I have a shared VPC host project with an attached service project that I am configuring Cloud Run functions on. 

When I use a serverless VPC subnet access connector(subnet created on the shared vpc host project) I have no issues.

But when I try to use the new "Send traffic directly to a VPC" option with a new subnet I am constantly blocked by a permissions error for being unable to use the subnet. I have tried using both the builtin service account as well as a manual service account I created. Both were granted the Compute Network User role on the shared vpc host project for the relevant subnet.

Any ideas?

"Revision 'ffdsafsdaf-00001-k5h' is not ready and cannot serve traffic. Access to the subnetwork shared-vpc-cloudrun-10-160-60-0 is not allowed."