Fix bad permissions on service account key in dbproxy startup script

The Cloud SQL Proxy container needs to mount the cloud-sql-proxy service
account key as a file so it can connect to the db. I was incorrectly
setting the permissions on this file to 400. Inside the container, the
proxy binary is being run by the `nonroot` user. This user has a
different uid compared to the user running `docker` outside the
container, so it can't read the file. The solution is to change the
permissions on the key to 444, so it's readable by `nonroot`.
Ryan Boehning
2020-05-01 16:43:23 -07:00
parent f7ef3d241a
commit cc9f4fe692


@@ -6,7 +6,7 @@ set -euo pipefail
# automatically reboot the server if it goes down. We don't want to lose the # automatically reboot the server if it goes down. We don't want to lose the
# key after a reboot. # key after a reboot.
echo '${service_account_key}' >/var/svc_account_key.json echo '${service_account_key}' >/var/svc_account_key.json
chmod 400 /var/svc_account_key.json chmod 444 /var/svc_account_key.json
# TODO: delete this line and add the `--pull=always` flag to `docker run` # TODO: delete this line and add the `--pull=always` flag to `docker run`
docker pull gcr.io/cloudsql-docker/gce-proxy:latest docker pull gcr.io/cloudsql-docker/gce-proxy:latest
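Review bot: `chmod 444 /var/svc_account_key.json` makes the service account key readable by every local user on the host, not just the container's `nonroot` user, which trades one permission problem for a wider exposure of a long-lived credential. Since the stated cause is a uid mismatch between `nonroot` inside the container and the user running `docker`, the narrower fix is to give the file to that uid and keep it unreadable by everyone else, e.g. `chown <nonroot-uid>:<nonroot-gid> /var/svc_account_key.json` followed by `chmod 400 /var/svc_account_key.json` (the uid/gid placeholders are the values the image's `nonroot` user maps to on the host, which this hunk does not show), and mount it read-only into the container. If the file must stay world-readable, the commit message should say why the owner-based approach was not taken, and the TODO about `--pull=always` on the following line is unrelated to this change and could be left for its own commit.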