Troubleshooting

Troubleshooting Google Cloud SQL

Cloud SQL-specific issues: cloudsql.* flags, IAM service account, private IP.

cloudsql.enable_* flag added but extension still missing

Setting cloudsql.enable_pg_cron=on (or any similar flag) requires an instance restart before the extension is available. Cloud SQL handles the restart automatically when you save the flag, but the restart can take 1-5 minutes. CREATE EXTENSION won't work during that window. If the flag is saved but you're still getting "extension not available", give it a few minutes and retry.

Service account permission denied on logs

The service account MonPG uses needs both:

  • roles/logging.viewer at the project level (or roles/logging.viewAccessor on a specific log bucket).
  • roles/cloudsql.viewer at the project or instance level so we can describe the instance.

Missing the second one is the more common silent failure — logs work but instance metadata is wrong.

Private IP only — hosted fleet can't reach

Cloud SQL with private IP is only reachable from within the same VPC. Our hosted fleet runs in Azure, so it can't reach a GCP private IP directly. Two options. Add a public IP to the instance and restrict it to MonPG's egress range — keeps you on hosted but exposes a public surface (locked down). Or switch to agent mode and run the agent inside your GCP VPC, which keeps your DB private.

Most security-conscious teams pick agent. The "public IP with allowlist" option is fine if your security review is OK with it.

Cloud SQL Auth Proxy

If you use the Auth Proxy in your application stack, you don't need it for MonPG. The collector connects directly via TCP/TLS like any regular client. Keep the proxy for your app where IAM-based connection makes sense; MonPG uses standard libpq connections.

auto_explain on Cloud SQL

The path is slightly different from self-hosted because of how Cloud SQL handles SPL. Set the cloudsql.enable_auto_explain flag — Cloud SQL pre-loads auto_explain via this flag rather than via direct SPL editing. Restart the instance. Then the auto_explain.log_* parameters can be set as regular flags. Logs go to Cloud Logging, which MonPG reads for plan capture.