Tags: google-cloud-platform, permissions, google-cloud-sql, google-cloud-run

Cloud Run: Connecting to a CloudSQL database on another GCP Project


I am having trouble connecting my [Project A] Cloud Run instance to a [Project B] Cloud SQL instance.

I already set up the service account permissions as described in this article: https://cloud.google.com/sql/docs/mysql/connect-run

The steps are as follows:

  • I created a service account on [Project B] that has Cloud SQL Admin and Cloud SQL Client permissions.
  • I created a service account on [Project A] for the Cloud Run instance; this account has a user role on the service account for [Project B].

Both projects have the Cloud SQL Admin API active, and if I build the same Cloud Run instance on [Project B] it connects without any hitches, so I imagine this is a permission issue.

The error I get on the logs from [Project A] Cloud Run is: googleapi: Error 403: The client is not authorized to make this request., notAuthorized


Solution

  • I replicated your error and managed to fix it without manually creating a service account on project A (Cloud Run) or project B (Cloud SQL).

    When you deploy a service in Cloud Run, it uses the default Compute Engine service account, which looks like this: project-number-compute@developer.gserviceaccount.com.

    Then I opened the Cloud IAM page on project B, where the Cloud SQL instance is located, and granted the service account from project A (Cloud Run) the Cloud SQL Client or Cloud SQL Admin role.

    Sample screenshot of the project B Cloud IAM page where I grant the role to the project-number-compute@developer.gserviceaccount.com service account from Cloud Run: [screenshot]

    You can also see which service account your Cloud Run service uses under the Revisions tab -> Security tab.
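The same fix as a command-line procedure, added here as an example rather than taken from the answer above or from Google's documentation. It assumes placeholder project IDs, a placeholder project number, region, instance and service name; replace them before running. Two details matter for the cross-project case: the default runtime identity is named after project A's numeric project number, not its project ID, and the instance connection name handed to Cloud Run must name project B. The setup described in the question (a service account in project B with project A's account as a user of it) does not help on its own, because the Cloud SQL connector authenticates as the Cloud Run service's own runtime service account, so that identity is what needs the role in project B. The script uses roles/cloudsql.client, which is all the connector needs to open a connection; Cloud SQL Admin also works, as the answer notes, but it would let a compromised service delete or reconfigure the instance.

```shell
#!/usr/bin/env sh
# Added example (not from the original answer): grant a Cloud Run service's
# runtime service account in project A access to a Cloud SQL instance in
# project B, attach the instance, then verify the IAM binding.
# All values below are placeholders (assumptions), not real resources.
set -eu

PROJECT_A="project-a"            # project that hosts the Cloud Run service
PROJECT_A_NUMBER="123456789012"  # project A's NUMERIC project number
PROJECT_B="project-b"            # project that hosts the Cloud SQL instance
REGION="us-central1"             # region of the Cloud SQL instance
INSTANCE="my-sql-instance"       # Cloud SQL instance name
SERVICE="my-service"             # Cloud Run service name

# Cloud Run uses the default Compute Engine service account unless a custom
# one was chosen at deploy time. Its address is derived from the project
# number, which is why a binding on "project-a@..." would never match.
runtime_sa() {
  printf 'serviceAccount:%s-compute@developer.gserviceaccount.com\n' "$1"
}

# Least privilege: roles/cloudsql.client is sufficient for the Cloud SQL
# connector to open connections. The binding is made in project B's policy.
bind_cmd() {
  printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=roles/cloudsql.client\n' \
    "$1" "$2"
}

# Instance connection name in PROJECT:REGION:INSTANCE form; it must name the
# project that owns the instance (B), even though the service runs in A.
connection_name() {
  printf '%s:%s:%s\n' "$1" "$2" "$3"
}

# List the roles project B has granted the runtime identity, so a 403
# "not authorized" can be checked against the actual policy.
verify_cmd() {
  printf "gcloud projects get-iam-policy %s --flatten='bindings[].members' --filter='bindings.members:%s' --format='value(bindings.role)'\n" \
    "$1" "$2"
}

main() {
  sa=$(runtime_sa "$PROJECT_A_NUMBER")
  echo "# 1. In project B, grant project A's runtime identity Cloud SQL Client:"
  bind_cmd "$PROJECT_B" "$sa"
  echo "# 2. Attach the project B instance to the project A service:"
  printf 'gcloud run services update %s --project=%s --region=%s --add-cloudsql-instances=%s\n' \
    "$SERVICE" "$PROJECT_A" "$REGION" "$(connection_name "$PROJECT_B" "$REGION" "$INSTANCE")"
  echo "# 3. Confirm the binding (expect roles/cloudsql.client in the output):"
  verify_cmd "$PROJECT_B" "$sa"
}

# Prints the commands; pipe the output into sh once the placeholders are
# filled in, or paste them one at a time.
main
```

The Cloud SQL Admin API also has to be enabled in project B, as it already is in the question's setup, and if the service was deployed with a custom `--service-account`, substitute that address for the default one when building the binding.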