3

I have a shared VPC with a Cloud SQL instance in it. In that host project I also have a serverless VPC connector, with id vpc-serverless-connector. It has 10.8.0.0/28 as IP range. I'm deploying my cloud functions with firebase deploy, a patched version (see https://github.com/firebase/firebase-functions/issues/552) where I set up the VPCConnector following this format:

vpcConnector:'projects/MY_HOST_PROJECT_ID/locations/MY_REGION/connectors/vpc-serverless-connector'

The functions are deployed in another project in the same region MY_REGION. That project has been given access to the sharedVPC.

When I deploy, I always get that error:

Missing necessary permission vpcaccess.connector.use for serviceAccount:service-MY_SERVICEID@gcf-admin-robot.iam.gserviceaccount.com on project MY_PROJECT.

Please grant serviceAccount:service-MY_SERVICEID@gcf-admin-robot.iam.gserviceaccount.com the roles/viewer role.

You can do that by running 'gcloud projects add-iam-policy-binding MY_PROJECT --member=serviceAccount:service-MY_SERVICEID@gcf-admin-robot.iam.gserviceaccount.com --role=roles/viewer'

I ran that command multiple times. I checked to be sure, and the gcf-admin-robot IAM service account in my Firebase-related project has all the necessary roles. It currently has: Viewer, Serverless VPC Access Admin, Serverless VPC Access User, Serverless VPC Access Viewer.

So what's happening? What am I missing? I can't seem to be able to make that work. My goal is to be able to access the Cloud SQL instance in the host project of my shared VPC from my Firebase cloud functions in another project.

Note: I also tried deploying cloud functions directly without firebase and get the same error. So firebase should not be the issue here.

pcboy_
  • Did you create the serverless VPC connector in the host project? What's your region? When you apply the grant command, what is `service-MY_SERVICEID` -> the projectID of the function? what is `MY_PROJECT` -> the host project? Could you try to add when you talk about HOST project or attached project? – guillaume blaquiere Jul 30 '20 at 19:35
  • Yes, the VPC connector is in the host project. My region is us-central1. service-MY_SERVICEID is simply of the form service-655201204748@gcf-admin-robot.iam.gserviceaccount.com, I'm not sure what 655201204748 corresponds to internally. MY_PROJECT is not the host project, it's the project id of where the cloud function is located (it is different from the VPC host project). If I talk about the host project I mention MY_HOST_PROJECT_ID. – pcboy_ Jul 31 '20 at 07:01
  • `655201204748` is the project number. I guess the host project, right? – guillaume blaquiere Jul 31 '20 at 11:26
  • 655201204748 is the project number of my firebase project where the cloud function resides. Not the vpc host project's. – pcboy_ Aug 01 '20 at 02:18
  • I also noticed there are no issues creating a cloud function connecting to the vpc serverless connector inside the vpc host project, works perfectly fine. Problem only happens when using cloud functions outside of that vpc host project. – pcboy_ Aug 03 '20 at 00:45

1 Answer

4

I found the issue.
I forgot to add the MY_SERVICEID@gcf-admin-robot.iam.gserviceaccount.com from the service project inside the IAM of the host project.
You need to add this email as a member of the host project with the Cloud Functions Service Agent permissions.
Somehow I missed that part. Now everything works as expected.

pcboy_
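The fix in the answer, as an added example that is not code from the question or the answer: helpers that derive the service project's Cloud Functions service agent from its project number, print the binding the host project (not the function project) needs, and check a `gcloud projects get-iam-policy` dump for that binding. The project id, the role name `roles/cloudfunctions.serviceAgent` (the "Cloud Functions Service Agent" role the answer mentions) and the policy YAML are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the question or answer. Project ids and the policy
# YAML below are constructed placeholders.

# Cloud Functions service agent of the project whose project *number* is $1.
gcf_service_agent() {
  printf 'serviceAccount:service-%s@gcf-admin-robot.iam.gserviceaccount.com\n' "$1"
}

# Print (do not run) the grant to apply on HOST project $1 for the service
# project with number $2. The error message asks for roles/viewer on the
# function project; the answer's fix is a binding on the host project instead.
host_project_grant_cmd() {
  printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=roles/cloudfunctions.serviceAgent\n' \
    "$1" "$(gcf_service_agent "$2")"
}

# Exit 0 if the policy YAML in file $1 (as printed by
# `gcloud projects get-iam-policy HOST_PROJECT`) binds member $3 to role $2.
has_binding() {
  awk -v role="$2" -v member="$3" '
    /^- members:/                        { found = 0 }  # start of a binding
    $1 == "-" && $2 == member            { found = 1 }  # member is listed
    $1 == "role:" && $2 == role && found { hit = 1 }    # ... under this role
    END { exit hit ? 0 : 1 }
  ' "$1"
}

# Constructed sample of a host-project policy that already carries the
# binding for project number 655201204748 (the number quoted in the comments).
sample_policy() {
  cat <<'EOF'
bindings:
- members:
  - serviceAccount:service-655201204748@gcf-admin-robot.iam.gserviceaccount.com
  role: roles/cloudfunctions.serviceAgent
- members:
  - user:owner@example.com
  role: roles/viewer
etag: BwXplaceholder=
version: 1
EOF
}

# Usage: verify the sample dump, then print the command for a real host project.
tmp=$(mktemp); sample_policy > "$tmp"
has_binding "$tmp" roles/cloudfunctions.serviceAgent "$(gcf_service_agent 655201204748)" && echo "host project already grants the service agent"
host_project_grant_cmd MY_HOST_PROJECT_ID 655201204748
rm -f "$tmp"
```

Against a real host project, pipe `gcloud projects get-iam-policy MY_HOST_PROJECT_ID` into a file and pass it to `has_binding` before and after running the printed grant.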