Can a Google Cloud Function in one project connect to a Serverless VPC Connector in a different project?


Let's say a Google Cloud Function is running in project "foo", and we want it to use a VPC Connector in project "bar". Is that possible? The motivation is not to have to set up a separate VPC Connector in Project foo with a monthly cost, since usage is so low.

I tried doing this, but I get an error when deploying the function using

gcloud functions deploy my-function --vpc-connector=projects/bar/locations/us-central1/connectors/my-connector

First I got the following error:

ERROR: (gcloud.functions.deploy) OperationError: code=7, message=Missing necessary permission vpcaccess.connectors.use for serviceAccount:service-{foo-project-number}@gcf-admin-robot.iam.gserviceaccount.com on project fareclockdev-billing. 
 Please grant serviceAccount:service-{foo-project-number}@gcf-admin-robot.iam.gserviceaccount.com the roles/vpcaccess.user role. 
 You can do that by running 'gcloud projects add-iam-policy-binding foo --member=serviceAccount:service-{foo-project-number}@gcf-admin-robot.iam.gserviceaccount.com --role=roles/vpcaccess.user' 

So I granted that service account, as well as the function's service account (a different one), the vpcaccess.user role in both the foo and bar projects. But now I'm getting the following, different error:

ERROR: (gcloud.functions.deploy) OperationError: code=7, message=Missing necessary permission for service-{foo-project-number}@gcf-admin-robot.iam.gserviceaccount.com on resource foo. Please visit https://cloud.google.com/functions/docs/troubleshooting for in-depth troubleshooting documentation.

Is it possible for this scenario to work?

An additional note is that the VPC Connector actually connects to a network in a third project (call it baz). Not sure if that has any bearing here or not. But I do have functions running in project bar that have no problem using the connector to access a Redis service in project baz.

Thanks.
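The first error names roles/vpcaccess.user and the gcf-admin-robot service agent, but the command it suggests targets the function's project while the permission check it reports was evaluated on the project that owns the connector. The script below (an added example, not part of the question or answer) derives the binding from the connector resource name so the grant lands on the connector's project only, for that one service agent; it assumes a Shared VPC host project owns the connector, as the documentation quoted in the answer requires, and all project ids and numbers are constructed placeholders.

```shell
#!/bin/sh
# Derive a least-privilege IAM binding for cross-project connector use.
# Default is a dry run (command is printed); set APPLY=1 to execute it.

# Extract the project id from a full connector resource name of the form
# projects/<id>/locations/<region>/connectors/<name>. Prints nothing and
# returns 1 when the argument is not shaped like that (e.g. a bare name).
connector_project() {
  case "$1" in
    projects/*/locations/*/connectors/*) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$1" | cut -d/ -f2
}

# Cloud Functions service agent for the project that runs the function,
# identified by that project's number (as in the error message).
gcf_service_agent() {
  printf 'serviceAccount:service-%s@gcf-admin-robot.iam.gserviceaccount.com\n' "$1"
}

# Build the binding: roles/vpcaccess.user for the function project's service
# agent, granted on the connector's project (the resource the permission
# vpcaccess.connectors.use is checked against), not on the function project.
grant_connector_use() {
  connector="$1"
  fn_project_number="$2"
  target="$(connector_project "$connector")" || {
    echo "not a full connector resource name: $connector" >&2
    return 1
  }
  member="$(gcf_service_agent "$fn_project_number")"
  cmd="gcloud projects add-iam-policy-binding $target --member=$member --role=roles/vpcaccess.user"
  if [ -n "$APPLY" ]; then
    $cmd
  else
    printf '%s\n' "$cmd"
  fi
}

# Demo with constructed values: function in project number 123456,
# connector in project "bar" (the scenario from the question).
grant_connector_use projects/bar/locations/us-central1/connectors/my-connector 123456
```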


I tested this in the user interface and found information that suggests it's possible to use a VPC connector from different projects. However, I'm still uncertain if this message is specifically related to a shared VPC, as all the documentation I've come across addresses the use of a VPC connector from a shared VPC.

For instance, in one piece of documentation link, it outlines the configuration of a cloud function to use a VPC connector, but it appears to be intended for shared VPCs exclusively.

Nonetheless, in a screenshot captured during the creation of a cloud build and the association of a VPC connector, it states, 'The PROJECT_ID must be the same project where your resource is deployed, or a project sharing a VPC with it, where the connector is created.'

The second error message you're encountering suggests there may be issues with permissions and roles, although it doesn't specify which role or permission is missing. I recommend referring to this link to check and try the permissions and roles detailed in the documentation.
