Giovanni Augusto

Reputation: 43

compute.networks.get to create GCP Instance group from a Shared VPC service project?

GCP with Shared VPC and a host project and a service project:

I configured a Shared VPC host project and shared a VPC and subnets to a service project and a user (Compute Network User role).

If I create a VM using a subnet from the host project I can do it without any problem, but when I try to create an instance group from the service project I receive the following error:

Required 'compute.networks.get' permission for 'projects/[HOST PROJECT ID]/global/networks/vpc-host-network'

The only solution I could find was to assign the Compute Network Viewer role to the service project user for the whole HOST project.

Trying to assign the Compute Network User role to the Compute Engine service account in the service project didn't help, and it looks to me like the GCP documentation doesn't mention this.

Do you know if this is something expected and is it documented anywhere?

Thanks

EDIT: Please note that this is relevant only for unmanaged instance groups; for managed instance groups it works without problems.

It is worth mentioning that for managed instance groups in service projects, it is necessary to have the Google APIs Service Agent ([PROJECT NUMBER]@cloudservices.gserviceaccount.com) account from the service project as a Compute Network User in the HOST project for the necessary subnets.

Upvotes: 0

Views: 807

Answers (1)

Parth Mehta

Reputation: 1927

Seems to be related to this one:

With shared VPC, you need to allow users/serviceAccounts in the service project to use the sub-network with a google_compute_subnetwork_iam_binding resource using roles/compute.networkUser role.

see: https://github.com/terraform-providers/terraform-provider-google/issues/1711

Upvotes: 1
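A Terraform rendering of the bindings discussed in the question and the answer above, added here as an example; it is not code from the original thread or from the linked GitHub issue. Project IDs, region, subnet name and the user e-mail are placeholder assumptions. The subnet-level `roles/compute.networkUser` grants follow the answer; the host-project-level `roles/compute.networkViewer` grant at the end reproduces what the asker reported was needed for unmanaged instance groups, not a documented requirement.

```hcl
# Added example (not from the original post): IAM bindings for a Shared VPC
# service project, written against the Terraform google provider.
# All values below are assumed placeholders; replace them with your own.

variable "host_project_id"    { default = "my-host-project" }      # assumed
variable "service_project_id" { default = "my-service-project" }   # assumed
variable "region"             { default = "europe-west1" }         # assumed
variable "subnet_name"        { default = "shared-subnet" }        # assumed
variable "developer"          { default = "user:dev@example.com" } # assumed

# The service project's number is needed to name its Google APIs Service Agent.
data "google_project" "service" {
  project_id = var.service_project_id
}

locals {
  # [PROJECT NUMBER]@cloudservices.gserviceaccount.com, as in the question.
  apis_service_agent = "serviceAccount:${data.google_project.service.number}@cloudservices.gserviceaccount.com"
}

# Shared VPC attachment: the host project and the service project it serves.
resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host_project_id
}

resource "google_compute_shared_vpc_service_project" "service" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = var.service_project_id
}

# Least-privilege grant: roles/compute.networkUser on the single shared subnet
# rather than on the whole host project. One binding for the human user ...
resource "google_compute_subnetwork_iam_member" "developer_network_user" {
  project    = var.host_project_id
  region     = var.region
  subnetwork = var.subnet_name
  role       = "roles/compute.networkUser"
  member     = var.developer
}

# ... and one for the service project's Google APIs Service Agent, which the
# question reports is required for managed instance groups.
resource "google_compute_subnetwork_iam_member" "apis_agent_network_user" {
  project    = var.host_project_id
  region     = var.region
  subnetwork = var.subnet_name
  role       = "roles/compute.networkUser"
  member     = local.apis_service_agent
}

# For UNMANAGED instance groups the asker found the subnet-level grant was not
# enough: the user also needed compute.networks.get on the host network, which
# they satisfied with roles/compute.networkViewer on the whole host project.
# This is broader than the subnet grant, so give it only to the principal
# that actually creates unmanaged instance groups.
resource "google_project_iam_member" "developer_network_viewer" {
  project = var.host_project_id
  role    = "roles/compute.networkViewer"
  member  = var.developer
}
```

After `terraform apply`, the effective policy can be checked from the host project with `gcloud compute networks subnets get-iam-policy SUBNET --region REGION --project HOST_PROJECT` for the subnet grants and `gcloud projects get-iam-policy HOST_PROJECT` for the project-level viewer grant; the viewer grant is the one to revisit if the `compute.networks.get` error stops appearing with a narrower scope.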
