This page discusses some of the error messages encountered in Cloud SQL.
Overview
Error messages in Cloud SQL come from many sources and appear in many places. Some error messages come from the database engines themselves, some from the Cloud SQL service, some from client applications, and some are returned by calls to the Cloud SQL Admin API.
This page includes some of the most common errors seen in Cloud SQL. If you do not find the error code or message you are looking for here, you can look for source reference material here:
If you don't find the reference material for the error message that you're seeing, you can also search in some of these places where other users may have relevant experience:
- Cloud SQL questions on Stack Overflow
- Public issue tracker for Cloud SQL
- DBA Stack Exchange
- Cloud SQL discuss group
- Google Cloud Slack community
- Google Cloud on Reddit
Operational errors
- The username (or password) is incorrect.
- The user is connecting from a URL other than @XXX.
- The user doesn't have the correct privileges for the database they're trying to connect to.
Try these things ...
- Verify the username and corresponding password.
- Check the origin of the connection to see if it matches the URL where the user has access privileges.
- Check the user's grant privileges in the database.
You need to modify the private connection. Use the following command, and make sure to use the --force argument:

    gcloud services vpc-peerings update \
        --network=VPC_NETWORK \
        --ranges=ALLOCATED_RANGES \
        --service=servicenetworking.googleapis.com \
        --force
Illegal Argument is one of the most common. In this case, the request is using either the wrong argument or an invalid value for the argument. For the many other causes, the error message might contain a useful hint. For Illegal Argument, check the request to make sure each argument is permissible and each value for the argument is valid. For all other causes, check the log files to see if there is more information there.
You need to modify the private connection. Use the following command, and make sure to use the --force argument:

    gcloud services vpc-peerings update \
        --network=VPC_NETWORK \
        --ranges=ALLOCATED_RANGES \
        --service=servicenetworking.googleapis.com \
        --force
If you're trying to perform an export and Cloud Storage doesn't receive any data within a certain time frame, then the connection resets.
Try a manual export using pg_dump.
Authorized Networks configuration. Authorized Networks are configured for public IP addresses in the Connectivity section of the Google Cloud console, and cloning isn't permitted due to security considerations. Remove all Authorized Networks entries from the Cloud SQL instance if you can. Otherwise, create a replica without any Authorized Networks entries.
user does not exist. gcloud sql connect --user only works with the default postgres user. Connect with the default user and then change users.
Edit the primary instance to upgrade it to a larger disk size.
Couldn't find free blocks in allocated IP ranges. Please allocate new ranges for this service provider.
There are no more available addresses in the allocated IP range.
Consider these possible scenarios:
- The size of the allocated IP range for the private service connection is smaller than /24.
- The size of the allocated IP range for the private service connection is too small for the number of Cloud SQL instances.
- The requirement on the size of the allocated IP range will be larger if instances are created in multiple regions. See allocated range size.
For each of the above scenarios, you can elect to either expand the existing IP range or allocate an additional IP range to the private service connection.
If you're allocating a new range, take care to not create an allocation that overlaps with any existing allocations.
After creating a new IP range, update the VPC peering with the following command:

    gcloud services vpc-peerings update \
        --service=servicenetworking.googleapis.com \
        --ranges=OLD_RESERVED_RANGE_NAME,NEW_RESERVED_RANGE_NAME \
        --network=VPC_NETWORK \
        --project=PROJECT_ID \
        --force

If you're expanding an existing allocation, take care to only increase the allocation range and not decrease it. For example, if the original allocation was 10.0.10.0/24, make the new allocation at least 10.0.10.0/23.
In general, if starting from a /24 allocation, decrementing the /mask by 1 for each condition (additional instance type group, additional region) is a good rule of thumb. For example, if trying to create both instance type groups on the same allocation, going from /24 to /23 is enough.
After expanding an existing IP range, update the VPC peering with the following command:

    gcloud services vpc-peerings update \
        --service=servicenetworking.googleapis.com \
        --ranges=RESERVED_RANGE_NAME \
        --network=VPC_NETWORK \
        --project=PROJECT_ID \
        --force
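
The overlap and expansion rules above can be checked before running the update command. The following Python sketch is an added example, not part of the original page or of gcloud; the function names and the sample CIDR ranges are constructed for illustration.

```python
import ipaddress


def check_new_range(candidate, existing):
    """Return problems with allocating `candidate` next to `existing` ranges."""
    try:
        cand = ipaddress.ip_network(candidate)  # strict: host bits are an error
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    problems = []
    if cand.prefixlen > 24:
        problems.append(f"{cand} is smaller than /24")
    clashes = [e for e in existing if cand.overlaps(ipaddress.ip_network(e))]
    if clashes:
        problems.append(f"{cand} overlaps {', '.join(clashes)}")
    return problems


def check_expansion(original, expanded, others=()):
    """Return problems with growing `original` into `expanded`."""
    old = ipaddress.ip_network(original)
    try:
        new = ipaddress.ip_network(expanded)
    except ValueError as exc:
        # e.g. 10.0.10.0/22: a /22 must start on a multiple of 4 (10.0.8.0)
        return [f"not a valid network: {exc}"]
    problems = []
    if new == old or not old.subnet_of(new):
        problems.append(f"{new} does not strictly contain {old}")
    clashes = [o for o in others if new.overlaps(ipaddress.ip_network(o))]
    if clashes:
        problems.append(f"{new} overlaps {', '.join(clashes)}")
    return problems


if __name__ == "__main__":
    # Constructed sample allocations, not taken from any real project.
    existing = ["10.0.10.0/24", "10.0.12.0/24"]
    print(check_new_range("10.0.20.0/24", existing))
    print(check_new_range("10.0.10.128/25", existing))
    print(check_expansion("10.0.10.0/24", "10.0.10.0/23", ["10.0.12.0/24"]))
    print(check_expansion("10.0.10.0/24", "10.0.8.0/21", ["10.0.12.0/24"]))
    print(check_expansion("10.0.10.0/24", "10.0.10.0/22", ["10.0.12.0/24"]))
```

An empty list means the range passes these checks; the last call shows that widening the mask can move the network's base address, which the strict parser reports as an error.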
Connecting from Cloud Shell to an instance with only a private IP address isn't currently supported.
To repair service permissions, disable the Service Networking API, wait five minutes and then re-enable it.
Service Networking API isn't enabled in the project. Enable the Service Networking API in your project. If you see this error when you're trying to assign a private IP address to a Cloud SQL instance, and you're using a Shared VPC, you also need to enable the Service Networking API for the host project.
Service Networking API isn't enabled in the project. Enable the Service Networking API in your project. If you see this error when you're trying to assign a private IP address to a Cloud SQL instance, and you're using a Shared VPC, you also need to enable the Service Networking API for the host project.
Wait for the previous operation to finish before beginning another.
instances.restoreBackup, and it means that you cannot restore from backup to an instance with a storage size (XX GB) smaller than the backup size (YY GB). Edit the target instance to increase its storage size.
postgres is created but not the password. You need to set a password for this user before the user can log in.
Request an increase to your quotas from the Google Cloud console.
Increase the value of the max_connections flag. See Configuring database flags.
Verify that you have a valid service account key JSON file in the location stored in the GOOGLE_APPLICATION_CREDENTIALS environment variable and that the variable points to the correct location.
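
One way to run that verification locally, as an added Python example that is not part of the original page or of any Google client library. The function name is hypothetical, and the group/other permission check is an extra hardening assumption of this example rather than something the page requires.

```python
import json
import os
import stat

# Fields present in a service account key file downloaded as JSON.
REQUIRED_FIELDS = ("project_id", "private_key_id", "private_key",
                   "client_email", "token_uri")


def check_credentials_file(environ=None):
    """Return problems with the file GOOGLE_APPLICATION_CREDENTIALS points to."""
    environ = os.environ if environ is None else environ
    path = environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return ["GOOGLE_APPLICATION_CREDENTIALS is not set"]
    if not os.path.isfile(path):
        return [f"{path} does not exist or is not a regular file"]
    try:
        with open(path, encoding="utf-8") as handle:
            key = json.load(handle)
    except (OSError, ValueError) as exc:
        return [f"{path} cannot be read as JSON: {exc}"]
    if not isinstance(key, dict):
        return [f"{path} does not contain a JSON object"]
    problems = []
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    missing = [name for name in REQUIRED_FIELDS if not key.get(name)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    # Added hardening check (assumption of this example): the private key
    # should not be accessible to group or other users on the host.
    mode = os.stat(path).st_mode
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is accessible to group or others")
    return problems


if __name__ == "__main__":
    for problem in check_credentials_file() or ["no problems found"]:
        print(problem)
```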
Create a new server certificate and rotate.
- The user might not have all the Cloud Storage permissions it needs.
- The database table might not exist.
Try these things ...
- Check that you have at least WRITER permissions on the bucket and READER permissions on the export file. For more information on configuring access control in Cloud Storage, see Create and Manage Access Control Lists.
- Ensure the table exists. If the table does exist, confirm that you have the correct permissions on the storage bucket.
The dump transaction can fail if you use the following statements during the export operation:
- ALTER TABLE
- CREATE TABLE
- DROP TABLE
- RENAME TABLE
- TRUNCATE TABLE
Remove any of these statements from the dump operation.
temp_file_limit flag is set too low for your database usage. Increase the temp_file_limit size. See Configuring database flags.
Use the CSV format and run multiple, smaller export jobs to reduce the size and length of each operation.
max_connections flag value too high can cause this error. This can also be caused by enabling a flag out of sequence. Lower the max_connections flag value, or contact customer support to request a flag removal followed by a hard drain. This forces the instance to restart on a different host with a fresh configuration, without the flag or setting.
- At the database level, the database user must exist and its password match.
- At the project level, the user might not have the correct IAM permissions, including the serviceusage.services.use or cloudsql.instances.connect permissions.
- At the network level, if the Cloud SQL instance is using public IP the connection's source IP must be in an authorized network.
Try these things ...
- Ensure the user exists and its password matches.
- Assign the Service Usage Consumer role to the user account. This role includes the permission serviceusage.services.use.
- If using public IP, ensure the source IP is in an authorized network.
Until fixed, see this discussion on GitHub, which includes a workaround.
Unknown errors
The following table shows some known cases where an Unknown Error can occur, and lists specific remedies where applicable. However, this is not a complete list. If you don't find your case in the table, check with the public issue tracker for Cloud SQL. If you don't find the issue there, consider submitting a report, or reviewing other support options.
- This can occur when you are trying to re-use the same name as a recently-deleted instance.
- It can also be caused by intermittent connectivity issues.
- The logs might show that the Service Networking API is not enabled for the project.
- The error has also been seen when trying to create multiple instances in parallel. For example, Terraform scripts make this attempt possible.
- Another cause can be that a specific resource is exhausted or a quota limit has been exceeded. Look in the logs for an entry like: Quota 'INTERNAL_FORWARDING_RULES_WITH_TARGET_INSTANCE_PER_NETWORK' exceeded. Limit: 100.0 globally
- This error can occur if subnet creation fails when there are no more available addresses in the IP range.
- Instance names cannot be re-used until about a week after deletion.
- In the case of intermittent connectivity issues, the only remedy is to try again.
- Enable the Service Networking API for the project.
- Parallel instance creation scripts will only succeed in creating one of the instances. Modify the script to wait until each instance create operation is complete before continuing to the next one.
- Allocate new ranges.
If the error is "set Service Networking service account as servicenetworking.serviceAgent role on consumer project", disable and re-enable the Service Networking API. This action creates the service account necessary to continue with the process.
If the error is "The instance creation failed due to a permission error with the CMEK key defined", review the key settings and location.
Cloud SQL also uses some third-party binaries (for example, mysqld), which can generate unknown error messages. Such errors are internal to the third-party binaries and are outside the scope of Cloud SQL. However, sometimes a more specific error can be found in the Cloud SQL log files at around the same time.
Also, sometimes it is an error code that is unknown. In this case, the complete message can be Unknown Error Code.
Last updated 2024-07-19 UTC.