bigquery/WARN/2024_002

BigQuery external connection with Cloud SQL does not fail

Product: BigQuery
Rule class: WARN - Something that is possibly wrong

Description

When connecting with Cloud SQL external connection using bigquery the BigQuery Connection Service Agent is automatically created and given an IAM role as Cloud SQL client. If the role doesn’t exists, query over the associated data source connection fails.

Remediation

Ensure that valid credentials were used and all prerequisites were followed to create the connection for Cloud SQL. Check if the service account that is automatically created when a connection to Cloud SQL is created has the Cloud SQL Client (roles/cloudsql.client) role. The service account is of the following format: service-PROJECT_NUMBER@gcp-sa-bigqueryconnection.iam.gserviceaccount.com

Further information

[1] https://cloud.google.com/bigquery/docs/cloud-sql-federated-queries#troubleshooting [2] https://cloud.google.com/bigquery/docs/connect-to-sql#access-sql