postgresql kubernetes google-cloud-platform google-kubernetes-engine cloud-sql-proxy

How to use cloud-sql-proxy manually using --login-token, --token and --auto-iam-authn?


Even though the user (not a service account) already has the Cloud SQL Client (roles/cloudsql.client) and Cloud SQL Instance User (roles/cloudsql.instanceUser) roles, and the IAM account (which is the user email) is added to the database instance, using cloud-sql-proxy fails with:

FATAL: empty password returned by client

The current command is:

docker run --rm --network=host gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.6.1 --address 0.0.0.0 --port 5432 --token=$(gcloud auth print-access-token) $(gcloud sql instances describe MY_INSTANCE --format='value(connectionName)')

The log says:

2023/09/15 18:53:56 Authorizing with OAuth2 token
2023/09/15 18:53:57 [MY_ORG:us-central1:MY_INSTANCE] Listening on [::]:5432
2023/09/15 18:53:57 The proxy has started successfully and is ready for new connections!

It connects but gives the FATAL error described before. What is the correct command for it to work?


Solution

  • The proper way to do this is by providing 2 additional parameters to the docker run arguments:

    docker run --rm --network=host gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.6.1 \
      --address 0.0.0.0 \
      --port 5432 \
      --token=$(gcloud auth print-access-token) \
      --login-token=$(gcloud sql generate-login-token) \
      --auto-iam-authn \
      $(gcloud sql instances describe MY_INSTANCE --format='value(connectionName)')
    

    You can now connect to it without using any password. Just connect to localhost:5432 and you should be able to access it.