Access SQL from a cloud function in another project
My situation is simple.
I have a Google Cloud Function in Project A accessing a PostgreSQL instance in Project A. It works great.
Now I need another Google Cloud Function from project B to access the PostgreSQL instance in project A.
I have been staring at this in Google documentation and I just can't parse it:
If the authorizing service account belongs to a different project than the Cloud SQL instance, enable the Cloud SQL Admin API, and add the IAM permissions listed above, on both projects.
I understand that the service account for my Cloud Function in Project B needs to have the IAM permissions. (If so, is it possible to restrict the Cloud SQL permissions only to the database in Project A?)
Do I understand correctly that I need to:
- Create a service account in Project A (where the SQL lives) that has the same IAM permissions
- Add the service account from Project B as a principal to the service account in Project A?
Solution 1:
There is no need to create a new service account. Analyse it like this: Project A has to allow access to Project B. As the Cloud Functions use the App Engine default service account, you have to allow this account (from Project B) in the project where your database runs (Project A).
So:
On Project B:
- Enable the SQL API (you can click here to do that -> choose Project B).
- Enable the Cloud Functions API.
- In the IAM section, copy the email of the App Engine default service account: <PROJECT_B_ID>@appspot.gserviceaccount.com
On Project A (where PostgreSQL resides):
- Add the Cloud SQL Client role to the App Engine default service account (Name = App Engine default service account) of Project B, which is something like this: <PROJECT_B_ID>@appspot.gserviceaccount.com
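The same steps as a gcloud script, added here as an example (not part of the answer above). It assumes the project ids are passed in as placeholders, enables the Cloud SQL Admin API on both projects as the quoted docs ask, grants roles/cloudsql.client to Project B's App Engine default service account in Project A, and adds a read-only check of the resulting binding; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Cross-project Cloud SQL access for a Cloud Function (added example).
# Usage: grant_cross_project_sql_access <PROJECT_A_ID> <PROJECT_B_ID>
# Set DRY_RUN=1 to print the gcloud commands instead of executing them.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"          # dry run: show the exact command line
  else
    "$@"               # real run: execute it
  fi
}

grant_cross_project_sql_access() {
  project_a="$1"       # hosts the Cloud SQL (PostgreSQL) instance
  project_b="$2"       # hosts the calling Cloud Function
  # Principal to authorise: App Engine default service account of Project B
  sa="${project_b}@appspot.gserviceaccount.com"

  # Project B: enable the Cloud SQL Admin and Cloud Functions APIs
  run gcloud services enable sqladmin.googleapis.com \
    cloudfunctions.googleapis.com --project="$project_b"
  # The quoted docs ask for the Cloud SQL Admin API on both projects
  run gcloud services enable sqladmin.googleapis.com --project="$project_a"

  # Project A: grant the Cloud SQL Client role to Project B's service account
  # (project-level; the whole project, not a single database)
  run gcloud projects add-iam-policy-binding "$project_a" \
    --member="serviceAccount:${sa}" --role="roles/cloudsql.client"
}

# Read-only check: print the role if the binding exists in Project A
check_cloudsql_client_binding() {
  project_a="$1"
  sa="${2}@appspot.gserviceaccount.com"
  run gcloud projects get-iam-policy "$project_a" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:${sa} AND bindings.role:roles/cloudsql.client" \
    --format="value(bindings.role)"
}
```

Run the check after the grant; an empty result means the binding is missing and the function in Project B will still be refused.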