Google-cloud-go: pubsub: Unauthenticated error

Created on 12 Aug 2019 · 3 Comments · Source: googleapis/google-cloud-go

Client

PubSub

Describe Your Environment

Cloud function

Expected Behavior

Message published to the topic

Actual Behavior

Getting error:

rpc error: code = Unauthenticated desc = transport: compute: Received 500 `Could not fetch URI /computeMetadata/v1/instance/service-accounts/default/token?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform%2Chttps%3A%2F%2Fwww.googleapis.com%2Fauth%2Fpubsub

I used this code to test:

package testfcn

import (
    "log"
    "net/http"

    "cloud.google.com/go/pubsub"
)

func TestFcn(w http.ResponseWriter, r *http.Request) {

    ctx := r.Context()

    client, err := pubsub.NewClient(ctx, "min-fotball-staging")
    if err != nil {
        log.Print(err)
        return
    }

    topic := client.Topic("TestTopic")

    result := topic.Publish(ctx, &pubsub.Message{
        Data: []byte("TestMessage"),
    })

    _, err = result.Get(ctx)
    if err != nil {
        log.Print(err)
        return
    }
}

I had created a topic named _TestTopic_ manually on the platform.
It breaks on the line _, err = result.Get(ctx).

pubsub question

All 3 comments

Thanks for filing this issue. Can you tell me what your invocation trigger is (http, pubsub, storage, etc)? And if it's HTTP, can you mention which service is hitting that endpoint?

Edit: in addition, can you check which permissions your Cloud Functions service account has? The default service account used is [email protected], but not sure if you changed it.

The cloud function is triggered by HTTP request.
I'm hitting it by Postman.
The cloud function is using a default service account that has the _Owner_ role. Also, our Cloud Architect @pkhamre and I tested it with a dedicated service account that has just the _Pub/Sub Publisher_ role, and we got the same error.

I was talking to my colleague who was answering your Stack Overflow question. I was able to reproduce the issue (and see the same error message) when the Cloud Functions Service Agent does not have the proper permissions. From the linked Stack Overflow post, this can be fixed by adding the proper role to service-@gcf-admin-robot.iam.gserviceaccount.com using gcloud when authenticated.

gcloud projects add-iam-policy-binding <project_name> --role=roles/cloudfunctions.serviceAgent --member=serviceAccount:service-<project_number>@gcf-admin-robot.iam.gserviceaccount.com

Closing for now since this likely isn't related to the client library, but I'll continue to monitor from the Stack Overflow side in case it doesn't work.
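
A check for the fix described in the last comment, as an added example (not code from the issue or from the google-cloud-go project): it reads a project IAM policy in the JSON form printed by `gcloud projects get-iam-policy <project_name> --format=json` and reports whether the Cloud Functions service agent holds `roles/cloudfunctions.serviceAgent`. The project number, the account names and both policy documents are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Role and member format come from the gcloud command in the thread.
const agentRole = "roles/cloudfunctions.serviceAgent"

// Constructed sample data: a project number and two policies shaped like the
// output of `gcloud projects get-iam-policy <project_name> --format=json`.
const sampleProjectNumber = "123456789012"
const policyMissing = `{"bindings":[
 {"role":"roles/owner","members":["serviceAccount:fn-sa@example-project.iam.gserviceaccount.com"]},
 {"role":"roles/pubsub.publisher","members":["serviceAccount:publisher@example-project.iam.gserviceaccount.com"]}]}`
const policyFixed = `{"bindings":[
 {"role":"roles/cloudfunctions.serviceAgent","members":["serviceAccount:service-123456789012@gcf-admin-robot.iam.gserviceaccount.com"]},
 {"role":"roles/owner","members":["serviceAccount:fn-sa@example-project.iam.gserviceaccount.com"]}]}`

type policy struct {
	Bindings []struct {
		Role    string   `json:"role"`
		Members []string `json:"members"`
	} `json:"bindings"`
}

// HasServiceAgentRole reports whether policyJSON binds agentRole to the
// Cloud Functions service agent of the given project number.
func HasServiceAgentRole(policyJSON []byte, projectNumber string) (bool, error) {
	var p policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return false, fmt.Errorf("parse policy: %w", err)
	}
	want := "serviceAccount:service-" + projectNumber + "@gcf-admin-robot.iam.gserviceaccount.com"
	for _, b := range p.Bindings {
		for _, m := range b.Members {
			if b.Role == agentRole && m == want { // exact string match on the member
				return true, nil
			}
		}
	}
	return false, nil
}

func main() {
	ok, err := HasServiceAgentRole([]byte(policyMissing), sampleProjectNumber)
	fmt.Println("agent role bound:", ok, err)
}
```

The first sample mirrors the situation in the thread: the function's own service account has Owner and a dedicated account has Pub/Sub Publisher, yet the service agent binding is absent, so the check returns false.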
