A coworker has a problem with cloud_sql_proxy in GCP. We have a very simple setup, connections are done with the Google account, not service accounts, no IP restrictions or any other specialities.
For me, it's working fine, I'm simply running cloud_sql_proxy <project>:<region>:<database> -p 5435 and everything is great.
When he is using the command, all he gets is
failed to connect to instance: failed to get instance: Refresh error: failed to get instance metadata (connection name = "<project>:<region>:<database>"):
Get "https://sqladmin.googleapis.com/sql/v1beta4/projects/<project>/instances/<database>/connectSettings?alt=json&prettyPrint=false": auth: "invalid_grant" "Bad Request"
What we have tested so far:
gcloud auth list.gcloud auth print-access-token and cloud_sql_proxy --token=... the proxy is working, so it seems his account is OK and cloud_sql_proxy simply isn't using it by default.Actually, I'm running out of ideas now. It feels like the proxy is not using the proper account, but I don't know why. The output of cloud_sql_proxy is not very helpful (it doesn't even tell me which account is being used to authenticate like most other GCP tools do), and flags like -verbose don't give any helpful information.
Is there anything else I could check? Is there any way to make cloud_sql_proxy output more information?
gcloud auth list shows the available credentials for gcloud, not for other applications or libraries, those require application-default-credentials to be generated, which you probably did on your pc, and your coworker didn't. This can be done with:
gcloud auth application-default login
See https://cloud.google.com/sql/docs/mysql/connect-auth-proxy#start-proxy for this explanation in the docs.