
I am following this tutorial: Connect to Cloud SQL for MySQL from Google Kubernetes Engine.
I have created a cluster. I have created a docker image in the repository. I have created a database. I am able to run my application outside of Kubernetes and it connects to the database. But after deploying application, pods are not in a valid state and I see in the logs of the pod error:

Caused by: java.lang.RuntimeException: [quizdev:us-central1:my-instance] Failed to update metadata for Cloud SQL instance.
       ...[na:na] 
Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/quizdev/instances/my-instance/connectSettings
{
  "code": 403,
  "details": [
    {
      "@type": "type.googleapis.com/google.rpc.ErrorInfo",
      "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
      "domain": "googleapis.com",
      "metadata": {
        "service": "sqladmin.googleapis.com",
        "method": "google.cloud.sql.v1beta4.SqlConnectService.GetConnectSettings"
      }
    }
  ],
  "errors": [
    {
      "domain": "global",
      "message": "Insufficient Permission",
      "reason": "insufficientPermissions"
       }
  ],
  "message": "Request had insufficient authentication scopes.",
  "status": "PERMISSION_DENIED"
}
        at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:146) ~[google-api-client-2.2.0.jar:2.2.0]
        ... 

2023-06-14T06:57:49.508Z  WARN 1 --- [           main] o.h.e.j.e.i.JdbcEnvironmentInitiator     : HHH000342: Could not obtain connection to query metadata

What could be the issue? What can I check to diagnose the problem?

Edit

I have created the cluster using this command:

  gcloud container clusters create questy-java-cluster \
    --num-nodes 2 \
    --machine-type n1-standard-1 \
    --zone us-central1-c


Answers


  1. Chosen as BEST ANSWER

    Based on the accepted answer from @guillaume blaquiere I have:

    1. created a service account, as one of the steps of the tutorial:
        gcloud iam service-accounts create gke-quickstart-service-account \
          --display-name="GKE Quickstart Service Account"

    2. recreated the cluster with the service account (screenshot not reproduced).

    3. Followed again all steps from the tutorial.

  2. I’m pretty sure that you created a cluster by default. If you did that, you used the Compute Engine default parameter that you can see here

    (screenshot of the default service account and access scope settings, not reproduced)

    If you did that, it’s normal that you have no access: the minimal scope does not allow Cloud SQL access.


    To solve that, you have to select either a user-managed service account (the best solution) or still use the default service account but allow full scope access.

    2 solutions to enforce that:

    • Either delete and recreate your cluster correctly
    • Or, you can create another node pool with the correct parameters.
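    The question asks what can be checked to diagnose this. The following POSIX shell snippet is an added example, not code from the question, the answers or Google's tutorial: it classifies a node pool from the node service account and OAuth scope list that gcloud reports, and shows the least-privilege form of the "another node pool" fix. It assumes gcloud prints list fields separated by ';' under --format='value(...)' and names the Compute Engine default account "default"; the sample scope list is constructed, and PROJECT_ID is a placeholder.

```shell
#!/bin/sh
# Added example; not code from the question, the answers or Google's tutorial.
# A default-created GKE node pool runs as the Compute Engine default service
# account with a minimal scope set, so tokens from the node metadata server
# cannot call sqladmin.googleapis.com (the ACCESS_TOKEN_SCOPE_INSUFFICIENT 403).
# Assumptions: gcloud prints list fields ';'-separated under --format='value(...)'
# and reports the Compute Engine default account as "default".

SQL_SCOPES='https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/sqlservice.admin'

# Returns 0 if the ';'-separated scope list permits Cloud SQL Admin API calls.
scopes_allow_sqladmin() {
  for s in $SQL_SCOPES; do
    case ";$1;" in *";$s;"*) return 0 ;; esac
  done
  return 1
}

# Prints OK, DEFAULT_SA_MINIMAL_SCOPES or CUSTOM_SA_MISSING_SCOPE for a pool,
# given its node service account ($1) and scope list ($2).
classify_node_pool() {
  if scopes_allow_sqladmin "$2"; then
    echo OK
  elif [ "$1" = "default" ]; then
    echo DEFAULT_SA_MINIMAL_SCOPES
  else
    echo CUSTOM_SA_MISSING_SCOPE
  fi
}

# Live check of a real pool (needs gcloud credentials; not invoked below).
check_node_pool() {
  sa=$(gcloud container node-pools describe "$1" --cluster "$2" --zone "$3" \
         --format='value(config.serviceAccount)')
  scopes=$(gcloud container node-pools describe "$1" --cluster "$2" --zone "$3" \
         --format='value(config.oauthScopes)')
  classify_node_pool "$sa" "$scopes"
}

# Constructed sample: the scope set a default-created node pool carries.
SAMPLE_DEFAULT_SCOPES='https://www.googleapis.com/auth/devstorage.read_only;https://www.googleapis.com/auth/logging.write;https://www.googleapis.com/auth/monitoring;https://www.googleapis.com/auth/service.management.readonly;https://www.googleapis.com/auth/servicecontrol;https://www.googleapis.com/auth/trace.append'
classify_node_pool default "$SAMPLE_DEFAULT_SCOPES"   # prints DEFAULT_SA_MINIMAL_SCOPES

# Least-privilege fix: add a pool on a user-managed account with the
# cloud-platform scope, so IAM (e.g. roles/cloudsql.client) gates access.
# PROJECT_ID is a placeholder.
# gcloud container node-pools create sql-pool --cluster questy-java-cluster \
#   --zone us-central1-c --num-nodes 2 \
#   --service-account gke-quickstart-service-account@PROJECT_ID.iam.gserviceaccount.com \
#   --scopes https://www.googleapis.com/auth/cloud-platform
```

    With the cloud-platform scope the token is no longer the limiting factor, so the remaining check is whether the account actually holds a Cloud SQL role in the project.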