cc9f4fe692865057cac142909d03c4c1897a992d
The Cloud SQL Proxy container needs to mount the cloud-sql-proxy service account key as a file so it can connect to the db. I was incorrectly setting the permissions on this file to 400. Inside the container, the proxy binary is being run by the `nonroot` user. This user has a different uid compared to the user running `docker` outside the container, so it can't read the file. The solution is to change the permissions on the key to 444, so it's readable by `nonroot`.
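The permission mismatch described in the commit message above can be checked before the container starts. The script below is an added example, not code from this repo: it works out from a key file's owner, group and mode bits whether a given uid can read it, and flags the case where mode 444 also leaves the key readable by every account on the host. The function names and the uid/gid 65532 for `nonroot` are assumptions; confirm the uid against the image you run.

```shell
#!/bin/sh
# Added example, not from the repo. Works out from ownership and mode bits
# whether the uid a container runs as can read a bind-mounted key file.
# Assumes a stat that supports -c (GNU coreutils or BusyBox); ACLs and
# supplementary groups are not considered.

# key_access FILE UID GID -> prints the permission class that grants read
# (root, owner, group, other) or "denied"; returns 1 when denied.
key_access() {
    ka_file=$1; ka_uid=$2; ka_gid=$3
    ka_stat=$(stat -c '%a %u %g' "$ka_file") || return 2
    set -- $ka_stat
    ka_mode=$1; ka_owner=$2; ka_group=$3
    if [ "$ka_uid" -eq 0 ]; then echo root; return 0; fi
    # The kernel checks exactly one class: owner, else group, else other.
    if [ "$ka_uid" -eq "$ka_owner" ]; then
        ka_class=owner; ka_hit=$((0$ka_mode & 0400))
    elif [ "$ka_gid" -eq "$ka_group" ]; then
        ka_class=group; ka_hit=$((0$ka_mode & 0040))
    else
        ka_class=other; ka_hit=$((0$ka_mode & 0004))
    fi
    if [ "$ka_hit" -ne 0 ]; then echo "$ka_class"; else echo denied; return 1; fi
}

# key_verdict FILE UID GID -> "unreadable", "readable", or
# "readable-world-readable" (every local account on the host can read the key).
key_verdict() {
    key_access "$1" "$2" "$3" >/dev/null || { echo unreadable; return 1; }
    kv_mode=$(stat -c '%a' "$1")
    if [ $((0$kv_mode & 0004)) -ne 0 ]; then
        echo readable-world-readable
    else
        echo readable
    fi
}

# Usage: sh check_key.sh KEYFILE [UID] [GID]
# 65532 is assumed to be the uid/gid of `nonroot` in the proxy image; verify it.
if [ -n "${1:-}" ]; then
    key_verdict "$1" "${2:-65532}" "${3:-65532}"
fi
```

A key that is owned by the container's uid and kept at mode 400 reports `readable` without the world-readable flag.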
Cloud SQL DB with a Private IP
This repo demonstrates how to create a Cloud SQL DB with a private IP address only, and connect to it with Cloud SQL Proxy. The full explanation of how this works can be found in this blog post.
Deploy the db and Cloud SQL Proxy
gcloud services enable \
  cloudresourcemanager.googleapis.com \
  compute.googleapis.com \
  iam.googleapis.com \
  oslogin.googleapis.com \
  servicenetworking.googleapis.com \
  sqladmin.googleapis.com
terraform init
terraform apply
Upload your public SSH key to Google's OS Login service
gcloud compute os-login ssh-keys add --key-file=~/.ssh/id_rsa.pub --ttl=365d
Connect to the private db through Cloud SQL Proxy
# get your SSH username
gcloud compute os-login describe-profile | grep username
# psql into your private db
ssh -t <username>@<proxy-ip-address> docker run --rm --network=host -it postgres:11-alpine psql -U postgres -h localhost