1

I have simple cloudsql instance for MYSQL_5_7 with enable_iam_authentication flag on.

I have added service account or IAM user and want to access the instance using mysql client.

I am using cloudsql auth proxy:

./cloud_sql_proxy -instances=watchful-pier-333707:us-central1:test-002=tcp:3306 --enable_iam_login

Accessing the DB with below command: mysql -u root -p --host 127.0.0.1

Using Built-in user root I am successfully able to access the instance.

When I am trying to access the DB with IAM user/service account using below command, I am getting "Lost connection to MySQL server at 'reading authorization packet', system error: 0".

mysql -u <user_name> -p --host 127.0.0.1 user_name is the one I can see as added user in user's list

Following this documentation - this

Can anyone please help. Thanks in advance!

mayank agarwal
  • 33
  • 6

3 Answers3

1

Automatic IAM AuthN isn't yet available for MySQL. Once it is, we'll update the proxy docs.

enocom
  • 1,496
  • 1
  • 15
  • 22
  • Hi @enocom, thanks for confirming the same. I am now trying to perform manual AuthN with cloudsql proxy. Is there any specific documentation or java example which I can refer. When I am trying to do so I am facing two issues: 1) getting Auth token from Java Client Lib(using only service account without key.json file). 2) While trying tom connect with DB using 127.0.0.1:3306 for cloudsql auth proxy I am getting this error `ava.sql.SQLException: SSL connection required for plugin "mysql_clear_password". Check if 'sslMode' is enabled.` – mayank agarwal Jan 31 '22 at 18:26
  • Have you tried following the docs? https://cloud.google.com/sql/docs/mysql/iam-logins#logging-in-as-a-user Since the OAuth2 token is short lived, I'd recommend using traditional authentication if you're using it in a Java application. Otherwise, you'll have to write token refresh logic. – enocom Jan 31 '22 at 19:59
  • Yes I have followed the same doc. It's working fine with gcloud cli but getting error from java application. I am using traditional approach to connect with the DB using 127.0.0.1:3306 to connect with cloudsql proxy. – mayank agarwal Feb 01 '22 at 03:38
  • If you're trying to use IAM AuthN with the Java connector, it's not supported yet either. The CLI answer you gave above is the easiest approach for simple CLI tasks. – enocom Feb 01 '22 at 16:15
1

The solution with CLI is using below command:

MYSQL_PWD=`gcloud auth print-access-token` mysql --enable-cleartext-plugin --host=127.0.0.1 --user=<user_name>

Make sure you have authorized the service account and gave it token creator role.

mayank agarwal
  • 33
  • 6
0

Automatic IAM was not supported on MySQL when you tried this, but it is now

$ mkdir -p ~/cloudsql2
$ cloud_sql_proxy --projects my-project -dir ~/cloudsql2 -enable_iam_login
$ mysql -S ~/cloudsql2/my-project\:us-west1\:my-instance-name -u dantest
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6200833
Server version: 5.7.39-google-log (Google)

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

See more: https://cloud.google.com/sql/docs/mysql/authentication#automatic

dan carter
  • 4,158
  • 1
  • 33
  • 34