Unable to Access CloudSQL MYSQL5.7 From Service Account Using CLI

Question

I have simple cloudsql instance for MYSQL_5_7 with enable_iam_authentication flag on.

I have added service account or IAM user and want to access the instance using mysql client.

I am using cloudsql auth proxy:

./cloud_sql_proxy -instances=watchful-pier-333707:us-central1:test-002=tcp:3306 --enable_iam_login

Accessing the DB with below command: mysql -u root -p --host 127.0.0.1

Using Built-in user root I am successfully able to access the instance.

When I am trying to access the DB with IAM user/service account using below command, I am getting "Lost connection to MySQL server at 'reading authorization packet', system error: 0".

mysql -u <user_name> -p --host 127.0.0.1 user_name is the one I can see as added user in user's list

Following this documentation - this

Can anyone please help. Thanks in advance!

Answer 1

The solution with CLI is using below command:

MYSQL_PWD=`gcloud auth print-access-token` mysql --enable-cleartext-plugin --host=127.0.0.1 --user=<user_name>

Make sure you have authorized the service account and gave it token creator role.

Answer 2

Automatic IAM AuthN isn't yet available for MySQL. Once it is, we'll update the proxy docs.

Answer 3

Automatic IAM was not supported on MySQL when you tried this, but it is now

$ mkdir -p ~/cloudsql2
$ cloud_sql_proxy --projects my-project -dir ~/cloudsql2 -enable_iam_login
$ mysql -S ~/cloudsql2/my-project\:us-west1\:my-instance-name -u dantest
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6200833
Server version: 5.7.39-google-log (Google)

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

See more: https://cloud.google.com/sql/docs/mysql/authentication#automatic