Thank you for your detailed answer.
To connect via service account & cloudsqlproxy I am already using gcloud (`gcloud auth application-default login`). My user has owner rights in the project and I additionally assigned the Cloud SQL Client role.
That’s how I use it:
- `brew install google-cloud-sdk`
- `gcloud components install cloud_sql_proxy`
- `cloudsqlproxy …`
Due to your post I figured out that the latest version of cloudsqlproxy via gcloud components is 1.27.0, even after updating.
When installing via brew I get version 2.14.0 (I had to use `brew install cloud-sql-proxy` - no cask available anymore).
Sadly after updating and using the newest version of cloudsqlproxy the behavior is the same. It works for all other instances, not for the new one.
The cloud-sql-proxy logs are:
```
2024/10/25 08:19:49 Authorizing with Application Default Credentials
2024/10/25 08:19:50 [<project>:<region>:<instance-connection-name>] Listening on /Users/<myuser>/cloudsql/<project>:<region>:<instance-connection-name>
2024/10/25 08:19:50 The proxy has started successfully and is ready for new connections!
```
When I try to connect I get:
```Access denied for user 'root'@'cloudsqlproxy~<myip>' (using password: YES) (1045)```
The proxy then has additional log output:
```
2024/10/25 08:21:57 [<project>:<region>:<instance-connection-name>] Accepted connection from
2024/10/25 08:21:57 [<project>:<region>:<instance-connection-name>] instance closed the connection
```
**When I whitelist my IP, connecting with the exact same credentials (user/pw) and with the same approach (using cloudsqlproxy) works.**
In this case the cloudsqlproxy logs just show the first statement, without the `instance closed the connection` part:
```2024/10/25 08:34:38 [<project>:<region>:<instance-connection-name>] Accepted connection from```
> The default settings for new instances might have changed, tightening security by requiring explicit IP whitelisting.

That would be unexpected - I'm used to Google mentioning such changes in the docs/descriptions very early.
> Avoiding Public IP Dependencies
My production environment uses the private IP via VPC peering, but I still need the public IP for other reasons.
Key points:
- `gcloud components install cloud_sql_proxy` should be removed/fixed as it is out of date
- The issue has not been resolved by following the steps you mentioned