I have an Angular SSR project deployed to Firebase App Hosting. The project includes an Express server.

From my Express server code, I'm trying to authenticate to ADC to initialize a pub/sub client. I've installed and imported @Google-cloud/pubsub.

import { PubSub } from "@google-cloud/pubsub";
const pubSubClient = new PubSub({ projectId: "main-project" });

Note that the this App Hosting project is in a separate Google cloud project, called e.g. "sub-project".

The server runs fine without this PubSub initialization code, and the only intelligible error i see when i run the server is "Sorry, we cannot connect to Cloud Services without a project".

On local, I've installed gcloud, set the gcloud project to "main-project", and set the local GOOGLE_APPLICATION_CREDENTIALS env variable pointing to a service account config. The service account was created in main-project with the role "Pub/Sub Subscriber". 

I've also tried hard-coding the credentials from the service account object to test, e.g.:

  // service account object from JSON key
const serviceAccountConfig = {
  type: "service_account",
  project_id: "main-project",
  private_key_id: "[sanitized]",
  private_key:
    "-----BEGIN PRIVATE KEY-----[sanitized]-----END PRIVATE KEY-----\n",
  client_email: "example_service_account@main-project.iam.gserviceaccount.com",
  client_id: "[sanitized]",
  auth_uri: "https://accounts.google.com/o/oauth2/auth",
  token_uri: "https://oauth2.googleapis.com/token",
  auth_provider_x509_cert_url: "https://www.googleapis.com/oauth2/v1/certs",
  client_x509_cert_url:
    "[sanitized]",
  universe_domain: "googleapis.com",
};
const pubSubClient = new PubSub({
  projectId: "main-project",
  credentials: {
    client_email: serviceAccountConfig.client_email,
    private_key: serviceAccountConfig.private_key,
  },
});

Same error, both on local and when deployed to app hosting.

Am I missing a step to authenticating? Is there something else I need to do to authenticate across projects?