Access denied for service account (permission issue?) when importing a csv from cloud storage to cloud sql

I'm trying to populate a MySQL DB with a CSV that I have in Cloud Storage.

I'm using the API Explorer to execute the request with the following request body:

{
  "importContext": {
    "csvImportOptions": {
      "columns": [
        "col1",
        "col2",
        "col3"
      ],
      "table": "table_name"
    },
    "database": "db_name",
    "fileType": "CSV",
    "kind": "sql#importContext",
    "uri": "gs://some_bucket/somecsv.csv"
  }
}

When I hit the Execute button, I receive a 200 response with the following body:

{
 "kind": "sql#operation",
 "selfLink": "https://www.googleapis.com/sql/v1beta4/projects/somelink",
 "targetProject": "some-project",
 "targetId": "some-tarjet",
 "targetLink": "https://www.googleapis.com/sql/v1beta4/projects/somelink",
 "name": "some-name",
 "operationType": "IMPORT",
 "status": "PENDING",
 "user": "[email protected]",
 "insertTime": "somedate",
 "importContext": {
  ...
 }
}

But if I go to the instance details page in the Google console, I see this message:

gs://link-to-csv: Access denied for account [email protected] (permission issue?)

I'm authenticated with the same account that created the bucket in Cloud Storage where the CSV is, and this also happens using the Python SDK.

Inness answered 19/7, 2018 at 19:52 Comment(0)

You are trying to do an import from your bucket to your Cloud SQL instance, but that import is going to be made by a service account, one in particular, which can be seen in the “Service account” section when viewing the details of your Cloud SQL instance.

It might be that the Cloud SQL service account does not have appropriate permissions to access the Cloud Storage bucket with the data to import.

In order to create a successful import between a SQL instance and Storage buckets, proper permissions should be set first. You should give the service account "oosyrcl32gnzypxg4uhqw54uab@speckle-umbrella-27.iam.gserviceaccount.com" the Storage Object Viewer role.

Gussi answered 20/7, 2018 at 10:16 Comment(0)
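
As an added example (not part of the answers on this page, and not Google's code): an offline check of whether the instance's service account, rather than the user who created the bucket, can read objects in the bucket. It assumes the JSON shapes printed by `gcloud sql instances describe INSTANCE --format=json` and `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`; the sample data and the service account address are constructed placeholders.

```python
import json

# Roles containing storage.objects.get, the permission needed to read the CSV.
READ_ROLES = {
    "roles/storage.objectViewer": "minimal",
    "roles/storage.legacyObjectReader": "minimal",
    "roles/storage.objectAdmin": "broader than needed: can also write and delete objects",
    "roles/storage.admin": "broader than needed: full control of the bucket",
}

# Constructed sample data; the service account address is a placeholder.
SAMPLE_INSTANCE = json.dumps({
    "name": "some-instance",
    "serviceAccountEmailAddress": "p000000000000-example@gcp-sa-cloud-sql.iam.gserviceaccount.com",
})
# The bucket creator has access, the instance's service account does not.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/storage.objectAdmin", "members": ["user:bucket-creator@example.com"]},
]})

def import_member(instance_json):
    """IAM member string for the identity that performs the import."""
    return "serviceAccount:" + json.loads(instance_json)["serviceAccountEmailAddress"]

def check_import_access(instance_json, policy_json):
    """Return (can_read, findings) from bucket-level bindings only.
    Grants inherited from the project and IAM conditions are not evaluated."""
    member = import_member(instance_json)
    findings = [
        (b["role"], READ_ROLES[b["role"]])
        for b in json.loads(policy_json).get("bindings", [])
        if member in b.get("members", []) and b["role"] in READ_ROLES
    ]
    return bool(findings), findings

def minimal_binding(instance_json):
    """Bucket-scoped binding that is enough for the import to read the file."""
    return {"role": "roles/storage.objectViewer", "members": [import_member(instance_json)]}

if __name__ == "__main__":
    print(check_import_access(SAMPLE_INSTANCE, SAMPLE_POLICY))
    fixed = json.loads(SAMPLE_POLICY)
    fixed["bindings"].append(minimal_binding(SAMPLE_INSTANCE))
    print(check_import_access(SAMPLE_INSTANCE, json.dumps(fixed)))
```

Run against the sample data, the first check fails even though the bucket creator holds a role on the bucket, and passes once the bucket-scoped viewer binding for the service account is present.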
  1. Go to: https://console.cloud.google.com/iam-admin/iam
  2. Click Add, to add a new member.
  3. Paste the gserviceaccount.com email address that was presented in the error message into the New Members field.
  4. Add 2 roles:
    1. Cloud SQL Viewer
    2. Storage Object Admin
  5. Click Save.
Nearly answered 7/11, 2018 at 12:50 Comment(0)