Changing Permissions of Google Container Engine Cluster

Question

I have been able to successfully create a Google Container Cluster in the developers console and have deployed my app to it. This all starts up fine, however I find that I can't connect to Cloud SQL, I get;

 "Error: Handshake inactivity timeout"

After a bit of digging, I hadn't had any trouble connecting to the Database from App Engine or my local machine so I thought this was a little strange. It was then I noticed the cluster permissions...

When I select my cluster I see the following;

  Permissions

User info           Disabled
Compute             Read Write
Storage             Read Only
Task queue          Disabled
BigQuery            Disabled
Cloud SQL           Disabled
Cloud Datastore     Disabled
Cloud Logging       Write Only
Cloud Platform      Disabled

I was really hoping to use both Cloud Storage and Cloud SQL in my Container Engine Nodes. I have allowed access to each of these API's in my project settings and my Cloud SQL instance is accepting connections from any IP (I've been running Node in a Managed VM on App Engine previously), so my thinking is that Google is Explicitly disabling these API's.

So my two part question is;

• Is there any way that I can modify these permissions?
• Is there any good reason why these API's are disabled? (I assume there must be)

Any help much appreciated!

Answer 1

The permissions are defined by the service accounts attached to your node VMs during cluster creation (service accounts can't be changed after a VM is instantiated, so this the only time you can pick the permissions).

If you use the cloud console, click the "More" link on the create cluster page and you will see a list of permissions that you can add to the nodes in your cluster (all defaulting to off). Toggle any on that you'd like and you should see the appropriate permissions after your cluster is created.

If you use the command line to create your cluster, pass the --scopes command to gcloud container clusters create to set the appropriate service account scopes on your node VMs.

Answer 2

Hmm, I've found a couple of things, that maybe would be interested:

1. Permissions belong to a service account (so-called Compute Engine default service account, looks like [email protected])

2. Any VM by default works using this service account. And its permissions do not let us Cloud SQL, buckets and so on. But...

3. But you can change this behavior using another service account with the right perms. Just create it manually and set only needed perms. Switch it out using gcloud auth activate-service-account --key-file=/new-service-account-cred.json

4. That's it.