Google App Engine (GAE) Flex isn't the trendiest way to run cloud compute, but it still has its use cases. Alongside it, GCP's CloudSQL is a simple-to-use managed database service. Getting the two to work together can be a challenge, though, especially when they live in separate projects[1].
No CloudSQL Proxy container
GAE Flex runs workloads on modified GCE VMs. Connecting to an instance (gcloud app instances ssh) drops you into a shell[2] where you can run all sorts of programs, including docker commands.
kbudhram@kb-test-20200330t014212-v1 ~ $ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
75366922f827 gcr.io/kbudhram-test/test "/startup_script.sh " 2 hours ago Up 2 hours 172.17.0.1:8080->8080/tcp gaeapp
51ad77de16e2 gcr.io/google-appengine/nginx-proxy:newest "/var/lib/nginx/bin/…" 2 hours ago Up 2 hours 0.0.0.0:8443->8443/tcp, nginx_proxy
f8144ce38446 gcr.io/google-appengine/iap-watcher:newest "./start_iap_watcher…" 2 hours ago Up 2 hours iap_watcher
891656fab89f gcr.io/google-appengine/stackdriver-logging-agent:newest "/entrypoint.sh /usr…" 2 hours ago Up 2 hours 172.17.0.1:24231->24231/tcp fluentd_logger
b9291f6856ec gcr.io/google-appengine/stackdriver-monitoring-agent:newest "/bin/sh -c /run.sh" 2 hours ago Up 2 hours stackdriver-monitoring-agent
kbudhram@kb-test-20200330t014212-v1 ~ $
Notice that there is no CloudSQL Proxy container in the list. In the Flexible environment, ensure that app.yaml contains the following section, then re-deploy:
beta_settings:
  cloud_sql_instances: INSTANCE_CONNECTION_NAME
INSTANCE_CONNECTION_NAME is the CloudSQL instance connection name in PROJECT:REGION:INSTANCE form (kb-test:us-east1:kb-db in the logs further down). See GCP's CloudSQL Proxy to MySQL docs or the PHP repo for more guidance.
Unauthorized CloudSQL Proxy connection
If the app.yaml config is valid, a CloudSQL Proxy container appears in the GAE instance. But if the application still can't connect to the database, you're stuck: Stackdriver Logging does not capture the proxy container's stdout or stderr. Log in to the instance and read the container's logs directly.
kbudhram@kb-test-20200330t015212-v2 ~ $ docker logs 326bde43a8b0
2020/03/30 15:59:16 current FDs rlimit set to 1048576, wanted limit is 8500. Nothing to do here.
2020/03/30 15:59:16 errors parsing config:
googleapi: Error 403: The client is not authorized to make this request., notAuthorized
2020/03/30 15:59:16 Ready for new connections
kbudhram@kb-test-20200330t015212-v2 ~ $
The 403 comes from the Cloud SQL Admin API, which the proxy calls to look up the instance: the service account the GAE instance runs as is not allowed to access the database. This is easy to miss when more than one project is involved. GAE Flex instances run as the App Engine default service account, <project>@appspot.gserviceaccount.com, which is granted the Editor role in its own project by default (so same-project access just works) but has no roles at all in the project hosting the CloudSQL instance. Add that account as a member in IAM in the database project and grant it the Cloud SQL Client role (roles/cloudsql.client). That role only permits connecting through the proxy; don't reach for Editor.
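The following script, an added example rather than code from the original post, performs and verifies that step. The project names kb-test (GAE) and kb-db (CloudSQL) and the sample IAM policy are constructed for illustration; the gcloud invocations are the standard add-iam-policy-binding and get-iam-policy commands, and the script only runs them if gcloud is on the PATH and is otherwise a dry run against the embedded policy.

```python
"""Grant and verify cross-project Cloud SQL access for a GAE default service account.

Added example, not part of the original post. Assumes:
  * the GAE Flex app lives in APP_PROJECT and the CloudSQL instance in DB_PROJECT
    (hypothetical project IDs below);
  * gcloud, if present, is authenticated as someone allowed to edit IAM on DB_PROJECT.
"""
import copy
import json
import shutil
import subprocess
from typing import Dict, List, Set

CLOUDSQL_CLIENT = "roles/cloudsql.client"
# Roles that also carry cloudsql.instances.connect. Seeing one of these on the
# member explains why access "just works" in a single project (the default SA
# is Editor there) but it is far more than the proxy needs.
OVERBROAD_ROLES = {"roles/editor", "roles/owner", "roles/cloudsql.admin", "roles/cloudsql.editor"}

APP_PROJECT = "kb-test"  # hypothetical: project running GAE Flex
DB_PROJECT = "kb-db"     # hypothetical: project hosting the CloudSQL instance

# Constructed sample of `gcloud projects get-iam-policy kb-db --format=json`.
# The GAE account only appears in a *conditional* binding, which is not proof of access.
SAMPLE_POLICY: Dict = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:kb-db@appspot.gserviceaccount.com"]},
        {"role": CLOUDSQL_CLIENT,
         "members": ["serviceAccount:kb-test@appspot.gserviceaccount.com"],
         "condition": {"expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
        {"role": "roles/viewer", "members": ["user:kbudhram@example.com"]},
    ],
    "etag": "BwWn0Gv0AAA=",
    "version": 3,
}


def gae_service_account(app_project: str) -> str:
    """IAM member string of a project's App Engine default service account."""
    return f"serviceAccount:{app_project}@appspot.gserviceaccount.com"


def grant_command(db_project: str, member: str) -> List[str]:
    """argv for the gcloud call that grants Cloud SQL Client on the DB project."""
    return ["gcloud", "projects", "add-iam-policy-binding", db_project,
            f"--member={member}", f"--role={CLOUDSQL_CLIENT}"]


def roles_for_member(policy: Dict, member: str) -> Set[str]:
    """Unconditional roles bound to `member`. Conditional bindings are skipped
    because they may not apply to the proxy's request."""
    return {b["role"] for b in policy.get("bindings", [])
            if "condition" not in b and member in b.get("members", [])}


def diagnose(policy: Dict, member: str) -> str:
    """'ok' = has Cloud SQL Client; 'overbroad' = can connect, but via Editor/Owner/admin;
    'missing' = the 403 seen in the proxy logs."""
    roles = roles_for_member(policy, member)
    if CLOUDSQL_CLIENT in roles:
        return "ok"
    if roles & OVERBROAD_ROLES:
        return "overbroad"
    return "missing"


def add_binding(policy: Dict, member: str, role: str) -> Dict:
    """Return a copy of `policy` with the unconditional binding gcloud would add."""
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def fetch_policy(db_project: str) -> Dict:
    """Live policy via gcloud; falls back to the constructed sample when gcloud is absent."""
    if shutil.which("gcloud") is None:
        return SAMPLE_POLICY
    out = subprocess.check_output(
        ["gcloud", "projects", "get-iam-policy", db_project, "--format=json"])
    return json.loads(out)


if __name__ == "__main__":
    member = gae_service_account(APP_PROJECT)
    policy = fetch_policy(DB_PROJECT)
    state = diagnose(policy, member)
    print(f"{member} in {DB_PROJECT}: {state}")
    if state == "missing":
        cmd = grant_command(DB_PROJECT, member)
        print("fix:", " ".join(cmd))
        if shutil.which("gcloud"):
            subprocess.check_call(cmd)
            print("after grant:", diagnose(fetch_policy(DB_PROJECT), member))
```

Once the binding is in place, restart the instance and confirm in the proxy's docker logs, as described next. The check deliberately ignores conditional bindings and flags Editor or Owner as "overbroad": if the account already connects because it is Editor in the database project, that is the moment to replace the binding with Cloud SQL Client.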
Restart the instance and check the docker logs to confirm access.
kbudhram@kb-test-20200330t015212-v2 ~ $ docker logs b169742c5ee0
2020/03/30 16:14:47 current FDs rlimit set to 1048576, wanted limit is 8500. Nothing to do here.
2020/03/30 16:14:50 Listening on /cloudsql/kb-test:us-east1:kb-db for kb-test:us-east1:kb-db
2020/03/30 16:14:50 Ready for new connections
kbudhram@kb-test-20200330t015212-v2 ~ $
When it works, the CloudSQL Proxy container automatically creates a Unix socket in the /cloudsql directory, named after the instance connection name (/cloudsql/kb-test:us-east1:kb-db above). This directory is mounted into the application's container at the same path, so the app connects to that socket rather than to a host and port. If the application does not support Unix sockets, the proxy can listen on a TCP port instead: append the port to the instance entry in app.yaml, for example cloud_sql_instances: kb-test:us-east1:kb-db=tcp:3306.
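As an added example (not code from the original post or the PHP repo it links), the following module shows how an app inside the GAE Flex container should derive its connection parameters from the connection name. It assumes a MySQL instance, the PyMySQL driver, a hypothetical environment variable CLOUDSQL_CONNECTION_NAME, and, for the TCP variant, the Docker bridge address 172.17.0.1 seen in the docker ps output above (an assumption; set tcp_host to whatever your deployment uses). It validates the connection name before turning it into a path, so a bad value cannot point the app at an arbitrary file under /cloudsql.

```python
"""Connection parameters for a GAE Flex app talking to CloudSQL via the proxy.

Added example, not from the original post. Assumptions:
  * MySQL instance and the PyMySQL driver (`pip install pymysql`);
  * hypothetical env var CLOUDSQL_CONNECTION_NAME = PROJECT:REGION:INSTANCE;
  * plain project IDs (domain-scoped IDs such as example.com:proj are rejected);
  * TCP host 172.17.0.1 is an assumption for the TCP listener, not something the post states.
"""
import os
import re
import time
from typing import Dict, Optional

SOCKET_DIR = "/cloudsql"
# project:region:instance, each component lowercase letters, digits, hyphens.
# Rejecting anything else keeps "..", "/" and friends out of the socket path.
CONNECTION_NAME_RE = re.compile(r"^[a-z][a-z0-9-]*:[a-z][a-z0-9-]*:[a-z][a-z0-9-]*$")


def socket_path(connection_name: str, socket_dir: str = SOCKET_DIR) -> str:
    """Path of the Unix socket the proxy creates for this instance."""
    if not CONNECTION_NAME_RE.match(connection_name):
        raise ValueError(f"bad instance connection name: {connection_name!r}")
    return os.path.join(socket_dir, connection_name)


def proxy_ready(connection_name: str, socket_dir: str = SOCKET_DIR) -> bool:
    """True once the proxy has created the socket. The proxy container starts
    alongside the app, so the app should wait for this instead of crashing."""
    return os.path.exists(socket_path(connection_name, socket_dir))


def wait_for_proxy(connection_name: str, timeout: float = 30.0,
                   socket_dir: str = SOCKET_DIR) -> bool:
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if proxy_ready(connection_name, socket_dir):
            return True
        time.sleep(0.5)
    return False


def connect_kwargs(connection_name: str, user: str, password: str, database: str,
                   tcp_port: Optional[int] = None, tcp_host: str = "172.17.0.1",
                   socket_dir: str = SOCKET_DIR) -> Dict:
    """Keyword arguments for pymysql.connect(). Unix socket by default; TCP when
    app.yaml uses cloud_sql_instances: NAME=tcp:PORT and tcp_port is given."""
    kwargs = {"user": user, "password": password, "database": database,
              "charset": "utf8mb4"}
    if tcp_port is None:
        kwargs["unix_socket"] = socket_path(connection_name, socket_dir)
    else:
        kwargs["host"] = tcp_host
        kwargs["port"] = int(tcp_port)
    return kwargs


def connect(**kwargs):
    import pymysql  # imported lazily so the module loads without the driver
    return pymysql.connect(**kwargs)


if __name__ == "__main__":
    name = os.environ.get("CLOUDSQL_CONNECTION_NAME", "kb-test:us-east1:kb-db")
    port = os.environ.get("CLOUDSQL_TCP_PORT")  # hypothetical; unset means socket
    kw = connect_kwargs(name, os.environ.get("DB_USER", "app"),
                        os.environ.get("DB_PASS", ""), os.environ.get("DB_NAME", "app"),
                        tcp_port=int(port) if port else None)
    if port or wait_for_proxy(name, timeout=5):
        conn = connect(**kw)
        with conn.cursor() as cur:
            cur.execute("SELECT 1")
            print(cur.fetchone())
    else:
        print("proxy socket not present; would have used", kw.get("unix_socket"))
```

The socket name is exactly the connection name for MySQL; a PostgreSQL instance puts its socket at /cloudsql/CONNECTION_NAME/.s.PGSQL.5432 instead, so the path helper would need adjusting. Credentials still come from the database user and password: the IAM role only gets the proxy as far as the instance.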
There is no need to add any networks to the CloudSQL instance's Authorized networks list. Instead, the CloudSQL Proxy running in GAE authenticates with the service account and connects on the application's behalf.
If the project has multiple VPCs, a firewall allow rule must exist for the VPC serving the GAE instances (the proxy connects outbound to the instance on TCP port 3307). Since GAE Flex instances run on modified GCP Compute instances, the VPC network settings apply to them.