diff --git a/modules/regional-go-service/main.tf b/modules/regional-go-service/main.tf
index 9824e62c..f5d38787 100644
--- a/modules/regional-go-service/main.tf
+++ b/modules/regional-go-service/main.tf
@@ -155,3 +155,16 @@ resource "google_cloud_run_v2_service_iam_member" "public-services-are-unauthent
   role = "roles/run.invoker"
   member = "allUsers"
 }
+
+// Grant service account access to use subnet. This is typically granted with roles/run.serviceAgent,
+// but that role does not necessarily grant access if the network resides in another project.
+// See https://cloud.google.com/run/docs/configuring/vpc-direct-vpc#direct-vpc-service for more details.
+resource "google_compute_subnetwork_iam_member" "member" {
+  for_each = var.regions
+
+  project = var.network-project ? var.network-project : var.project_id
+  region = each.key
+  subnetwork = each.value.subnet
+  role = "roles/compute.networkUser"
+  member = "serviceAccount:${var.service_account}"
+}
diff --git a/modules/regional-go-service/variables.tf b/modules/regional-go-service/variables.tf
index b20aa30b..9e193973 100644
--- a/modules/regional-go-service/variables.tf
+++ b/modules/regional-go-service/variables.tf
@@ -88,3 +88,9 @@ variable "volumes" {
   }))
   default = []
 }
+
+variable "network-project" {
+  description = "The project in which the network and subnetworks reside. If not specified, var.project is used."
+  type = string
+  default = null
+}
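Review bot: The conditional `var.network-project ? var.network-project : var.project_id` in the new `google_compute_subnetwork_iam_member` uses a string variable whose declared default is `null` as the condition, but Terraform requires a boolean there, so the plan fails both when the variable is left unset (null condition) and when it holds a project id (string not convertible to bool). Replace it with `project = var.network-project != null ? var.network-project : var.project_id`, or equivalently `project = coalesce(var.network-project, var.project_id)`. Binding `roles/compute.networkUser` on the individual subnetwork rather than the network project is the narrowest scope for this permission and is the right least-privilege shape; note that `each.value.subnet` presumes every entry of `var.regions` carries a `subnet` attribute, which is declared outside this hunk and worth confirming. A more descriptive resource name than `member`, such as `service-account-network-user`, would make the purpose of the grant obvious in plan output.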
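Review bot: The description of the new `network-project` variable says `var.project` is used when it is unset, but the consumer in main.tf falls back to `var.project_id`, so the documentation names a variable the module does not use here; change it to `description = "The project in which the network and subnetworks reside. If not specified, var.project_id is used."`. Because the default is `null` and main.tf tests the value in a conditional, it would also help callers to state that the value must be a project id or left null, not an empty string.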