I have a shared VPC with a cloudSQL instance in it. In that host project I also have a serverless vpc connector, with id vpc-serverless-connector. It has 10.8.0.0/28 as ip range. I'm deploying my cloud functions with firebase deploy, a patched version (see https://github.com/firebase/firebase-functions/issues/552) where I set up the VPCConnector following this format:
vpcConnector:'projects/MY_HOST_PROJECT_ID/locations/MY_REGION/connectors/vpc-serverless-connector'
The functions are deployed in another project in the same region MY_REGION. That project has been given access to the sharedVPC.
When I deploy, I always get that error:
Missing necessary permission vpcaccess.connector.use for serviceAccount:[email protected] on project MY_PROJECT.
Please grant serviceAccount:[email protected] the roles/viewer role.
You can do that by running 'gcloud projects add-iam-policy-binding MY_PROJECT --member=serviceAccount:[email protected] --role=roles/viewer'
I ran that command multiple times, I checked to be sure and the gcf-admin-robot iam serviceAccount in my firebase related project has all the necessary roles. It currently has: Viewer Serverless, VPC Access Admin Serverless, VPC Access User Serverless, VPC Access Viewer
So what's happening? What am I missing? I can't seem to be able to make that work. My goal is to be able to access the cloudSQL instance in my host-project of my shared-vpc from my firebase cloud functions in another project.
Note: I also tried deploying cloud functions directly without firebase and get the same error. So firebase should not be the issue here.
service-MY_SERVICEID-> the projectID of the function? what isMY_PROJECT-> the host project? Could you try to add when you talk about HOST project or attached project? - guillaume blaquiere655201204748is the project number. I guess the host project, right? - guillaume blaquiere