Aswin

Reputation: 5

cloud run - 403 User not authorized to perform this action (PUB/SUB)

I have a service account attached to my Cloud Run service, which has access to services like secrets and API keys.

I have recently added new roles like Pub/Sub Publisher and get topics and list topics to my service account. From local, when I use the key file of the service account, I am able to send data to the Pub/Sub topic.

But when I deploy the application in Cloud Run, which does the same job of sending messages to Pub/Sub, the application is failing with the below error:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/google/cloud/pubsub_v1/publisher/_batch/thread.py", line 274, in _commit
    response = self._client._gapic_publish(
  File "/usr/local/lib/python3.10/site-packages/google/cloud/pubsub_v1/publisher/client.py", line 267, in _gapic_publish
    return super().publish(*args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/google/pubsub_v1/services/publisher/client.py", line 794, in publish
    response = rpc(
  File "/usr/local/lib/python3.10/site-packages/google/api_core/gapic_v1/method.py", line 113, in call
    return wrapped_func(*args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/google/api_core/retry.py", line 349, in retry_wrapped_func
    return retry_target(
  File "/usr/local/lib/python3.10/site-packages/google/api_core/retry.py", line 191, in retry_target
    return target()
  File "/usr/local/lib/python3.10/site-packages/google/api_core/timeout.py", line 120, in func_with_timeout
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/google/api_core/grpc_helpers.py", line 67, in error_remapped_callable
    raise exceptions.from_grpc_error(exc) from exc
google.api_core.exceptions.PermissionDenied: 403 User not authorized to perform this action.

The below part is the same code which I am using locally and from the Cloud Run application:

import json

from google.cloud.pubsub_v1 import PublisherClient

PROJECT_ID = "project-id"  # placeholder
TOPIC_NAME = "topic-name"  # placeholder

data = {"a": "apple", "b": 700}
# Pub/Sub message payloads are bytes, so serialise to JSON and encode
final_data = json.dumps(data).encode("utf-8")
# Uses Application Default Credentials: the key file locally, the attached service account on Cloud Run
publisher_client = PublisherClient()
topic_path = publisher_client.topic_path(PROJECT_ID, TOPIC_NAME)
future = publisher_client.publish(topic_path, final_data)
message_id = future.result()  # block so a PermissionDenied surfaces here rather than in the batch thread

I can see the inherited permissions in the GCP console for the topics. The interesting part is that the Cloud Run service is working in the lower environment. But in a different environment with the same access, the Cloud Run service is failing. Both environments have their own service accounts with the exact same access.

Upvotes: 0

Views: 1189

Answers (1)

Aswin

Reputation: 5

I made a really silly mistake. When reading config files for Pub/Sub alone, I was reading the dev file (I missed loading an environment variable, so by default it picked dev). So I was trying to access a different project's Pub/Sub; this is the reason I got the 403 "user doesn't have access" error.

Upvotes: 0
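The failure mode in the accepted answer (the wrong environment's config silently selected, so the topic path names a project the attached service account has no role in) is easy to fail-fast on before the first publish. The following is an added example, not code from the question or answer: it refuses to default to the dev config when the environment variable is missing, parses the project out of the topic path, and compares it with the project the deployment is meant to publish in. The config contents, the variable names `APP_ENV` and `EXPECTED_PROJECT`, and the project ids are assumptions for this example; the recording client stands in for `PublisherClient` so it runs offline.

```python
import json
import re

# Constructed per-environment config, standing in for the asker's config files.
# The project ids and topic name are assumptions for this example.
CONFIGS = {
    "dev": {"project_id": "dev-project", "topic": "events"},
    "prod": {"project_id": "prod-project", "topic": "events"},
}

_TOPIC_RE = re.compile(r"^projects/(?P<project>[^/]+)/topics/(?P<topic>[^/]+)$")


class ConfigError(RuntimeError):
    """Raised when the environment selection or config is ambiguous or inconsistent."""


def select_env(environ):
    """Pick the config by APP_ENV (assumed variable name); never silently default to dev."""
    env = environ.get("APP_ENV")
    if not env:
        raise ConfigError("APP_ENV is not set; refusing to fall back to the dev config")
    if env not in CONFIGS:
        raise ConfigError(f"unknown APP_ENV {env!r}; expected one of {sorted(CONFIGS)}")
    return env


def topic_path(project, topic):
    """Build the full resource name, in the same format PublisherClient.topic_path() returns."""
    return f"projects/{project}/topics/{topic}"


def parse_topic_path(path):
    """Split a full topic path back into (project, topic)."""
    m = _TOPIC_RE.match(path)
    if not m:
        raise ValueError(f"not a topic path: {path!r}")
    return m.group("project"), m.group("topic")


def resolve_topic_path(environ):
    """Build the topic path for this deployment and cross-check its project.

    EXPECTED_PROJECT is an assumed variable, set in the service definition to the
    project the attached service account is meant to publish in.
    """
    env = select_env(environ)
    cfg = CONFIGS[env]
    path = topic_path(cfg["project_id"], cfg["topic"])
    expected = environ.get("EXPECTED_PROJECT")
    if not expected:
        raise ConfigError("EXPECTED_PROJECT is not set; cannot verify the topic's project")
    project, _ = parse_topic_path(path)
    if project != expected:
        raise ConfigError(
            f"config {env!r} points at project {project!r} but this service publishes for "
            f"{expected!r}; the other project's IAM would reject the publish with 403"
        )
    return path


def check_config(environ):
    """Non-raising variant for startup checks: (True, topic_path) or (False, reason)."""
    try:
        return True, resolve_topic_path(environ)
    except ConfigError as exc:
        return False, str(exc)


def publish_event(client, environ, payload):
    """Encode the payload exactly as the question does and publish through any client with .publish()."""
    path = resolve_topic_path(environ)
    data = json.dumps(payload).encode("utf-8")
    return client.publish(path, data)


class _RecordingClient:
    """Offline stand-in for PublisherClient: returns what it was asked to publish."""

    def publish(self, path, data):
        return path, data


if __name__ == "__main__":
    good = {"APP_ENV": "prod", "EXPECTED_PROJECT": "prod-project"}
    print(publish_event(_RecordingClient(), good, {"a": "apple", "b": 700}))
    # Reproduce the mistake from the answer: dev config loaded in a prod deployment.
    print(check_config({"APP_ENV": "dev", "EXPECTED_PROJECT": "prod-project"}))
    print(check_config({"EXPECTED_PROJECT": "prod-project"}))
```

Running `check_config` once at container start turns the answer's silent misconfiguration into an immediate, readable failure instead of a `PermissionDenied` raised from the publisher's batch thread; the same cross-check applies to any resource name that embeds a project id.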
