I have a service in Cloud Run in project x that needs to access a VM instance, which I am allowing access to using a serverless VPC connector (created in a host project). My problem, while following this guide, is that there appears to be a permission issue when deploying a new revision in Cloud Run (running in a service project):

    Please ensure the project's service agent has the permission [vpcaccess.connectors.use] for action Connect on resource projects/.../connector
It is very important to closely read the documentation found here, specifically this portion:

    On the host project, grant principals who deploy Cloud Run services the Serverless VPC Access Viewer (vpcaccess.viewer) role.
    - Open the IAM page.
    - Click the project dropdown menu and select the host project.
    - Click Add.
    - In the New principals field, enter the email address of the principal that should be able to see the connector from the service project. You can enter multiple emails in this field.
    - In the Role field, select Serverless VPC Access Viewer.
Looking back at the error message, it seems to suggest that the Cloud Run service account is having trouble accessing the VPC connector in the host project. So, by adding the Cloud Run service account from the service project in the host project's IAM page with the Serverless VPC Access Viewer permission, Cloud Run's service account was able to access the connector in an outside project, and I was able to successfully re-deploy Cloud Run using the serverless shared VPC connector.
Note that once you add this permission, in the IAM page the name should say something like "Google Cloud Run Service Agent for Project SERVICE-PROJECT-ID".
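The same grant done from the command line, as an added example that is not part of the answer above. It assumes the standard Cloud Run service agent address (`service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com`, keyed by the service project's number, not its id) and defaults to the role the answer used, `roles/vpcaccess.viewer`; the project ids and numbers are placeholders. The permission named in the error, `vpcaccess.connectors.use`, is part of `roles/vpcaccess.user`, so the role is left as a parameter in case the Viewer role alone does not clear the error in your host project. `DRY_RUN` defaults to 1 so the script only prints the `gcloud` commands until you set it to 0.

```shell
#!/bin/sh
# Added example (not from the original post): grant the service project's
# Cloud Run service agent a Serverless VPC Access role on the HOST project,
# then read the binding back. All ids/numbers below are placeholders.

# Cloud Run's service agent is addressed by the project NUMBER, not the project id.
cloud_run_service_agent() {
  project_number="$1"
  echo "serviceAccount:service-${project_number}@serverless-robot-prod.iam.gserviceaccount.com"
}

# Resolve a project id to its number (needs gcloud; not used in dry-run mode).
project_number_of() {
  gcloud projects describe "$1" --format='value(projectNumber)'
}

# Add the IAM binding on the host project. DRY_RUN=1 prints the command instead.
grant_connector_access() {
  host_project="$1"
  member="$2"
  role="${3:-roles/vpcaccess.viewer}"   # role used in the answer; roles/vpcaccess.user holds vpcaccess.connectors.use
  cmd="gcloud projects add-iam-policy-binding ${host_project} --member=${member} --role=${role}"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$cmd"
  else
    $cmd
  fi
}

# List the roles one member holds on the host project, to verify the grant afterwards.
show_member_roles() {
  host_project="$1"
  member="$2"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "gcloud projects get-iam-policy ${host_project} --flatten=bindings[].members --filter=bindings.members:${member} --format=value(bindings.role)"
  else
    gcloud projects get-iam-policy "$host_project" \
      --flatten='bindings[].members' \
      --filter="bindings.members:${member}" \
      --format='value(bindings.role)'
  fi
}

# Stand-alone demonstration with placeholder values; nothing is changed unless DRY_RUN=0.
DRY_RUN="${DRY_RUN:-1}"
SERVICE_PROJECT_NUMBER="123456789012"   # placeholder: number of the project running Cloud Run
HOST_PROJECT_ID="host-project-id"       # placeholder: project that owns the connector
AGENT="$(cloud_run_service_agent "$SERVICE_PROJECT_NUMBER")"
grant_connector_access "$HOST_PROJECT_ID" "$AGENT"
show_member_roles "$HOST_PROJECT_ID" "$AGENT"
```

After running with `DRY_RUN=0`, the read-back command should list the granted role for the service agent, and the IAM page should show the "Google Cloud Run Service Agent for Project SERVICE-PROJECT-ID" entry the answer mentions.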