Reputation: 5182
Just followed the tutorial available here, everything's clear; apparently nothing blocks
The configured run service IAM:
gcloud beta run services get-iam-policy $CLOUD_RUN_INSTANCE_NAME
returns
bindings:
- members:
  - serviceAccount:cloud-run-pubsub-invoker@$PROJECT_NAME.iam.gserviceaccount.com
  role: roles/run.invoker
etag: BwWRVC2n5Ek=
version: 1
The subscription:
gcloud pubsub subscriptions describe $app_subscription
returns
ackDeadlineSeconds: 10
expirationPolicy:
  ttl: 2678400s
messageRetentionDuration: 604800s
name: projects/$PROJECT_NAME/subscriptions/$app_subscription
pushConfig:
  oidcToken:
    serviceAccountEmail: cloud-run-pubsub-invoker@$PROJECT_NAME.iam.gserviceaccount.com
  pushEndpoint: https://$CLOUD_RUN_INSTANCE_NAME-he6agqsita-ew.a.run.app/
However, the service doesn't accept anything from the Pub/Sub trigger (it keeps returning 403).
The tutorial does not explicitly tell one to add this role to a service account. But as experienced, the add-iam-binding command on the run instance does not seem to be the correct step to take.
The Service account token creator is also correctly set on the Pub/Sub service account.
This happens in a managed context, not GKE. The run service is in Europe.
Is it missing from the tutorial? Is that expected, or am I missing something somewhere?
Upvotes: 1
Views: 832
Reputation: 75810
You need to grant the TokenCreator role to the Pub/Sub service-agent service account.
Here is the command line that I use:
gcloud projects add-iam-policy-binding <ProjectId> \
    --role roles/iam.serviceAccountTokenCreator \
    --member=serviceAccount:service-<ProjectNumber>@gcp-sa-pubsub.iam.gserviceaccount.com
Copy-paste of the documentation, in fact.
Upvotes: 3
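A diagnostic for the 403 described in the question, added here as an example (it is not code from the question, the answer or the tutorial): fed the JSON forms of the Cloud Run service's IAM policy and the project's IAM policy, it reports which of the two required bindings is missing, the run.invoker grant to the push service account on the service and the Token Creator grant to the Pub/Sub service agent on the project. The policy contents, project number and e-mail addresses below are constructed placeholders.

```python
INVOKER_ROLE = "roles/run.invoker"
TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator"


def members_with_role(policy, role):
    """Collect every member bound to `role` in a getIamPolicy result."""
    return {
        member
        for binding in policy.get("bindings", [])
        if binding.get("role") == role
        for member in binding.get("members", [])
    }


def diagnose_push_auth(service_policy, project_policy, push_sa_email, project_number):
    """Return the list of missing bindings; an empty list means both are present.

    service_policy: parsed `gcloud run services get-iam-policy SERVICE --format=json`
    project_policy: parsed `gcloud projects get-iam-policy PROJECT_ID --format=json`
    push_sa_email:  the serviceAccountEmail configured in the subscription's oidcToken
    """
    invoker_member = "serviceAccount:" + push_sa_email
    # The Pub/Sub service agent mints the OIDC token on behalf of the push
    # service account, so it needs Token Creator at project level (the answer's fix).
    pubsub_agent = "serviceAccount:service-%s@gcp-sa-pubsub.iam.gserviceaccount.com" % project_number
    missing = []
    if invoker_member not in members_with_role(service_policy, INVOKER_ROLE):
        missing.append("%s lacks %s on the Cloud Run service" % (invoker_member, INVOKER_ROLE))
    if pubsub_agent not in members_with_role(project_policy, TOKEN_CREATOR_ROLE):
        missing.append("%s lacks %s on the project" % (pubsub_agent, TOKEN_CREATOR_ROLE))
    return missing


# Constructed sample policies mirroring the question: the invoker binding is
# present on the service, but the Token Creator grant is absent on the project.
PUSH_SA = "cloud-run-pubsub-invoker@example-project.iam.gserviceaccount.com"
PROJECT_NUMBER = "123456789012"
SERVICE_POLICY = {"bindings": [{"members": ["serviceAccount:" + PUSH_SA], "role": INVOKER_ROLE}],
                  "etag": "BwWRVC2n5Ek=", "version": 1}
PROJECT_POLICY_BROKEN = {"bindings": [{"role": "roles/owner", "members": ["user:admin@example.com"]}]}
PROJECT_POLICY_FIXED = {"bindings": PROJECT_POLICY_BROKEN["bindings"] + [
    {"role": TOKEN_CREATOR_ROLE,
     "members": ["serviceAccount:service-%s@gcp-sa-pubsub.iam.gserviceaccount.com" % PROJECT_NUMBER]}]}

if __name__ == "__main__":
    for label, policy in (("before fix", PROJECT_POLICY_BROKEN), ("after fix", PROJECT_POLICY_FIXED)):
        print(label, diagnose_push_auth(SERVICE_POLICY, policy, PUSH_SA, PROJECT_NUMBER) or ["ok"])
```

A project-level run.invoker grant would also clear the 403 but, as the other answer notes, lets the account invoke every Cloud Run service in the project; the check deliberately looks only at the service-scoped binding.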
Reputation: 4194
In the section titled Integrating with Cloud Pub/Sub, there's a tab widget that asks you to select Cloud Run or Cloud Run on GKE.
For Cloud Run, step (a) is to use a command which associates the service account with the roles/run.invoker role in the context of a specific service.
gcloud beta run services add-iam-policy-binding pubsub-tutorial \
    --member=serviceAccount:[email protected] \
    --role=roles/run.invoker
This associates the invoker role with the service account, but only for the specified Cloud Run service. If you add this role to the service account generally it will be able to invoke any Cloud Run service. The tutorial takes the least privilege approach.
For Cloud Run on GKE, the invoker role is not supported, and the instructions in (d) ask that you add custom code to validate the ID Token sent as part of the Pub/Sub push request.
Upvotes: 1