From cc9f4fe692865057cac142909d03c4c1897a992d Mon Sep 17 00:00:00 2001
From: Ryan Boehning
Date: Fri, 1 May 2020 16:43:23 -0700
Subject: [PATCH] Fix bad permissions on service account key in dbproxy startup script

The Cloud SQL Proxy container needs to mount the cloud-sql-proxy service account key as a file so it can connect to the db. I was incorrectly setting the permissions on this file to 400. Inside the container, the proxy binary is being run by the `nonroot` user. This user has a different uid compared to the user running `docker` outside the container, so it can't read the file. The solution is to change the permissions on the key to 444, so it's readable by `nonroot`.
---
 modules/dbproxy/run_cloud_sql_proxy.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/dbproxy/run_cloud_sql_proxy.tpl b/modules/dbproxy/run_cloud_sql_proxy.tpl
index adc27fd..7ce696e 100644
--- a/modules/dbproxy/run_cloud_sql_proxy.tpl
+++ b/modules/dbproxy/run_cloud_sql_proxy.tpl
@@ -6,7 +6,7 @@ set -euo pipefail
 # automatically reboot the server if it goes down. We don't want to lose the
 # key after a reboot.
 echo '${service_account_key}' >/var/svc_account_key.json
-chmod 400 /var/svc_account_key.json
+chmod 444 /var/svc_account_key.json
 # TODO: delete this line and add the `--pull=always` flag to `docker run`
 docker pull gcr.io/cloudsql-docker/gce-proxy:latest
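Review bot: `chmod 444 /var/svc_account_key.json` makes the service-account credential world-readable on the host, so every local user and process on the instance can read it, not only the proxy container; the narrower fix is to keep a restrictive mode and align ownership with the uid the proxy runs as inside the container, e.g. `chown <proxy-uid> /var/svc_account_key.json` followed by `chmod 400 /var/svc_account_key.json` (placeholder uid, take it from the proxy image), or run the container with `docker run --user` set to the host owner's uid. Since the comment two lines above says the file is deliberately kept in /var across reboots, a world-readable mode persists for the life of the instance rather than being a transient state. The `docker run` invocation that mounts the key is outside this hunk, so which of the two options fits is inferred; the startup script's remaining lines are also outside the visible hunk.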