You have a Cloud Run service that needs to connect to a Cloud SQL instance in a different project. You provisioned the Cloud Run service account with the Cloud SQL Client IAM role on the project that is hosting Cloud SQL. However, when you test the connection, the connection fails. You want to fix the connection failure while following Google-recommended practices. What should you do?
Even though you have granted the Cloud SQL Client role to the Cloud Run service account, the connection can still fail if the Cloud SQL Admin API is not enabled in the project where your Cloud Run service resides. For cross-project connections, Google Cloud recommends that the Cloud SQL Admin API be enabled in both projects (the one hosting Cloud SQL and the one running Cloud Run) so that proper metadata and instance connection details can be retrieved. • Option A: The Cloud SQL Client role already includes the necessary cloudsql.instances.connect permission. • Option B: There’s no indication that you are hitting an API quota issue. • Option D: Migrating the Cloud SQL instance is unnecessary and not in line with best practices for cross-project communication. Thus, enabling the Cloud SQL Admin API in both projects resolves the connectivity issue.