Permission denied when trying to query mysql with unix socket and credential file. #1403

Closed
fervbmx opened this issue Sep 12, 2022 · 6 comments · Fixed by #1405
Labels
priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

fervbmx commented Sep 12, 2022

We are upgrading to the latest version of the cloud-sql-proxy, but we can't get it to work right: when we try to query the MySQL instance we get the [SQLSTATE[HY000] [2002] Permission denied] error.

Bug Description

We use the latest version of cloud-sql-proxy installed like this:

go install github.com/GoogleCloudPlatform/cloud-sql-proxy/v2@latest

To start the instance we use a credential file; we also create a user with the 'cloudsqlproxy~%' hostname to allow connecting to the instance.

./cloud-sql-proxy -u /cloud-sql/ -c /cloud-sql-service-account PROJECT_NAME:us-central1:INSTANCE_NAME

We have a successful start like this:

2022/09/12 15:46:27 Authorizing with the credentials file at "/cloud-sql-service-account"
2022/09/12 15:46:28 [PROJECT_NAME:us-central1:INSTANCE_NAME] Listening on /cloud-sql/PROJECT_NAME:us-central1::INSTANCE_NAME
2022/09/12 15:46:28 The proxy has started successfully and is ready for new connections!

But when the application tries to query MySQL for any information using the unix socket, we get an error:

[2022-09-12 15:47:52] testing.ERROR: SQLSTATE[HY000] [2002] Permission denied (SQL: ...)

We tried with older cloud-sql-proxy versions and this problem doesn't happen, like:

go install github.com/GoogleCloudPlatform/cloudsql-proxy/cmd/cloud_sql_proxy@v1.31.2

Environment

  1. OS type and version: alpine-3.15
  2. Cloud SQL Proxy version (./cloud-sql-proxy --version): cloud-sql-proxy version 2.0.0-preview.1
@fervbmx fervbmx added the type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. label Sep 12, 2022
@enocom enocom added the priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. label Sep 12, 2022
Member

enocom commented Sep 12, 2022

Let me see if I can reproduce this and report back.

@enocom enocom added type: question Request for information or clarification. and removed type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Sep 12, 2022
Member

enocom commented Sep 12, 2022

In addition to our automated test (source), I tried to connect to my MySQL instance with application default credentials and with a credential file:

# in one shell with application default credentials
$ cloud-sql-proxy -u /cloudsql/ project:region:instance

# in another shell
$ mysql --version
mysql  Ver 15.1 Distrib 10.6.9-MariaDB, for debian-linux-gnu (x86_64) using  EditLine wrapper
$ mysql -S /cloudsql/project:region:instance --user=test-user test-db --password

and

# in one shell with a credential file
$ cloud-sql-proxy -u /cloudsql/ project:region:instance -c /my/secret/key.json

# in another shell
$ mysql -S /cloudsql/project:region:instance --user=test-user test-db --password

In both cases the connection worked. So, could you double check that your instance name is correct?

Author

fervbmx commented Sep 12, 2022

@enocom Yeah, the instance name is correct. We used the same configuration to reproduce this issue; we just changed the version of cloud-sql-proxy and the start command:

# For version v1.31.2:
cloud-sql-proxy -dir=/cloud-sql/ -instances=PROJECT_NAME:us-central1:INSTANCE_NAME -credential_file=/cloud-sql-service-account

# For version 2.0.0-preview.1:
cloud-sql-proxy -u /cloud-sql/ -c /cloud-sql-service-account PROJECT_NAME:us-central1:INSTANCE_NAME

Member

enocom commented Sep 12, 2022

What client are you using to query MySQL?

Author

fervbmx commented Sep 12, 2022

@enocom We use supervisor for the startup processes, and the main application process was started with a different user than the cloud-sql-proxy. The previous version creates the socket with write access permission for groups and others; the latest version doesn't do this:

# For version v1.31.2:
3280871      0 srwxrwxrwx    1 root     root   0 Sep 12 21:47 PROJECT_NAME:us-central1:INSTANCE_NAME

# For version 2.0.0-preview.1:
1449959      0 srwxr-xr-x    1 root     root   0 Sep 12 20:49 PROJECT_NAME:us-central1:INSTANCE_NAME

Member

enocom commented Sep 12, 2022

Yep that’s the problem. OK. I’ll fix it. Thanks for helping debug.

@enocom enocom added type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. and removed type: question Request for information or clarification. labels Sep 12, 2022
enocom added a commit that referenced this issue Sep 13, 2022
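
The listings in this thread show the v2 preview socket at `srwxr-xr-x` and the v1 socket at `srwxrwxrwx`. The following is an added example, not the proxy's own code or the fix from #1405: it reproduces the umask-derived mode on Linux and models why a client running as a different user is refused. The uid/gid values, the temp path and the group-scoped `0770` mode are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
)

// canConnect models the Linux check for connect() on a socket file: the caller
// needs the write bit of its class. Simplified: no supplementary groups.
func canConnect(perm os.FileMode, ownerUID, ownerGID, uid, gid uint32) bool {
	switch {
	case uid == 0:
		return true // root bypasses file permission checks
	case uid == ownerUID:
		return perm&0200 != 0
	case gid == ownerGID:
		return perm&0020 != 0
	}
	return perm&0002 != 0
}

// listenMode binds a Unix socket under umask 022 and returns its permission
// bits. A non-zero mode is applied with chmod after bind.
func listenMode(path string, mode os.FileMode) (os.FileMode, error) {
	defer syscall.Umask(syscall.Umask(022)) // restore the old umask on return
	l, err := net.Listen("unix", path)
	if err != nil {
		return 0, err
	}
	defer l.Close() // also unlinks the socket file
	if mode != 0 {
		if err := os.Chmod(path, mode); err != nil {
			return 0, err
		}
	}
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

func main() {
	p := fmt.Sprintf("%s/demo-%d.sock", os.TempDir(), os.Getpid()) // constructed path
	def, err := listenMode(p, 0)
	fmt.Println(def, err, canConnect(def, 0, 0, 1000, 1000))
}
```

A mode of `0777` admits every local user to the proxy's authenticated connection, while a shared group with `0770` limits it to the processes that need it.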