I am following this tutorial: Connect to Cloud SQL for MySQL from Google Kubernetes Engine. I have created a cluster. I have created a Docker image in the repository. I have created a database. I am able to run my application outside of Kubernetes and it connects to the database. But after deploying the application, the pods are not in a valid state and I see this error in the pod logs:
Caused by: java.lang.RuntimeException: [quizdev:us-central1:my-instance] Failed to update metadata for Cloud SQL instance.
...[na:na]
Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/quizdev/instances/my-instance/connectSettings
{
  "code": 403,
  "details": [
    {
      "@type": "type.googleapis.com/google.rpc.ErrorInfo",
      "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
      "domain": "googleapis.com",
      "metadata": {
        "service": "sqladmin.googleapis.com",
        "method": "google.cloud.sql.v1beta4.SqlConnectService.GetConnectSettings"
      }
    }
  ],
  "errors": [
    {
      "domain": "global",
      "message": "Insufficient Permission",
      "reason": "insufficientPermissions"
    }
  ],
  "message": "Request had insufficient authentication scopes.",
  "status": "PERMISSION_DENIED"
}
at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:146) ~[google-api-client-2.2.0.jar:2.2.0]
...
2023-06-14T06:57:49.508Z WARN 1 --- [ main] o.h.e.j.e.i.JdbcEnvironmentInitiator : HHH000342: Could not obtain connection to query metadata
What could be the issue? What can I check to diagnose the problem?
I have created the cluster using this command:
gcloud container clusters create questy-java-cluster \
--num-nodes 2 \
--machine-type n1-standard-1 \
--zone us-central1-c
I'm pretty sure that you created the cluster with the default settings. If you did that, you used the Compute Engine default parameters that you can see here:
Default service account and access scope. If you did that, it's normal that you have no access: the minimal scopes do not allow Cloud SQL access.
To solve that, you have to either select a user-managed service account (the best solution) or keep using the default service account but allow full-scope access.
Two solutions to enforce that:
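As an added example (not part of the question or the answer above), the following shell snippet shows the check a practitioner would run to confirm this diagnosis and the two cluster-creation variants the answer names. The scope URIs are the real Google OAuth scope names; the sample scope list is constructed to match the Compute Engine/GKE default set; the `metadata_scopes` function only works from a GKE node or pod that can reach the metadata server; and the service-account name `cloudsql-gke-nodes@quizdev.iam.gserviceaccount.com` is an assumed placeholder.

```shell
#!/bin/sh
# Added example: decide whether an access token's scopes can reach the Cloud SQL
# Admin API (sqladmin.googleapis.com), which the Cloud SQL connector calls to
# fetch connectSettings, and print the cluster-creation commands that fix it.

# Either of these scopes lets the token call sqladmin.googleapis.com.
CLOUD_PLATFORM_SCOPE="https://www.googleapis.com/auth/cloud-platform"
SQLSERVICE_ADMIN_SCOPE="https://www.googleapis.com/auth/sqlservice.admin"

# Constructed sample: the default access scopes a GKE node gets when the
# cluster is created without --scopes (neither Cloud SQL scope is present).
DEFAULT_GKE_SCOPES="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/trace.append"

# has_cloudsql_scope SCOPES: exit 0 if SCOPES (one scope per line) contains a
# scope that allows the Cloud SQL Admin API, exit 1 otherwise.
has_cloudsql_scope() {
    printf '%s\n' "$1" | grep -Fxq -e "$CLOUD_PLATFORM_SCOPE" -e "$SQLSERVICE_ADMIN_SCOPE"
}

# diagnose_scopes SCOPES: one-line verdict; returns 1 when the scopes would
# produce the 403 ACCESS_TOKEN_SCOPE_INSUFFICIENT seen in the question.
diagnose_scopes() {
    if has_cloudsql_scope "$1"; then
        echo "ok: token scopes allow sqladmin.googleapis.com"
    else
        echo "insufficient: expect 403 ACCESS_TOKEN_SCOPE_INSUFFICIENT from sqladmin.googleapis.com"
        return 1
    fi
}

# metadata_scopes: from a GKE node or a pod that can reach the metadata
# server, fetch the scopes attached to the node service account's token.
# Run "diagnose_scopes \"$(metadata_scopes)\"" there; not used in offline tests.
metadata_scopes() {
    curl -sf -H "Metadata-Flavor: Google" \
        "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes"
}

# cluster_create_cmd [SERVICE_ACCOUNT]: print the gcloud command for the two
# fixes. With a service account it is the user-managed variant (that account
# still needs roles/cloudsql.client on the project); without one it keeps the
# default Compute Engine service account but grants the full cloud-platform scope.
cluster_create_cmd() {
    sa_flag=""
    [ -n "$1" ] && sa_flag="--service-account=$1 "
    printf 'gcloud container clusters create questy-java-cluster \\\n'
    printf '  --num-nodes 2 --machine-type n1-standard-1 --zone us-central1-c \\\n'
    printf '  %s--scopes=cloud-platform\n' "$sa_flag"
}

# Example invocations when run directly.
if [ "${0##*/}" = "fix_scopes.sh" ]; then
    diagnose_scopes "$DEFAULT_GKE_SCOPES"
    cluster_create_cmd "cloudsql-gke-nodes@quizdev.iam.gserviceaccount.com"
    cluster_create_cmd
fi
```

Scopes are a ceiling on top of IAM: a node service account can hold `roles/cloudsql.client` and still get this 403 if its token was minted with the default scope set, which is why the connector's `GetConnectSettings` call fails before any IAM check is reached.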