Hello person, I've been getting this error for 3 days and I don't know what else to do. I used to create a vpc without a server in my host project, and I'm trying to use it in my other project with cloud run, but when I select the vpc and try to deploy a new version, I get this error: "Please ensure the project's service agent has the permission [vpcaccess.connectors.use] for action Connect on resource projects/shareddatabase/locations/us-central1/connectors/shared-database-connector. See https://cloud.google.com/vpc/docs/configure-serverless-vpc-access#shared-vpc."
I have already released all possible permissions and it doesn't work. I don't know what to do, help me please.
Cloud Run Service Agent will also need the Serverless VPC Access User IAM role on the host project. Please note, some developers confuse the Service Agent with some other Service Account.
Are you also using Cloud Functions? What is the workflow of your projects?
We've had the same problem with cloud run and VPC connectors on another project. There's a Cloud Run Service Agent account that is automatically created on each project when you enable cloud run. That is the account that needs access. If your cloud run instance is on Project B, and the vpc access connector is on project A, then the cloud run service agent account on project B needs to be given IAM access to the VPC connector on project A.
Step 1: find the cloud run service agent account on project B.
Its name will be [project A number]@serverless-robot-prod.iam.gserviceaccount.com
You should be able to find it in the IAM & Admin page for project B if you check the "Include Google-provided role grants" checkbox at the upper right above the filter.
Step 2: Grant the cloud run service agent account from Step 1 IAM access to the VPC network/subnetwork in Project A.
My team does this via terraform, so I can't give you specific instructions for the console, but you should be able to do it from the console VPC Network->Shared VPC page. Put a checkmark next to the network/subnetwork that you want to grant access on, and manage permissions in the panel to the right. You may have to click "show permissions panel" at upper right if you have it hidden.
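A check for the grant described in the replies above, as an added example that is not part of the original thread: it reads the host project's IAM policy (assumed here to be the JSON from `gcloud projects get-iam-policy HOST_PROJECT --format=json`) and reports whether the Serverless VPC Access User role (`roles/vpcaccess.user`) is bound to the service project's Cloud Run service agent or to some other account. The project number, account names and sample policy are constructed, and the function names are hypothetical.

```python
import json

ROLE = "roles/vpcaccess.user"  # Serverless VPC Access User

def cloud_run_service_agent(service_project_number):
    """IAM member string for the service project's Cloud Run service agent."""
    return ("serviceAccount:service-%s@serverless-robot-prod"
            ".iam.gserviceaccount.com" % service_project_number)

def check_connector_access(host_policy, service_project_number, role=ROLE):
    """Classify the host project's grant of `role` to the service agent.

    Returns (status, detail): ok, conditional, wrong-principal or missing.
    """
    agent = cloud_run_service_agent(service_project_number)
    others, conditional = set(), False
    for binding in host_policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        members = binding.get("members", [])
        if agent in members:
            if "condition" not in binding:
                return "ok", agent          # unconditional grant to the agent
            conditional = True              # grant exists but may not apply
        others.update(m for m in members if m != agent)
    if conditional:
        return "conditional", agent
    if others:
        return "wrong-principal", sorted(others)  # role went to another account
    return "missing", agent

# Constructed host-project policy: the role is bound to the Compute Engine
# default service account and a custom account, not to the service agent.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/vpcaccess.user",
   "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
               "serviceAccount:my-job@service-project.iam.gserviceaccount.com"]},
  {"role": "roles/viewer",
   "members": ["serviceAccount:service-123456789012@serverless-robot-prod.iam.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    status, detail = check_connector_access(SAMPLE_POLICY, "123456789012")
    print(status, detail)
```

A `wrong-principal` result lists the accounts that hold the role instead of the service agent; `conditional` means the agent is bound only under an IAM condition that still has to be reviewed.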
I'm having the same problem. I am deploying to Cloud Run Jobs, and my objective is to specify a custom service account and a VPC connector. I've tried with both the custom service account and the default one. In the case of the default service account, I get the error
Internal system error, system will retry later.
while creating the Cloud Run Job before timing out. In the case of the custom service account, the job creates but when it runs I get the error:
X Please ensure the project's service agent has the permission [vpcaccess.connectors.use] for action
Connect on resource projects/{PROJECT_ID}/locations/{REGION}connectors/{CONNECTOR_NAME}.
See https://cloud.google.com/vpc/docs/configure-serverless-vpc-access#shared-vpc.
I have found the service account following the pattern service-[project number]@serverless-robot-prod.iam.gserviceaccount.com from the service project and given it the Serverless VPC Access User IAM role on the VPC host project. I've also given it subnet access in the host project as pointed out in step 2 above. I've also done the same for my custom service account.
Despite all of this, the error doesn't change...
Any ideas?