Juan Lopez

Reputation: 167

Unknown failure to associate VPC connector in service project with shared VPC subnet in main project

When trying to associate a VPC connector in a service project with a shared VPC subnet in another project (from the same organization), the following error appears:

Unknown error. Original error message: Operation failed: VPC Access did not have permission to resolve the subnet or the provided subnet does not exist.

We waited past what is acceptable for permission propagation, as pointed out in this other post: GCP Shared VPC : a subnet is not shared from host project to service project. We definitely waited more than 20 min and the error persisted.

Upvotes: 3

Views: 4115

Answers (1)

user_9090

Reputation: 1984

To create a Serverless VPC Access Connector using a Shared VPC, first create the subnet in the Host Project of the Shared VPC with a /28 CIDR; there has to be a unique subnet for each Connector.

Then follow Google's documentation "Configuring the host project if using Shared VPC", specifically the following sections.

1. Create Firewall Rules

We also have to create firewall rules to allow requests from the following IP ranges to reach the connector and to be reached by the connector:

NAT ranges 107.178.230.64/26 and 35.199.224.0/19

Health check ranges 130.211.0.0/22, 35.191.0.0/16 and 108.170.220.0/23

2. Grant Permissions

Also, for each service project that will use VPC Connectors, a Shared VPC Admin must grant the Compute Network User role (compute.networkUser) in the host project to the service project's cloudservices and vpcaccess service accounts.

Upvotes: 7
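The procedure in the answer above, scripted end to end as an added example (this is not code from the original answer or from Google). All project ids, the project number, network, region, subnet name and range, and the connector name are constructed placeholders supplied through environment variables; the NAT and health-check ranges are the ones quoted in the answer, while the connector ports (tcp:667, udp:665-666) and the service-account naming patterns are assumed from Google's Serverless VPC Access documentation and should be checked against the current docs. By default the script only prints the gcloud commands it would run (DRY_RUN=1); set DRY_RUN=0 to execute them. Before creating the connector it also verifies that both compute.networkUser bindings are actually present in the host project, since a missing binding is what produces the "did not have permission to resolve the subnet" error in the question.

```shell
#!/bin/sh
# Added example: Serverless VPC Access connector on a Shared VPC.
# All names below are constructed placeholders; override via env vars.
set -eu

HOST_PROJECT="${HOST_PROJECT:-host-project-id}"                   # placeholder
SERVICE_PROJECT="${SERVICE_PROJECT:-service-project-id}"          # placeholder
SERVICE_PROJECT_NUMBER="${SERVICE_PROJECT_NUMBER:-123456789012}"  # placeholder
NETWORK="${NETWORK:-shared-vpc}"                                  # placeholder
REGION="${REGION:-us-central1}"
SUBNET="${SUBNET:-connector-subnet}"
SUBNET_RANGE="${SUBNET_RANGE:-10.8.0.0/28}"
CONNECTOR="${CONNECTOR:-svc-connector}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print gcloud commands, 0 = execute them

# Ranges quoted in the answer.
NAT_RANGES="107.178.230.64/26,35.199.224.0/19"
HC_RANGES="130.211.0.0/22,35.191.0.0/16,108.170.220.0/23"
# Connector ports: assumed from Google's Serverless VPC Access docs.
CONNECTOR_PORTS="tcp:667,udp:665-666,icmp"

# Each connector needs its own dedicated /28; reject any other prefix.
subnet_is_slash28() {
  case "$1" in
    */28) return 0 ;;
    *)    return 1 ;;
  esac
}

# Service accounts of the service project that need compute.networkUser
# in the host project (naming patterns assumed from Google's docs).
vpcaccess_sa()     { printf 'service-%s@gcp-sa-vpcaccess.iam.gserviceaccount.com' "$1"; }
cloudservices_sa() { printf '%s@cloudservices.gserviceaccount.com' "$1"; }

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Dedicated /28 subnet in the host project's shared network.
create_subnet() {
  subnet_is_slash28 "$SUBNET_RANGE" || { echo "subnet range must be a /28" >&2; return 1; }
  run gcloud compute networks subnets create "$SUBNET" \
    --project="$HOST_PROJECT" --network="$NETWORK" \
    --region="$REGION" --range="$SUBNET_RANGE"
}

# 1. Firewall rules in the host project: NAT ranges in and out,
#    health-check ranges in.
create_firewall_rules() {
  run gcloud compute firewall-rules create serverless-to-vpc-connector \
    --project="$HOST_PROJECT" --network="$NETWORK" --direction=INGRESS \
    --allow="$CONNECTOR_PORTS" --source-ranges="$NAT_RANGES" --target-tags=vpc-connector
  run gcloud compute firewall-rules create vpc-connector-to-serverless \
    --project="$HOST_PROJECT" --network="$NETWORK" --direction=EGRESS \
    --allow="$CONNECTOR_PORTS" --destination-ranges="$NAT_RANGES" --target-tags=vpc-connector
  run gcloud compute firewall-rules create vpc-connector-health-checks \
    --project="$HOST_PROJECT" --network="$NETWORK" --direction=INGRESS \
    --allow=tcp:667 --source-ranges="$HC_RANGES" --target-tags=vpc-connector
}

# 2. Grant compute.networkUser on the host project to both service accounts.
grant_permissions() {
  for sa in "$(vpcaccess_sa "$SERVICE_PROJECT_NUMBER")" "$(cloudservices_sa "$SERVICE_PROJECT_NUMBER")"; do
    run gcloud projects add-iam-policy-binding "$HOST_PROJECT" \
      --member="serviceAccount:$sa" --role=roles/compute.networkUser
  done
}

# Preflight for the error in the question: fail early if either binding
# is missing from the host project's IAM policy (skipped in dry-run mode).
check_permissions() {
  [ "$DRY_RUN" = "1" ] && return 0
  members=$(gcloud projects get-iam-policy "$HOST_PROJECT" \
    --flatten="bindings[].members" \
    --filter="bindings.role:roles/compute.networkUser" \
    --format="value(bindings.members)")
  for sa in "$(vpcaccess_sa "$SERVICE_PROJECT_NUMBER")" "$(cloudservices_sa "$SERVICE_PROJECT_NUMBER")"; do
    echo "$members" | grep -q "serviceAccount:$sa" || { echo "missing compute.networkUser for $sa" >&2; return 1; }
  done
}

# Create the connector in the service project, pointing at the host subnet.
create_connector() {
  run gcloud compute networks vpc-access connectors create "$CONNECTOR" \
    --project="$SERVICE_PROJECT" --region="$REGION" \
    --subnet="$SUBNET" --subnet-project="$HOST_PROJECT"
}

create_subnet
create_firewall_rules
grant_permissions
check_permissions
create_connector
```

The preflight check queries the host project's IAM policy rather than trusting that a binding was applied, which separates a genuine propagation delay from a binding that was granted to the wrong project number or to the wrong project altogether.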
