CODEWITHSUNDEEP
google-cloud-run
engineer-x
engineer-x

Reputation: 3161

Can't access Google Run service with authenticated access

I have a Cloud Run service on a GCP project with access point URL https://reporting-intake-service-XXX-uc.a.run.app. And the service itself uses Pub/Sub to push a message.

Update: I have confirmed the issue is with the Pub/Sub invocation in the service and NOT the access to the service itself.

Dockerfile

FROM python:3
WORKDIR /app
COPY . .
RUN pip install -r requirements.txt
CMD python3 intake.py

intake.py

import logging
from flask import Flask, request
from google.cloud import pubsub_v1

app = Flask(__name__)


@app.route("/", methods=["POST"])
def intake():
    try:
        report = request.data
        publish_message(report)
        return "Thanks"
    except Exception as e:
        logging.error(e)
        return "ERROR"


def publish_message(report):
    publisher = pubsub_v1.PublisherClient()
    future = publisher.publish("projects/my-project/topics/reporting", report)
    logging.info(future.result())



if __name__ == "__main__":
    app.run(port=8080, host="0.0.0.0", debug=True)

Error message:

status = StatusCode.PERMISSION_DENIED 
details = "User not authorized to perform this action."

What I've tried:

Upvotes: 1

Views: 1457

Answers (1)

engineer-x
engineer-x

Reputation: 3161

Okay I solved it.

It turns out the Cloud Run service was made with the default Compute service account ###[email protected].

Cloud Run > click on service > REVISIONS > SECURITY

The IAM principle attached to ###[email protected] was deleted (by me for security purposes). So the underlying service I created on Cloud Run did not have access to PubSub.

I spent way too much time on this sh*t.

To be clear this is under the "Require authentication" schema.

Upvotes: 1

Related Questions