403 error when trying to list metrics in different project through monitoring api from app engine


B

Jul 6, 2020, 1:54:43 PM
to Google App Engine

I am using an App Engine standard application written in Python 2.7 to collect monitoring metrics from different projects. I am running this from Cloud Shell. The App Engine application is deployed in projectA, and it is able to collect the metrics from projectA through the call below:

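    from googleapiclient.discovery import build

    # No credentials are passed, so the client uses the app's default identity.
    service = build('monitoring', 'v3', cache_discovery=True)
    project_name = 'projects/{project_id}'.format(
        project_id=project_id
    )

    # config.PAGE_SIZE and next_page_token come from the surrounding loop.
    metrics = service.projects().metricDescriptors().list(
        name=project_name,
        pageSize=config.PAGE_SIZE,
        pageToken=next_page_token
    ).execute()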

This call is written in a loop. Now I need to collect ProjectB metrics. I have owner access to ProjectB. When ProjectB is passed as the project_id parameter, I am getting the error below:

logMessage: "Error: <HttpError 403 when requesting https://monitoring.googleapis.com/v3/projects/ProjectB/metricDescriptors?pageToken=&alt=json&pageSize=500 returned "Permission monitoring.metricDescriptors.list denied (or the resource may not exist).">"
severity: "ERROR"
sourceLocation: {
 file: "/base/data/home/apps/s~ProjectA/list-metrics:20200706t123743.427891295940019389/main.py"
 functionName: "post"
 line: "665"
}
time: "2020-07-06T16:10:43.724399Z"

I am not sure what should be done to make this work. I am very new to Google Cloud and its APIs, and also new to App Engine and Python 2.7. Kindly help. Thanks.


Olu

Jul 7, 2020, 3:17:55 PM
to Google App Engine
As you may already know, GCP projects represent a trust boundary within an organization. Hence, inter-project communication between App Engine services would require public IP communication or using Shared VPC [1]. So, depending on your setup, there really should be no internal communication between App Engine services or other GCP services over different projects.

Additionally, about using public App Engine IP addresses: as illustrated in this document [2], App Engine hosts services on a dynamic public IP address of a Google load balancer. Due to that, the IP address can be changed at any time and a static IP cannot be provided. For outbound services, a large pool of IP addresses is used, which you can obtain as outlined in this document [3].

With all that being said, can you shed more light on the metrics being collected? Are the metrics for an App Engine application in Project B, or somewhere else? Which product's metrics exactly are you looking to pull?
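
An added example, not part of the thread or of either poster's code: the 403 names the permission monitoring.metricDescriptors.list, so one check is whether the identity the app calls the API as holds a role with that permission on the target project. It assumes the app runs as the deploying project's App Engine default service account (the default when no credentials are passed to build()); the policy, the project ID "project-a" and the member names are constructed sample data.

```python
# Added example; the policy, project ID and members below are constructed.

# Predefined roles that contain monitoring.metricDescriptors.list
# (a partial list; custom roles are not covered by this check).
ROLES_WITH_LIST = frozenset([
    "roles/monitoring.viewer", "roles/monitoring.editor",
    "roles/monitoring.admin", "roles/viewer", "roles/editor", "roles/owner",
])


def gae_default_service_account(project_id):
    """IAM member string of a project's App Engine default service account."""
    return "serviceAccount:{0}@appspot.gserviceaccount.com".format(project_id)


def granting_roles(policy, member):
    """Roles in `policy` (getIamPolicy shape) that let `member` list descriptors.

    Bindings with a condition are skipped: the condition may not hold.
    """
    roles = set()
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue
        if (binding.get("role") in ROLES_WITH_LIST
                and member in binding.get("members", [])):
            roles.add(binding["role"])
    return sorted(roles)


def with_binding(policy, role, member):
    """Return a copy of `policy` with `member` added to `role`."""
    bindings = [dict(b, members=list(b.get("members", [])))
                for b in policy.get("bindings", [])]
    for b in bindings:
        if b.get("role") == role and not b.get("condition"):
            if member not in b["members"]:
                b["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return dict(policy, bindings=bindings)


# Constructed IAM policy for the target project: the human is owner, but the
# calling app's service account has no monitoring role there.
TARGET_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:b@example.com"]},
]}
APP_IDENTITY = gae_default_service_account("project-a")  # constructed ID
```

Here granting_roles(TARGET_POLICY, APP_IDENTITY) is empty even though the human user is an owner, and adding roles/monitoring.viewer for the service account is the narrowest predefined role in the list that changes the result.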
