
I am having trouble connecting my [Project A] Cloud Run instance to a [Project B] Cloud SQL instance.

I already set up the service account permissions as described in this article: https://cloud.google.com/sql/docs/mysql/connect-run

Which are like this:

  • I created a service account on [Project B] that has the Cloud SQL Admin and Cloud SQL Client roles.
  • I created a service account on [Project A] for the Cloud Run instance; this account has a User role on the service account for [Project B].

Both projects have the Cloud SQL Admin API active, and if I build the same Cloud Run instance on [Project B] it connects without any hitches, so I imagine this is a permission issue.

The error I get in the logs from the [Project A] Cloud Run instance is:

googleapi: Error 403: The client is not authorized to make this request., notAuthorized

  • I don't get this at all: "this account has a user role on the service account for [Project B]". Can you clarify this? Commented Jul 12, 2022 at 18:17
  • The service account for the Cloud Run instance has the Service Account User permission on the Cloud SQL service account; I imagine this is how you link both of them. Commented Jul 12, 2022 at 18:29
  • Actually not, the service account created in [Project A] should have the Cloud SQL User role in [Project B], unless you want to impersonate the SA from project B using the one in project A. If you want to impersonate, can you show the code you're using for this? Commented Jul 12, 2022 at 18:38

1 Answer

I replicated your error and managed to fix it without creating a service account manually on project A (Cloud Run) or project B (Cloud SQL).

When you deploy a service in Cloud Run, it uses the default Compute Engine service account, which looks like this: PROJECT_NUMBER-compute@developer.gserviceaccount.com

Then I open the Cloud IAM page on project B, where the Cloud SQL instance is located, and grant the service account from project A (Cloud Run) the Cloud SQL Client or Cloud SQL Admin role.

Sample screenshot of the project B Cloud IAM page where I grant the PROJECT_NUMBER-compute@developer.gserviceaccount.com service account from Cloud Run: [screenshot]

You can also see which service account your Cloud Run service uses in the Revisions tab -> Security tab.

[screenshot]


1 Comment

Thanks so much!! That fixed the problem. I thought I needed a service account and couldn't do it directly on the IAM page.
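An added check for the grant the answer describes (this is not code from the question or the answer). It assumes project B's IAM policy has been exported with `gcloud projects get-iam-policy PROJECT_B --format=json`, reports whether project A's Cloud Run service account holds Cloud SQL Client on project B (the missing binding is what produces the 403 notAuthorized), flags a grant of Cloud SQL Admin as broader than the connector needs, and prints the equivalent gcloud command. The project number, member and etag in the sample policy are constructed placeholders.

```python
import copy
import json

# Constructed sample of `gcloud projects get-iam-policy PROJECT_B --format=json` output.
# The project number 123456789012, the members and the etag are placeholders.
PROJECT_A_RUN_SA = "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
SAMPLE_POLICY_B = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudsql.admin",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:someone@example.com"]}
  ],
  "etag": "BwXYZ123",
  "version": 1
}
""")

CONNECT_ROLE = "roles/cloudsql.client"  # sufficient for a Cloud Run workload to connect
BROAD_ROLES = {"roles/cloudsql.admin"}  # also connects, but grants far more than that

def roles_for_member(policy, member):
    """Roles bound directly to `member` (group membership is not expanded)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def check_connect_access(policy, member):
    """'ok', 'broad' or 'missing'; 'missing' is the state behind the 403 notAuthorized."""
    roles = roles_for_member(policy, member)
    if CONNECT_ROLE in roles:
        return "ok"
    if roles & BROAD_ROLES:
        return "broad"  # connects, but via Cloud SQL Admin where Client would do
    return "missing"

def grant_command(project_b, member, role=CONNECT_ROLE):
    """The gcloud equivalent of the IAM-page grant described in the answer."""
    return (f"gcloud projects add-iam-policy-binding {project_b} "
            f"--member='{member}' --role='{role}'")

def with_binding(policy, member, role):
    """Policy after that grant (a local copy, no API call is made)."""
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role and "condition" not in b:
            b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new
```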
