cloud_sql_proxy - connect securely to a 2nd generation Cloud SQL database
The Cloud SQL Proxy allows simple, secure connectivity to Google Cloud SQL. It is a long-running process that opens local sockets (either TCP or Unix sockets) according to the parameters passed to it. A local application connects to a Cloud SQL instance by using the corresponding socket.
By default, the proxy will authenticate under the default service account of the Compute Engine VM it is running on. Therefore, the VM must have at least the sqlservice.admin API scope and the associated project must have the SQL Admin API enabled. The default service account must also have at least WRITER/EDITOR privileges to any projects of target SQL instances.
o  On Google Compute Engine, the default service account is used. The Cloud SQL API must be enabled for the VM.
o  When the gcloud command-line tool is installed on the local machine, the active account is used for authentication. Run 'gcloud auth list' to see which accounts are installed on your local machine and 'gcloud config list account' to view the active account.
o  To configure the proxy using a service account, pass the -credential_file parameter or set the GOOGLE_APPLICATION_CREDENTIALS environment variable. This will override gcloud or GCE (Google Compute Engine) credentials, if they exist.
|-quiet||Disable log messages (e.g. when new connections are established). WARNING: this option disables ALL logging output (including connection errors), which will likely make debugging difficult. The -quiet flag takes precedence over the -verbose flag.|
|When explicitly set to false, disable log messages that are not errors nor first-time startup messages (e.g. when new connections are established or closed without errors).|
|Print the version of the proxy and exit|
|If provided, this json file will be used to retrieve Service Account credentials. You may set the GOOGLE_APPLICATION_CREDENTIALS environment variable for the same effect.|
|-token||When set, the proxy uses this Bearer token for authorization|
|If provided, the maximum number of connections to establish before refusing new connections. Defaults to 0 (no limit)|
|To connect to a specific list of instances, set the instances parameter to a comma-separated list of fully qualified instance connection strings (project:region:name). For example:
Automatic instance discovery
If the Google Cloud SQL is installed on the local machine and no instance connection flags are specified, the proxy connects to all instances in the gcloud tool’s active project. Run ’gcloud config list project’ to display the active project.
|By default user account credentials are acquired by gcloud auth login and stored locally on the system. gcloud auth activate-service-account authorizes access using a service account. As with gcloud init and gcloud auth login, this command saves the service account credentials to the local system on successful completion and sets the specified account as the active account in your Cloud SDK configuration. To configure the proxy using a service account, pass the -credential_file parameter or set the GOOGLE_APPLICATION_CREDENTIALS environment variable. This will override gcloud or GCE (Google Compute Engine) credentials, if they exist.|
|When using Unix sockets (the default for systems which support them), the Proxy places the sockets representing database instances in the directory specified by the -dir parameter. With FUSE one can also interact with the proxy using this directory to specify instances of Cloud SQL databases to connect to on the fly.|
|Optional functionality can be enabled ( --fuse ) with access to /dev/fuse as well as the fusermount binary.|
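The following pre-flight check is an added example, not part of the original manual page or of the proxy itself. It validates an instance list against the project:region:name form described above and refuses a service account key file that group or other users can access, before printing the proxy command line. The function names and the sample values are hypothetical; entries with more than three colon-separated fields are rejected.

```shell
#!/bin/sh
# Added example: checks to run before starting cloud_sql_proxy.
# Function names are hypothetical; -dir, -instances and -credential_file
# are the proxy parameters used.

# Succeeds only if every comma-separated entry is project:region:name.
valid_instances() {
    rest=$1,
    while [ -n "$rest" ]; do
        entry=${rest%%,*}      # first entry in the remaining list
        rest=${rest#*,}        # drop it and its comma
        case $entry in
            *[[:space:]]*) return 1 ;;   # embedded whitespace
            *:*:*:*)       return 1 ;;   # more than three fields
            :*|*:|*::*)    return 1 ;;   # an empty field
            *:*:*)         ;;            # exactly three non-empty fields
            *)             return 1 ;;   # empty entry or too few fields
        esac
    done
}

# Succeeds only if $1 is a regular file (not a symlink) whose mode grants
# nothing to group or others, e.g. 0600.
private_key_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(ls -ld -- "$1") || return 1
    [ "$(printf '%s' "$mode" | cut -c5-10)" = "------" ]
}

# Prints the proxy command line if all checks pass; it starts nothing.
# usage: proxy_command INSTANCES CREDENTIAL_FILE SOCKET_DIR
proxy_command() {
    valid_instances "$1" || { echo "bad instance list: $1" >&2; return 1; }
    private_key_file "$2" || {
        echo "credential file missing or accessible to group/others: $2" >&2
        return 1
    }
    [ -d "$3" ] || { echo "socket directory missing: $3" >&2; return 1; }
    printf 'cloud_sql_proxy -dir=%s -instances=%s -credential_file=%s\n' \
        "$3" "$1" "$2"
}
```

Call proxy_command with the instance list, the key file and the socket directory, and run the printed command only when it returns success.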
The upstream issue reporting system is at GitHub
Manoj Srivastava <srivasta>