Search code examples
dockerkubernetesgoogle-cloud-platformgoogle-cloud-sql

Failed to update metadata for Cloud SQL instance. :Request had insufficient authentication scopes


I am following this tutorial: Connect to Cloud SQL for MySQL from Google Kubernetes Engine. I have created a cluster. I have created a docker image in the repository. I have created a database. I am able to run my application outside of Kubernetes and it connects to the database. But after deploying application, pods are not in a valid state and I see in the logs of the pod error:

Caused by: java.lang.RuntimeException: [quizdev:us-central1:my-instance] Failed to update metadata for Cloud SQL instance.
       ...[na:na] 
Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/quizdev/instances/my-instance/connectSettings
{
  "code": 403,
  "details": [
    {
      "@type": "type.googleapis.com/google.rpc.ErrorInfo",
      "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
      "domain": "googleapis.com",
      "metadata": {
        "service": "sqladmin.googleapis.com",
        "method": "google.cloud.sql.v1beta4.SqlConnectService.GetConnectSettings"
      }
    }
  ],
  "errors": [
    {
      "domain": "global",
      "message": "Insufficient Permission",
      "reason": "insufficientPermissions"
       }
  ],
  "message": "Request had insufficient authentication scopes.",
  "status": "PERMISSION_DENIED"
}
        at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:146) ~[google-api-client-2.2.0.jar:2.2.0]
        ... 

2023-06-14T06:57:49.508Z  WARN 1 --- [           main] o.h.e.j.e.i.JdbcEnvironmentInitiator     : HHH000342: Could not obtain connection to query metadata

What could be the issue? What can I check to diagnose the problem?

Edit

I have created the cluster using this command:

  gcloud container clusters create questy-java-cluster \
  --num-nodes 2 \
  --machine-type n1-standard-1 \
  --zone us-central1-c

Solution

  • I'm pretty sure that you create a cluster by default. If you did that, you used the Compute Engine default parameter that you can see here

    enter image description here

    Default service account and access scope. If you did that, it's normal you have no access: the minimal scope does not allow the Cloud SQL access.


    To solve that, you have to select either a user managed service account (the best solution) or still use the default service account but allow full scopes access.

    2 solutions to enforce that:

    • Either delete and recreate correctly your cluster
    • Or, you can create another node pool with the correct parameters.