What are the IAM permissions required for an App engine service account to connect with a CloudSQL with Private IP?

Question

1. I created a CloudSQL instance with Private IP in the us-central1 region.
2. The cloud SQL instance is accessible for a Compute Engine VM.
3. I created a serverless VPC connector in the us-central1 region.
4. I deployed a cloud-run app with a serverless VPC connector that was able to connect to the CloudSQL instance successfully.
5. I deployed the same docker container in my App engine. Now I experienced a Cloud SQL connection timeout error.

The service account used by my App engine has the following permission:

• Artifact registry reader
• Logs Writer

App Engine deployment config file (app.yaml)

service: demo-app
runtime: custom
env: flex

manual_scaling:
  instances: 1
resources:
  cpu: 1
  memory_gb: 0.5
  disk_size_gb: 10

vpc_access_connector:
  name: projects/<PROJECT_ID>/locations/<REGION>/connectors/sample-connector

service_account: app-engine@<PROJECT_ID>.iam.gserviceaccount.com

Answer 1

Because you use App Engine Flex, you have to specify the network in your configuration. The VPC access connector has no effect here.

If you set correctly the network, the same as your Cloud SQL instance is connected, simply use the Cloud SQL private IP and directly access to your database.