Accessing Cloud SQL from Cloud Run on Google Cloud



I have a Cloud Run service that accesses a Cloud SQL instance through SQLAlchemy. However, in the Cloud Run logs I see "CloudSQL connection failed. Please see https://cloud.google.com/sql/docs/mysql/connect-run for additional details: ensure that the account has access to "<connection_string>"". Going to that link, it says:

"By default, your application will authorize your connections using the Cloud Run (fully managed) service account. The service account has the format PROJECT_NUMBER-compute@developer.gserviceaccount.com."

However, the following page (https://cloud.google.com/run/docs/securing/service-identity) says:

"By default, Cloud Run revisions use the Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com), which has the Project > Editor IAM role. This means that by default, your Cloud Run revisions have read and write access to all resources in your Google Cloud project."

So shouldn't that mean Cloud Run already has access to SQL? I have already set up the Cloud SQL connection in the Cloud Run deployment page. What would you suggest I do to allow access to Cloud SQL from Cloud Run?

EDIT: I had to enable the Cloud SQL API.

No, Cloud Run cannot access Cloud SQL by default. You need to follow one of two paths.

  1. Connect to SQL using a local Unix socket file: you need to configure permissions as described earlier and deploy with a flag indicating the intent to connect to the database. Follow https://cloud.google.com/sql/docs/mysql/connect-run

  2. Connect to SQL using a private IP: this involves deploying the Cloud SQL instance into a VPC network so that it gets a private IP address. Then use the Cloud Run VPC Access Connector (currently in beta) to allow Cloud Run containers to connect to that VPC network, which directly includes the IP address of the SQL database (no IAM permissions needed). Follow https://cloud.google.com/vpc/docs/configure-serverless-vpc-access

Cloud SQL Proxy solution

I use the cloud-sql-proxy to create a local Unix socket file in the workspace directory provided by Cloud Build.

Here are the main steps:

  1. Pull a Berglas container, populating its call with _VAR1 substitutions, which are environment variables I encrypted with Berglas and named CMCREDENTIALS. You should add as many _VAR{n} as needed.
  2. Install cloudsqlproxy via wget
  3. Run an intermediate step (test this build). This step uses the variables stored in the provided temporary /workspace directory
  4. Build your image
  5. Push your image
  6. Using Cloud Run, deploy and include the flag --set-environment-variables

Full cloudbuild.yaml

```yaml
# basic cloudbuild.yaml
steps:
# pull the berglas container and write the secrets to temporary files
# under /workspace
- name: gcr.io/berglas/berglas
  id: 'Install Berglas'
  env:
  - '${_VAR1}=berglas://${_BUCKET_ID_SECRETS}/${_VAR1}?destination=/workspace/${_VAR1}'
  args: ["exec", "--", "/bin/sh"]
# install the cloud sql proxy
- id: 'Install Cloud SQL Proxy'
  name: alpine:latest
  entrypoint: sh
  args:
  - "-c"
  - "\
    wget -O /workspace/cloud_sql_proxy \
    https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 && \
    sleep 2 && \
    chmod +x /workspace/cloud_sql_proxy"
  waitFor: ['-']
# using the secrets from above, build and run the test suite
- name: 'python:3.8.3-slim'
  id: 'Run Unit Tests'
  entrypoint: '/bin/bash'
  args:
  - "-c"
  - "\
    (/workspace/cloud_sql_proxy -dir=/workspace/${_SQL_PROXY_PATH} -instances=${_INSTANCE_NAME1} & sleep 2) && \
    apt-get update && apt-get install -y --no-install-recommends \
    build-essential libssl-dev libffi-dev libpq-dev python3-dev wget && \
    rm -rf /var/lib/apt/lists/* && \
    export ${_VAR1}=$(cat /workspace/${_VAR1}) && \
    export INSTANCE_NAME1=${_INSTANCE_NAME1} && \
    export SQL_PROXY_PATH=/workspace/${_SQL_PROXY_PATH} && \
    pip install -r dev-requirements.txt && \
    pip install -r requirements.txt && \
    python -m pytest -v && \
    rm -rf /workspace/${_SQL_PROXY_PATH} && \
    echo 'Removed Cloud SQL Proxy'"
  waitFor: ['Install Cloud SQL Proxy', 'Install Berglas']
  dir: '${_APP_DIR}'
# Using the application/Dockerfile build instructions, build the app image
- name: 'gcr.io/cloud-builders/docker'
  id: 'Build Application Image'
  args: ['build',
         '-t',
         'gcr.io/$PROJECT_ID/${_IMAGE_NAME}',
         '.',
  ]
  dir: '${_APP_DIR}'
# Push the application image
- name: 'gcr.io/cloud-builders/docker'
  id: 'Push Application Image'
  args: ['push',
         'gcr.io/$PROJECT_ID/${_IMAGE_NAME}',
  ]
# Deploy the application image to Cloud Run
# populating secrets via Berglas exec ENTRYPOINT for gunicorn
- name: 'gcr.io/cloud-builders/gcloud'
  id: 'Deploy Application Image'
  args: ['beta',
         'run',
         'deploy',
         '${_IMAGE_NAME}',
         '--image',
         'gcr.io/$PROJECT_ID/${_IMAGE_NAME}',
         '--region',
         'us-central1',
         '--platform',
         'managed',
         '--quiet',
         '--add-cloudsql-instances',
         '${_INSTANCE_NAME1}',
         '--set-env-vars',
         'SQL_PROXY_PATH=/${_SQL_PROXY_PATH},INSTANCE_NAME1=${_INSTANCE_NAME1},${_VAR1}=berglas://${_BUCKET_ID_SECRETS}/${_VAR1}',
         '--allow-unauthenticated',
         '--memory',
         '512Mi'
  ]
# Use the defaults below which can be changed at the command line
substitutions:
  _IMAGE_NAME: your-image-name
  _BUCKET_ID_SECRETS: your-bucket-for-berglas-secrets
  _INSTANCE_NAME1: project-name:location:dbname
  _SQL_PROXY_PATH: cloudsql
  _VAR1: CMCREDENTIALS

# The images we'll push here
images: [
  'gcr.io/$PROJECT_ID/${_IMAGE_NAME}'
]
```

Dockerfile used

The following builds a Python application from the source contained in the directory <myrepo>/application. The Dockerfile lives at application/Dockerfile.

```dockerfile
# Use the official lightweight Python image.
# https://hub.docker.com/_/python
FROM python:3.8.3-slim
# Add build arguments
# Copy local code to the container image.
ENV APP_HOME /application
WORKDIR $APP_HOME
# Install production dependencies.
RUN apt-get update && apt-get install -y --no-install-recommends \
    build-essential \
    libpq-dev \
    python3-dev \
    libssl-dev \
    libffi-dev \
    && rm -rf /var/lib/apt/lists/*
# Copy the application source
COPY . ./
# Install Python dependencies
RUN pip install -r requirements.txt --no-cache-dir
# Grab Berglas from Google Cloud Registry
COPY --from=gcr.io/berglas/berglas:latest /bin/berglas /bin/berglas
# Run the web service on container startup. Here we use the gunicorn
# webserver, with one worker process and 8 threads.
# For environments with multiple CPU cores, increase the number of workers
# to be equal to the cores available.
ENTRYPOINT exec /bin/berglas exec -- gunicorn --bind :$PORT --workers 1 --threads 8 app:app
```

Hope this helps someone, though it may be too specific for the original OP (Python + Berglas).
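As an added example (not code from the question or either answer), here is how the application could build its SQLAlchemy connection URL from the SQL_PROXY_PATH, INSTANCE_NAME1 and CMCREDENTIALS environment variables that the cloudbuild.yaml above exports; it assumes CMCREDENTIALS decrypts to a JSON document with user, password and database keys, and covers both the Postgres (libpq, as in the Dockerfile) and MySQL (as in the linked docs) socket conventions.

```python
"""Hypothetical helper: SQLAlchemy URL for a Cloud SQL Unix socket.

Assumed environment (set by the Cloud Build test step locally and by
--set-env-vars on Cloud Run):
  SQL_PROXY_PATH  directory holding the socket (/cloudsql on Cloud Run)
  INSTANCE_NAME1  project:region:instance connection name
  CMCREDENTIALS   assumed to be a JSON document {"user","password","database"}
                  decrypted by Berglas at container start
"""
import json
import os
from urllib.parse import quote_plus

# Driver prefix and query key per engine. Cloud Run exposes the socket at
# /cloudsql/<instance>: psycopg2 takes that directory via host=, PyMySQL
# takes the same path via unix_socket=.
_DIALECTS = {
    "postgres": ("postgresql+psycopg2", "host"),
    "mysql": ("mysql+pymysql", "unix_socket"),
}


def parse_credentials(raw: str) -> dict:
    """Parse the decrypted CMCREDENTIALS value; fail loudly on missing keys."""
    creds = json.loads(raw)
    missing = {"user", "password", "database"} - set(creds)
    if missing:
        raise ValueError(f"CMCREDENTIALS missing keys: {sorted(missing)}")
    return creds


def socket_path(env) -> str:
    """Where the proxy (locally) or Cloud Run (in production) exposes the socket."""
    return os.path.join(env["SQL_PROXY_PATH"], env["INSTANCE_NAME1"])


def build_database_url(env, dialect: str = "postgres") -> str:
    """Return a SQLAlchemy URL that connects over the Unix socket, not TCP.

    User and password are URL-encoded so characters such as '@' or '/' in a
    generated password do not break the URL; nothing is passed on a command line.
    """
    driver, query_key = _DIALECTS[dialect]
    creds = parse_credentials(env["CMCREDENTIALS"])
    user, password = quote_plus(creds["user"]), quote_plus(creds["password"])
    return f"{driver}://{user}:{password}@/{creds['database']}?{query_key}={socket_path(env)}"


def make_engine(env=os.environ, dialect: str = "postgres"):
    """Create the engine lazily so URL building stays testable without a database."""
    from sqlalchemy import create_engine
    return create_engine(build_database_url(env, dialect), pool_pre_ping=True)
```

Locally, pointing SQL_PROXY_PATH at the directory the proxy was started with (-dir) yields the same URL shape, so the same code runs under the test step and on Cloud Run.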
