
I’ve set up a docker-compose.yml to run a Node-based API application and Google’s Cloud SQL Auth Proxy for the API to connect to my Cloud SQL instance. Both applications start, but I’m getting the error below in my API container:

Error: connect ECONNREFUSED 127.0.0.1:3307 at TCPConnectWrap.afterConnect 

even though the terminal in my proxy container reads:

Authorizing with the credentials file at "/secrets/cloudsql/credentials.json"
[myproject:myregion:myinstance] Listening on 127.0.0.1:3307
The proxy has started successfully and is ready for new connections!

docker-compose.yml (reference)

version: '3.8'
services:
  proxy:
    image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.2
    # also tried --address 0.0.0.0
    command: myproject:myregion:myinstance --credentials-file=/secrets/cloudsql/credentials.json --address 127.0.0.1 --port=3307
    ports:
      - 127.0.0.1:3307:3307
    volumes:
      - ./cloud-sql.credentials.json:/secrets/cloudsql/credentials.json
    restart: always

  web-api:
    build:
      context: .
      dockerfile: ./apps/web-api/Dockerfile
    ports:
      - 3333:3333
    depends_on:
      - proxy

Authentication

Mounting – As you can see, I’m mounting credentials.json, which is a key file for my service account with Cloud SQL Client privileges. I’ve confirmed that the file is mounted properly by looking at the container files in Docker Desktop.

Reading – I also confirmed that the proxy is reading the key file. To do so, I deleted the type property in the key file and I get the error config error: missing 'type' field in credentials

IAM Permissions – I was able to run the proxy locally and connect successfully with a desktop client using this key file, so the key file has the correct permissions (Cloud SQL Client).

But this is weird…

I deleted a character from the service account email to test that the key file authentication would fail. Locally I get the error Invalid grant: account not found, but in my docker container, the proxy runs without error.

I don’t know what to make of this, or how to troubleshoot it. Have I configured something incorrectly? How is the proxy starting with a bad key file when I know the proxy is reading it properly?

2 Answers


  1. Chosen as BEST ANSWER

    Here is an example for a unix socket connection:

    version: '3.8'
    
    services:
      proxy:
        container_name: proxy
        image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.2
        command: myproject:myregion:myinstance --unix-socket /tmp --credentials-file /secrets/cloudsql/credentials.json
        volumes:
          - ./cloud-sql.credentials.json:/secrets/cloudsql/credentials.json
          - socket:/tmp
        restart: always
    
      web-api:
        container_name: web-api
        build:
          context: .
          dockerfile: ./apps/web-api/Dockerfile
        ports:
          - 3333:3333
        volumes:
          - socket:/tmp
        depends_on:
          - proxy
        env_file:
          - .env
        restart: always
    
    volumes:
      socket:
    

  2. You’ll need to reference your Proxy container using links.

    Try this (adapting as needed):

    version: '3.8'
    services:
      proxy:
        # binding to 0.0.0.0 is important
        image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.2
        command: myproject:myregion:myinstance --credentials-file=/secrets/cloudsql/credentials.json --address 0.0.0.0 --port=3307
        volumes:
        - ./cloud-sql.credentials.json:/secrets/cloudsql/credentials.json
    
      psql:
        image: postgres
        # using "proxy" as the hostname
        command: psql "host=proxy port=3307 user=postgres dbname=postgres password=mycoolpassword" -c "select now()"
        depends_on:
          - proxy
        links:
        - "proxy"
    
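A check for the proxy service definitions discussed in this thread, as an added example that is not part of the original question or answers: it flags a TCP listener bound to loopback (the cause of the ECONNREFUSED seen from the other container), a `0.0.0.0` listener that is also published on the host's external interfaces, and a key-file mount that is not read-only. The function name `auditProxy`, the finding labels and the sample objects are assumptions; the services are written as already-parsed objects, so no YAML library is needed.

```javascript
// Added example. auditProxy and its finding labels are hypothetical names.
// Return the value of a flag written as "--flag value" or "--flag=value".
function flagValue(command, flag) {
  const args = command.trim().split(/\s+/);
  for (let i = 0; i < args.length; i++) {
    if (args[i] === flag) return args[i + 1];
    if (args[i].startsWith(flag + '=')) return args[i].slice(flag.length + 1);
  }
  return undefined;
}

function auditProxy(service) {
  const findings = [];
  const cmd = service.command || '';
  const usesSocket = flagValue(cmd, '--unix-socket') !== undefined;
  // Without --address the proxy listens on loopback.
  const address = flagValue(cmd, '--address') || '127.0.0.1';
  if (!usesSocket && (address === '127.0.0.1' || address === 'localhost')) {
    findings.push('loopback-listener: unreachable from other containers');
  }
  if (!usesSocket && address === '0.0.0.0') {
    for (const p of service.ports || []) {
      // "3307:3307" publishes on every host interface; "127.0.0.1:3307:3307"
      // keeps it on the host's loopback. The proxy does not authenticate clients.
      const parts = String(p).split(':');
      const hostIp = parts.length === 3 ? parts[0] : '0.0.0.0';
      if (hostIp !== '127.0.0.1') findings.push(`published-port: ${p}`);
    }
  }
  for (const v of service.volumes || []) {
    // Flag key-file bind mounts that are not read-only (":ro").
    if (/credentials/.test(v) && !/:ro$/.test(v)) findings.push(`writable-key-mount: ${v}`);
  }
  return findings;
}

// Constructed inputs: the proxy services from this page as parsed objects.
const KEY = './cloud-sql.credentials.json:/secrets/cloudsql/credentials.json';
const QUESTION_PROXY = {
  command: 'myproject:myregion:myinstance --credentials-file=/secrets/cloudsql/credentials.json --address 127.0.0.1 --port=3307',
  ports: ['127.0.0.1:3307:3307'],
  volumes: [KEY],
};
// Constructed variant: reachable by service name, nothing published, key read-only.
const HARDENED_PROXY = {
  command: 'myproject:myregion:myinstance --credentials-file=/secrets/cloudsql/credentials.json --address 0.0.0.0 --port=3307',
  volumes: [KEY + ':ro'],
};
console.log(auditProxy(QUESTION_PROXY), auditProxy(HARDENED_PROXY));
```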