gce/WARN/2022_007

Compute Engine VM has the proper scope to connect using the Cloud SQL Admin API

Product: Compute Engine
Rule class: WARN - Something that is possibly wrong

Description

The service account used by Compute Engine VM should have permission (roles/cloudsql.client) to connect to the Cloud SQL using the Cloud SQL Admin API, otherwise connection won’t work.

Remediation

Configure the service account to have Cloud SQL Client (roles/cloudsql.client) permission and set the GCE VM the either of the following access scopes:

https://www.googleapis.com/auth/sqlservice.admin
https://www.googleapis.com/auth/cloud-platform

Further information

Cloud SQL admin API scopes
Cloud SQL roles and permissions