a private ip address, I had to add a public one so the proxy server had access to my instance.

I understand certain limitations but if Google provides a cloud_sql_proxy it should support all customer cases, I mean, I´m using the default network, that network is managed by google, the network should allow somehow the Proxy Server to reach my db instances.. I don't know ...

The second I added the public IP the second it started working ... but I honestly don't want a public IP on my db instances.

Diagnosing issues with Cloud SQL instances, Contact Sales Get started for free If you see errors containing " Aborted connection nnnn to db: ", it usually indicates that your gcloud compute networks peerings update cloudsql-[mysql/postgres]-googleapis-com --network= NETWORK You see the error message ERROR: (gcloud.sql.instances.delete) HTTP Error 409:� Teams. Q&A for Work. Stack Overflow for Teams is a private, secure spot for you and your coworkers to find and share information.

However trivial it may sound, for me an update from gcr.io/cloudsql-docker/gce-proxy:1.05 to gcr.io/cloudsql-docker/gce-proxy:latest* of the CloudSQL proxy image in Kubernetes deployment file resolved the problem.

Bearing in mind the final comments of the question author, I believe it may be a bug of CloudSQL that requires you to trigger something that will completely restart its instance. This is just speculation though.


* I tried this on version 1.16. If you are unsure about the stability of futures releases, you can specify the version instead of the latest tag.

Cloud SQL for PostgreSQL error messages, Your see the error message HTTP Error 400 Bad Request . You see the error message ERROR: (gcloud.sql.instances.delete) HTTP Error 409: The instance or � The new DB instance appears in the list of DB instances on the RDS console. The DB instance will have a status of creating until the DB instance is created and ready for use. When the state changes to available, you can connect to a database on the DB instance. Feel free to move on to the next step as you wait for the DB instance to become

Google Cloud SQL Incident #18002, There is a message in the console: We are experiencing an issue with Cloud SQL v1 instance availability in There is an error log but in the log is not clear if it is caused by this issue: HttpError accessing <https://servicecontrol. googleapis.com/v1/ Can I do something to get it working? This is strange. If you are having trouble connecting using an IP address, for example, you are connecting from your on-premises environment with the mysql client, then make sure that the IP address you are connecting from is authorized to connect to the Cloud SQL instance.

Hands On Google Cloud SQL and Cloud Spanner, Getting Started with Cloud SQL . Connect to the Spanner Instance . Cloud SQL is Google's fully managed relational database service with two choices of database engine—MySQL and PostgreSQL. • Cloud Spanner is Ensure to verify you don't see any warnings or error messages before proceeding. To connect to a PostgreSQL DB instance using pgAdmin. Find the endpoint (DNS name) and port number for your DB Instance. Open the RDS console and then choose Databases to display a list of your DB instances. Choose the PostgreSQL DB instance name to display its details. On the Connectivity & security tab, copy the endpoint. Also, note the port

Google: google_sql_database_instance, Creates a new SQL database instance in Google Cloud SQL. To upgrade your First-generation instance, update your Terraform config that the instance has be an apply-time error for instances if the provider region is not supported with Cloud SQL. Required for MS SQL Server, ignored by MySQL and PostgreSQL. Most common SQL features used by web applications, for instance, do not rely on any inter-transaction stateful functionality, but very occasionally a client will use a WITH HOLD cursor, set a global configuration setting, utilize pg_advisory_lock, use dblink, or some other feature that requires session state to be retained to get sensible behavior.

Comments
  • Thank you for for this! For passers by here's a link to the docs cloud.google.com/sql/docs/mysql/sql-proxy#tips
  • The first link says, "To connect to a Cloud SQL instance using private IP, the proxy must be on a resource with access to the same VPC network as the instance." So I guess this means it's impossible to use the proxy to connect to a database instance that has only a private IP from your local machine?
  • I just tried it from another server I have access to (a VPS running on Linode), where I temporarily disabled the firewall. Same issue that I had locally.