1

I am looking to connect to a gcp managed db (running on GCP) via a cloud proxy (jump box with local port to connect to managed instance) with go-sql-driver but everything I've tried gcp MySQL instance is rejecting my login. i am able to connect, but when trying to query it returns an error.

this is the code I'm using (note it works if i have a "normal user/password", tested from gcp and local database):

package main

import (
    "database/sql"
    "fmt"
    "log"
    "os"

    "github.com/go-sql-driver/mysql"
    _ "github.com/go-sql-driver/mysql"
)

func connectTCPSocket() (*sql.DB, error) {
    mustGetenv := func(k string) string {
        v := os.Getenv(k)
        if v == "" {
            log.Fatalf("Fatal Error in connect_tcp.go: %s environment variable not set.", k)
        }
        return v
    }

    c := mysql.Config{
        User:   mustGetenv("DB_USER"),
        Passwd: mustGetenv("DB_PASS"),
        Net:    "tcp",
        Addr:   mustGetenv("INSTANCE_HOST") + ":" + mustGetenv("DB_PORT"),
        DBName: mustGetenv("DB_NAME"),
        ParseTime: true, // demo option
        AllowNativePasswords:    true,
        AllowOldPasswords:       true,
        AllowCleartextPasswords: true,
    }

    dbPool, err := sql.Open("mysql", c.FormatDSN())

    if err != nil {
        return nil, fmt.Errorf("sql.Open: %w", err)
    }

    // ...

    return dbPool, nil
}

func main() {
    fmt.Println("Starting")
    db, err := connectTCPSocket()

    if err != nil {
        log.Fatal(err)
    }
    // fmt.Println(db)

    rows, err2 := db.Query("Select field1 from table")
    if err2 != nil {
        log.Fatal(err2)
    }
}

when calling it i get Access denied for user ‘user’@‘ipaddress’ (using password: YES)

the auth token/password is from: gcloud sql generate-login-token command. and i have been able to use this in normal DB Utilities (intellij, dbbeaver, ect).

any suggestions on what i need to use to get it to work?

Edit to answer comments:

  1. using "gcloud compute ssh cloudsql-jump" not gcloud shell.
  2. gcloud compute ssh cloudsql-jump --project projectName --zone us-east4-c --internal-ip -- -L 1234:1.0.0.1:3306
  3. gcloud sql generate-login-token - for the auth token
  4. INSTANCE_HOST = localhost
  5. DB_PORT = 1234 (see #1 for jump box port forwarding)
  • from intellij using jdbc:mysql://localhost:1234 works with the auth token from #3.
  1. for code running, i see:
Starting
2025/03/27 06:42:47 Error 1045 (28000): Access denied for user 'user'@'10.0.0.1' (using password: YES)
Improve this question
4
  • see https://cloud.google.com/sql/docs/mysql/iam-logins Commented Mar 27 at 1:09
  • Your question is unclear and is not a minimal repro. Your Go code can be configured for both direct (to SQL) and proxied connections but, for example. INSTANCE_HOST and DB_PORT will usually (!) be localhost (127.0.0.1) and 3306 when proxied. Please include the commands that you're running and the output they're generating. Commented Mar 27 at 2:22
  • 1
    What does "i forward a port locally to gcp shell to connect" mean? Do you mean Cloud Shell? If you're port-forwarding to the proxy, this is ill-advised. Commented Mar 27 at 2:25
  • The tutorial may help. Commented Mar 27 at 2:27

1 Answer 1

Reset to default
0

Check if you are using MySQL 8.4. By default in Cloud SQL, Mysql 8.4 the caching_sha2_password auth plugin is the default. You may need to configure your go mysql client to use caching_sha2_password also.

It looks like you already found the article describing several ways to connect to a private-ip Cloud SQL instance. Just in case others find it useful also, here's the link: https://cloud.google.com/sql/docs/mysql/connect-to-instance-from-outside-vpc

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.