No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

It's worth testing with the credentials file in k8s, so you know your networking is working.

I think the 'connect' log you're seeing is actually the api for fetching a certificate, not an actual db connection.
<https://cloud.google.com/sql/docs/mysql/admin-api/rest#rest-resource:-v1.connect|https://cloud.google.com/sql/docs/mysql/admin-api/rest#rest-resource:-v1.connect>

Good news is, that means your workload identity is working :)

Thanks Anthony, I'll give that a go :slightly_smiling_face:

You're right about the connect log too, I saw further down it has

```request: {
  @type: "<http://type.googleapis.com/google.cloud.sql.v1.GenerateEphemeralCertRequest|type.googleapis.com/google.cloud.sql.v1.GenerateEphemeralCertRequest>"
...
}```

*Update:*
I updated the Job code, hardcoding JSON Service Account credentials to verify that what works locally isn't working in GKE (it still didn't work in GKE).

I then stripped back the cluster configuration to the bare essentials and removed the cluster network / subnet setup.

Once I did this, the job connected to CloudSQL :slightly_smiling_face:

So, I guess I'll have to do some reading up on networks / cluster configs. For now I'm happy that I can talk to the DB!

Glad you managed to narrow it down.

I've got to do all this for my clusters soon. Absolutely dreading it, all the network configs are currently commented out :rolling_on_the_floor_laughing:

Hoping this will help: <https://cloud.google.com/network-intelligence-center/docs/connectivity-tests/concepts/overview|https://cloud.google.com/network-intelligence-center/docs/connectivity-tests/concepts/overview>