I have a Pub/Sub topic with a push subscription. I want my App Engine app to be called when a message is published to the topic.
Here's how I created the subscription:
```python
from google.cloud import pubsub_v1

subscriber = pubsub_v1.SubscriberClient()
# subscription_name, pubsub_topic and project_id are set earlier in the script
subscriber.create_subscription(
    name=subscription_name,
    topic=pubsub_topic,
    push_config=pubsub_v1.types.PushConfig(
        push_endpoint=f'my_gae_app_hostname/api/update',
        # Pub/Sub signs each push request with an OIDC token for this service account
        oidc_token=pubsub_v1.types.PushConfig.OidcToken(
            service_account_email=f"{project_id}@appspot.gserviceaccount.com")))
```
My GAE app is behind Identity-Aware Proxy (IAP). Without IAP everything works fine. But if IAP is enabled, GAE isn't being called. There are no errors in the logs. In Cloud Console, on the Pub/Sub Subscriptions page, I can just see that there are undelivered messages (on the Overview graph).
IAP has a principal for the GAE default account, which I use for the subscription (service_account_email).
I granted the Pub/Sub SA the iam.serviceAccountTokenCreator role (though according to the docs it's not needed anymore):
```shell
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:[email protected]" \
    --role=roles/iam.serviceAccountTokenCreator
```
I tried creating a separate SA as well (as suggested in this answer); it didn't help.
CodePudding user response:
You have to specify the correct audience. When you use App Engine and IAP the audience is unusual. I wrote an article where you can find the correct value to set.
To speed up your search, here is the most important info:
- The audience has this pattern: `<PROJECT_NUMBER>-<HASH>.apps.googleusercontent.com`
- The audience is the IAP client ID. You can find it by going to API & Services and selecting Credentials. Look at the OAuth 2.0 client IDs, find the IAP-App-Engine-app line and copy the Client ID.
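As an added illustration of the answer above (this is not code from the question, the answerer or Google's samples), here is how the subscription request looks once the OIDC token carries an explicit `audience` set to the IAP client ID. The request is built as the plain dict that `SubscriberClient.create_subscription(request=...)` accepts, and a small sanity check rejects audiences that do not follow the `<PROJECT_NUMBER>-<HASH>.apps.googleusercontent.com` pattern, so a forgotten or mistyped audience fails at deploy time instead of silently piling up undelivered messages. All project, topic, endpoint and client-ID values are constructed placeholders; the real client ID comes from the Credentials page as the answer describes. The HTTPS check on the endpoint is my own addition.

```python
import re

# Constructed placeholder values (assumptions, not taken from the original post).
PROJECT_ID = "my-project"
SUBSCRIPTION_NAME = f"projects/{PROJECT_ID}/subscriptions/update-push"
TOPIC_NAME = f"projects/{PROJECT_ID}/topics/updates"
PUSH_ENDPOINT = "https://my-gae-app.appspot.com/api/update"
PUSH_SERVICE_ACCOUNT = f"{PROJECT_ID}@appspot.gserviceaccount.com"
# Shape of an IAP client ID as given in the answer; the digits and hash are made up.
IAP_CLIENT_ID = "123456789012-abcdefghijklmnopqrstuvwxyz012345.apps.googleusercontent.com"

# <PROJECT_NUMBER>-<HASH>.apps.googleusercontent.com
IAP_AUDIENCE_RE = re.compile(r"^\d+-[A-Za-z0-9]+\.apps\.googleusercontent\.com$")


def is_iap_audience(audience: str) -> bool:
    """Return True if the string has the shape of an IAP OAuth client ID."""
    return IAP_AUDIENCE_RE.fullmatch(audience) is not None


def build_push_subscription_request(subscription: str, topic: str, endpoint: str,
                                    service_account: str, audience: str) -> dict:
    """Build the create_subscription request with an explicit OIDC audience.

    IAP only accepts the push if the token's `aud` claim equals the IAP client ID,
    so the audience is validated here before any API call is made.
    """
    if not is_iap_audience(audience):
        raise ValueError(f"audience does not look like an IAP client ID: {audience!r}")
    if not endpoint.startswith("https://"):
        raise ValueError("push endpoint must be an HTTPS URL")
    return {
        "name": subscription,
        "topic": topic,
        "push_config": {
            "push_endpoint": endpoint,
            "oidc_token": {
                "service_account_email": service_account,
                # This is the value the original subscription was missing.
                "audience": audience,
            },
        },
    }


if __name__ == "__main__":
    # Only reached when run against a real project; needs google-cloud-pubsub and credentials.
    from google.cloud import pubsub_v1

    request = build_push_subscription_request(
        SUBSCRIPTION_NAME, TOPIC_NAME, PUSH_ENDPOINT, PUSH_SERVICE_ACCOUNT, IAP_CLIENT_ID)
    subscriber = pubsub_v1.SubscriberClient()
    subscriber.create_subscription(request=request)
```

The `request=` dict form is interchangeable with the `pubsub_v1.types.PushConfig(...)` objects used in the question; the only functional change is the `audience` key inside `oidc_token`. Without it, Pub/Sub mints a token whose audience defaults to the push endpoint URL, which IAP rejects, and the subscription shows exactly the symptom described in the question: no errors, just a growing undelivered backlog.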