Troubleshoot AlloyDB Auth Proxy connections

This page lists troubleshooting tips in case you run into problems using the AlloyDB Auth Proxy.

If you are having trouble connecting to your AlloyDB instance using the AlloyDB Auth Proxy, here are a few things to try to find what's causing the problem.

  • Check the AlloyDB Auth Proxy output carefully and look for errors. Often, the error messages provide the information you need determine the source of the problem and how to solve it.

  • If you are getting a 403 Forbidden error, and you are using a service account to authenticate the AlloyDB Auth Proxy, make sure the service account has the correct permissions.

    The predefined AlloyDB roles that provide these permissions are Cloud AlloyDB Client (roles/alloydb.client) and Cloud AlloyDB Admin (roles/alloydb.admin). In addition, you must add the Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) role.

  • Make sure to enable the AlloyDB Admin API.

    If it is not enabled, you see output like Error 403: Access Not Configured in your AlloyDB Auth Proxy logs.

  • If you are connecting using UNIX sockets, confirm that the sockets were created by listing the directory you provided when you started the AlloyDB Auth Proxy.

  • If you have an outbound firewall policy, make sure it allows connections to port 5433 on the target AlloyDB instance.

  • Quota issues: If you see errors related to quotas being exceeded, either identify the source of the quota problem (for example, an application is misusing the connector and unnecessarily creating new connections) or contact support to request an increase to the AlloyDB Admin API quota.

  • If you get a 400 Bad Request response with an error message containing reauth related error, refresh your gcloud application default credentials:

    gcloud auth application-default login

    For more information, see How Application Default Credentials works.