When I try to enable a private IP on my Cloud SQL instance (PostgreSQL 9.6) I get the following error message:
Network association failed due to the following error: set Service Networking service account as servicenetworking.serviceAgent role on consumer project
I have a VPC which I select in the "Associated Network" dropdown, and I chose a managed services network too, which I have already set up, so in theory it should all work.
I cannot find anything under IAM that relates to the error message, either a service account or even the servicenetworking.serviceAgent permission.
Update: including the relevant Terraform snippets.
## VPC Setup

```hcl
resource "google_compute_network" "my_network" {
  project                 = "${var.project_id}"
  name                    = "vpc-play"
  auto_create_subnetworks = "false"
  routing_mode            = "REGIONAL"
}

# There is a bunch of subnets linked to this network which are not included here
```

## Managed services network

```hcl
resource "google_compute_global_address" "default" {
  name          = "google-managed-services-vpc-${var.project_id}"
  project       = "${var.project_id}"
  provider      = "google-beta"
  ip_version    = "IPV4"
  prefix_length = 16
  address_type  = "INTERNAL"
  purpose       = "VPC_PEERING"
  network       = "${google_compute_network.my_network.self_link}"
}
```

## Error occurs on this step

Error is: `google_service_networking_connection.private_vpc_connection: set Service Networking service account as servicenetworking.serviceAgent role on consumer project`

```hcl
resource "google_service_networking_connection" "private_vpc_connection" {
  provider                = "google-beta"
  network                 = "${google_compute_network.my_network.self_link}"
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = ["${google_compute_global_address.default.name}"]
}
```

## Database configuration

Omitted the private IP settings for now, as it doesn't even get to the creation of this; the error is in the previous step.

```hcl
resource "google_sql_database_instance" "my_db" {
  depends_on       = ["google_service_networking_connection.private_vpc_connection"]
  name             = "my_db"
  project          = "${var.project_id}"
  database_version = "POSTGRES_9_6"
  region           = "${var.region}"

  lifecycle {
    prevent_destroy = true
  }

  settings {
    tier = "db-f1-micro"

    backup_configuration {
      enabled    = true
      start_time = "02:00"
    }

    maintenance_window {
      day          = 1
      hour         = 3
      update_track = "stable"
    }

    ip_configuration {
      authorized_networks = [
        {
          name  = "office"
          value = "${var.my_ip}"
        },
      ]
    }

    disk_size         = 10
    availability_type = "ZONAL"

    location_preference {
      zone = "${var.zone}"
    }
  }
}
```
Private connections make services reachable without going through the internet or using external IP addresses. For this reason, private IP provides lower network latency than public IP. You use private services access to connect to Cloud SQL instances from internal sources with access to your VPC network.
This saved me, hence:

```shell
gcloud projects add-iam-policy-binding YOUR_HOST_PROJECT_NAME \
  --member=serviceAccount:service-HOST_PROJECT_ACCOUNT_NUMBER@service-networking.iam.gserviceaccount.com \
  --role=roles/servicenetworking.serviceAgent
```

https://thedataguy.in/cloudsql-shared-vpc-private-ip-and-servicenetworking.serviceagent-role/
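Since the question manages everything in Terraform, here is the same fix expressed declaratively so it is applied before the peering connection is created. This is an added example, not code from the question or the linked post; it assumes the question's variable names (`var.project_id`, `my_network`, `default`) and a single project that owns the VPC (for a shared VPC, point `project` at the host project, as the gcloud command above does). The resource names `current`, `servicenetworking` and `servicenetworking_agent` are arbitrary. Syntax follows the question's Terraform 0.11 style.

```hcl
# Look up the project number: the service agent's e-mail is built from the
# project NUMBER, not the project ID (assumption: var.project_id is the project
# that owns the VPC; use the host project for a shared VPC).
data "google_project" "current" {
  project_id = "${var.project_id}"
}

# The Service Networking service agent only exists once the API is enabled,
# so make that an explicit, ordered step.
resource "google_project_service" "servicenetworking" {
  project            = "${var.project_id}"
  service            = "servicenetworking.googleapis.com"
  disable_on_destroy = false
}

# Grant exactly the role the error message asks for, to the Google-managed
# service agent only (no user or application accounts need it).
resource "google_project_iam_member" "servicenetworking_agent" {
  project    = "${var.project_id}"
  role       = "roles/servicenetworking.serviceAgent"
  member     = "serviceAccount:service-${data.google_project.current.number}@service-networking.iam.gserviceaccount.com"
  depends_on = ["google_project_service.servicenetworking"]
}

# The question's connection resource, now ordered after the IAM binding so the
# "set Service Networking service account as servicenetworking.serviceAgent"
# error cannot occur on first apply.
resource "google_service_networking_connection" "private_vpc_connection" {
  provider                = "google-beta"
  network                 = "${google_compute_network.my_network.self_link}"
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = ["${google_compute_global_address.default.name}"]
  depends_on              = ["google_project_iam_member.servicenetworking_agent"]
}
```

`google_project_iam_member` is used rather than `google_project_iam_binding` or `google_project_iam_policy` so that this role grant is additive and does not overwrite other members already holding the role, or the rest of the project's IAM policy. After `terraform apply`, the binding can be confirmed with `gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" --filter="bindings.role:roles/servicenetworking.serviceAgent"`, which should list only the `service-PROJECT_NUMBER@service-networking.iam.gserviceaccount.com` account.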