Google Cloud Pub/Sub Pull PERMISSION_DENIED

Question

I have Google Cloud SDK in my local machine, and when I run the command:

gcloud beta pubsub subscriptions pull --auto-ack MY_SUBSCRIPTION_NAME

It works just fine and I can see the messages.

But, if I do the same thing in the GCE VM I created, I get the following error:

ERROR: (gcloud.beta.pubsub.subscriptions.pull) PERMISSION_DENIED: User not authorized to perform this action.

I've tried several things already, like:

• Stop the instance and add a Service Account;

• Make my instance "Allow full access to all Cloud APIs";

• Do sudo yum update google-cloud-sdk

I don't know what else to try to make it work. Any ideas? Please give me a light here.

Answer 1

Some times you just need to implement a provide class to set autorization like CustomCredentialsProvider -> take a look at google documentation.

Answer 2

You should go to the Cloud console subscriptions page and ensure that your service account has the "Pub/Sub Subscriber" permission on the subscription. When you are on the subscriptions page, you can click the check box next to the subscription and then the following will appear on the right of the screen:

Ensure that your service account is in the circled section and if it is not, add it. To do so, type in the service account under "Add members" and in the "Select a role" dropdown, choose "Pub/Sub Subscriber" and then click the "Add" button. Note that to add the service account, you will need to be logged into the Cloud console with an account that has the Owner or Pub/Sub Admin per the Pub/Sub access control rules.

This is not the same as selecting "Allow full access to all Cloud APIs." That feature indicates which APIs the GCE instance can acccess; it does not affect the authentication of the service account for accessing the desired resource (e.g, subscription) through those APIs.

It is likely that this worked through the gcloud command line tool because you were authenticated with the Google account that was used to create the subscription.