gcp sql proxy sql auth proxy - ghdrako/doc_snipets GitHub Wiki

https://github.com/GoogleCloudPlatform/cloud-sql-proxy

When the proxy authenticates under the Compute Engine VM's default service account, the VM must have at least the sqlservice.admin API scope (i.e., "https://www.googleapis.com/auth/sqlservice.admin") and the associated project must have the SQL Admin API enabled. The default service account must also have at least writer or editor privileges to any projects of target SQL instances.

The proxy also supports three flags related to credentials:

--token to use an OAuth2 token
--credentials-file to use a service account key file
--gcloud-auth to use the gcloud user's credentials (local development only)

If you are connecting from Compute Engine, make sure your VM has the proper scope to connect using the Cloud SQL Admin API.

Configure the service account to have either of the following access scopes:

https://www.googleapis.com/auth/sqlservice.admin
https://www.googleapis.com/auth/cloud-platform

Firewall rule

While the Cloud SQL Auth proxy can listen on any port, it creates outgoing or egress connections to your Cloud SQL instance only on port 3307. Because Cloud SQL Auth proxy calls APIs through the domain name sqladmin.googleapis.com, which does not have a fixed IP address, all egress TCP connections on port 443 must be allowed. If your client machine has an outbound firewall policy, make sure it allows outgoing connections to port 3307 on your Cloud SQL instance's IP.
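The scope requirement above and the egress rules in this section are the two things that most often break a fresh proxy deployment, so a pre-flight check script is worth having. The following is an added example, not code from the cloud-sql-proxy project: it reads the VM's default service account scopes from the GCE metadata server, confirms that one of the two accepted scopes is present, and probes outbound TCP to sqladmin.googleapis.com:443 and to the instance IP on 3307. It assumes bash (for `/dev/tcp`), curl and coreutils `timeout`; the instance IP and connection name in the usage line are placeholders.

```shell
#!/usr/bin/env bash
# Pre-flight checks before starting the Cloud SQL Auth Proxy on a Compute Engine VM.
# Added example, not part of the proxy project. Assumes bash, curl and coreutils timeout;
# the live metadata lookup only works on a GCE VM.

# Either of these scopes on the VM's default service account satisfies the proxy.
REQUIRED_SCOPES="https://www.googleapis.com/auth/sqlservice.admin https://www.googleapis.com/auth/cloud-platform"

# has_required_scope SCOPE_LIST
# SCOPE_LIST is a whitespace- or newline-separated list of granted scopes, in the
# form the metadata server returns them. Returns 0 if at least one required scope is present.
has_required_scope() {
  local granted="$1" s g
  for s in $REQUIRED_SCOPES; do
    for g in $granted; do
      [ "$g" = "$s" ] && return 0
    done
  done
  return 1
}

# vm_scopes: fetch the default service account's scopes from the GCE metadata server.
# Prints nothing (and fails) when not running on a Compute Engine VM.
vm_scopes() {
  curl -sf -H 'Metadata-Flavor: Google' \
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes' 2>/dev/null
}

# tcp_open HOST PORT: 0 if an outbound TCP connection can be opened within 5 seconds.
# Covers the two egress paths the proxy needs: 443 to sqladmin.googleapis.com (API calls)
# and 3307 to the Cloud SQL instance IP (the actual database tunnel).
tcp_open() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# preflight INSTANCE_IP: run all checks; returns non-zero if any of them fail.
preflight() {
  local instance_ip="$1" rc=0
  if has_required_scope "$(vm_scopes)"; then
    echo "scope: ok"
  else
    echo "scope: VM service account lacks sqlservice.admin and cloud-platform" >&2
    rc=1
  fi
  if tcp_open sqladmin.googleapis.com 443; then
    echo "egress 443 to sqladmin.googleapis.com: ok"
  else
    echo "egress 443 to sqladmin.googleapis.com: blocked" >&2
    rc=1
  fi
  if tcp_open "$instance_ip" 3307; then
    echo "egress 3307 to $instance_ip: ok"
  else
    echo "egress 3307 to $instance_ip: blocked" >&2
    rc=1
  fi
  return $rc
}

# Usage on the VM (203.0.113.10 and INSTANCE_CONNECTION_NAME are placeholders):
# preflight 203.0.113.10 && ./cloud-sql-proxy --credentials-file=key.json INSTANCE_CONNECTION_NAME
```

If the scope check fails, the fix is on the VM, not in the proxy flags: scopes are fixed at instance creation (or change them while the VM is stopped), or pass `--credentials-file` / `--token` so the proxy does not rely on the VM's default identity at all. A blocked 3307 with a working 443 points at the client-side egress policy described above rather than at IAM.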