Google Cloud PubSub - Regional endpoint auth issue

Question

I want to create a publisher for google cloud Pub/Sub that publish to a regional endpoint.

This is the code I am running(pretty much the code from the quickstart guide):

using Google.Cloud.PubSub.V1;
using Grpc.Core;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using static Google.Cloud.PubSub.V1.PublisherClient;

namespace PubSub
{
    class PubSubProducer
    {
        public async Task<int> PublishMessagesAsync(string projectId, string topicId, IEnumerable<string> messageTexts)
        {
            var creationSettings = new ClientCreationSettings(credentials: await GoogleGrpcCredentials.GetApplicationDefaultAsync().ConfigureAwait(false),
                                                                serviceEndpoint: "us-central1-pubsub.googleapis.com");

            var customSettings = new PublisherClient.Settings
            {
                EnableMessageOrdering = true
            };

            TopicName topicName = TopicName.FromProjectTopic(projectId, topicId);
            PublisherClient publisher = await PublisherClient.CreateAsync(topicName, clientCreationSettings: creationSettings, settings: customSettings);

            int publishedMessageCount = 0;
            var publishTasks = messageTexts.Select(async text =>
            {
                try
                {
                    string ordering_key;
                    if (int.Parse(text) > 5)
                        ordering_key = "a";
                    else
                        ordering_key = "b";
                    string message = await publisher.PublishAsync(ordering_key, text);
                    Console.WriteLine($"Published message {message}");
                    Interlocked.Increment(ref publishedMessageCount);
                }
                catch (Exception exception)
                {
                    Console.WriteLine($"An error ocurred when publishing message {text}: {exception.Message}");
                }
            });
            await Task.WhenAll(publishTasks);
            return publishedMessageCount;
        }
    }
}

I would like to use the ordering feature so I need the messages to be in the same region.

This code returns:

An error ocurred when publishing message 9: Status(StatusCode="Unauthenticated", Detail="Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.", DebugException="Grpc.Core.Internal.CoreErrorDetailException: {"created":"@1608719160.348000000","description":"Error received from peer ipv4:<IP>","file":"T:\src\github\grpc\workspace_csharp_ext_windows_x64\src\core\lib\surface\call.cc","file_line":1062,"grpc_message":"Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.","grpc_status":16}")

When I am not suppling a regional endpoint it works fine:

var creationSettings = new ClientCreationSettings(credentials: await GoogleGrpcCredentials.GetApplicationDefaultAsync().ConfigureAwait(false));

It seems like my service account missing a permission to use this regional endpoint.

How can I fix this? What permissions am I missing?

Answer 1

The issue was with how I created the ClientCreationSettings.

The correct way for publisher:

var clientCreationSettings = new PublisherClient.ClientCreationSettings(serviceEndpoint: "us-central1-pubsub.googleapis.com:443");

For subscriber:

var clientCreationSettings = new SubscriberClient.ClientCreationSettings(serviceEndpoint: "us-central1-pubsub.googleapis.com:443");