cloud_sql_proxy - connect securely to a 2nd generation cloud sql
database
The Cloud SQL Proxy allows simple, secure connectivity to Google
Cloud SQL. It is a long-running process that opens local sockets (either TCP
or Unix sockets) according to the parameters passed to it. A local
application connects to a Cloud SQL instance by using the corresponding
socket.
By default, the proxy will authenticate under the default service
account of the Compute Engine VM it is running on. Therefore, the VM must
have at least the sqlservice.admin
API
scope and the associated project must have the SQL Admin API enabled.
The default service account must also have at least WRITER/EDITOR
privileges to any projects of target SQL instances.
- On Google Compute Engine, the default service account is used. The Cloud
SQL API must be enabled for the VM.
- When the gcloud command-line tool is installed on the local machine, the
active account is used for authentication. Run 'gcloud auth
list' to see which accounts are installed on your local machine and
'gcloud config list account' to view the active account.
- To configure the proxy using a service account, pass the
-credential_file parameter or set the
GOOGLE_APPLICATION_CREDENTIALS environment variable. This will
override gcloud or GCE (Google Compute Engine) credentials, if they
exist.
- -quiet
- Disable log messages (e.g. when new connections are established).
WARNING: this option disables ALL logging output (including
connection errors), which will likely make debugging difficult. The
-quiet flag takes precedence over the -verbose flag.
- -verbose
- When explicitly set to false, disable log messages that are not errors nor
first-time startup messages (e.g. when new connections are established
or closed without errors).
- -version
- Print the version of the proxy and exit
- -credential_file
- If provided, this json file will be used to retrieve Service Account
credentials. You may set the GOOGLE_APPLICATION_CREDENTIALS
environment variable for the same effect.
- -token
- When set, the proxy uses this Bearer token for authorization
- -max_connections
- If provided, the maximum number of connections to establish before
refusing new connections. Defaults to 0 (no limit)
- -instances
- To connect to a specific list of instances, set the instances parameter to
a comma-separated list of ully qualified instance connection strings
(project:region:name). For example:
-instances=my-project:my-region:my-instance
- For connectivity over TCP, you must specify a tcp port as part of the
instance string. For example, the following example opens a loopback TCP
socket on port 3306, which will be proxied to connect to the instance
'my-instance' in project 'my-project':
-instances=my-project:my-region:my-instance=tcp:3306
When connecting over TCP, the -instances parameter is
required.
Supplying INSTANCES environment variable achieves the same effect.
One can use that to keep k8s manifest files constant across multiple
environments. If the name has the suffix '=tcp:port', a TCP server is
opened on the specified port to proxy to that instance. Otherwise, one
socket file per instance is opened in dir. You may use
INSTANCES environment variable for the same effect. Using both will
use value from flag. Not compatible with -fuse
- -instances_metadata
- When running on GCE (Google Compute Engine) you can avoid the need to
specify the list of instances on the command line by using the Metadata
server. This parameter specifies a path to a metadata value which is then
polled for a comma-separated list of fully qualified instances
(project:region:name) to connect to in the exactly the same way as
the -instances parameter. Updates to the metadata value will be
observed and acted on by the Proxy. For example, to use the instance
metadata value named cloud-sql-instances you would provide
instance/attributes/cloud-sql-instances.
- -check_region
- If specified, the region portion of the connection string is
required for Unix socket-based connections.
- -projects
- To direct the proxy to open connections for each Cloud SQL Instance in the
comma-separated list of projects specified, set the projects
parameter:
- -refresh_config_throttle
- If set, this flag specifies the amount of forced sleep between successive
API calls in order to protect client API quota. Minimum allowed value is
1s
- -dir
- When using Unix sockets (the default for systems which support them), the
Proxy places the sockets representing database instances in the directory
specified by the -dir parameter.
- -fuse
- If your local environment has FUSE installed, you can specify the
-fuse flag to avoid the requirement to specify instances in
advance. Mount a directory at dir using FUSE for accessing
instances. Note that the directory at dir must be empty before this
program is started. With FUSE, any attempts to open a Unix socket
in the directory specified by -dir automatically creates that
socket and connects to the corresponding instance.
- -fuse_tmp
- Used as a temporary directory if -fuse is set. Note that files in
this directory can be removed automatically by this program.
If the Google Cloud SQL is installed on the local machine and no
instance connection flags are specified, the proxy connects to all instances
in the gcloud tool's active project. Run 'gcloud config list project'
to display the active project.
- Credentials
- By default user account credentials are acquired by gcloud auth
login and stored locally on the system. gcloud auth
activate-service-account authorizes access using a service account. As
with gcloud init and gcloud auth login, this command saves
the service account credentials to the local system on successful
completion and sets the specified account as the active account in your
Cloud SDK configuration. To configure the proxy using a service account,
pass the -credential_file parameter or set the
GOOGLE_APPLICATION_CREDENTIALS environment variable. This will
override gcloud or GCE (Google Compute Engine) credentials, if they
exist.
- sockets
directory
- When using Unix sockets (the default for systems which support them), the
Proxy places the sockets rep‐ resenting database instances in the
directory specified by the -dir parameter. With FUSE one can
also interact with the proxy using thius directory to specify instances of
cloud SQL databases to connect to on the fly.
- /dev/fuse
- Optional functionality can be enabled ( --fuse ) with access to
/dev/fuse as well as the fusermount binary.
The upstream issue reporting system is at
github
Manoj Srivastava <srivasta@google.com>