Google Cloud Pub/Sub Pull PERMISSION_DENIED
I have Google Cloud SDK in my local machine, and when I run the command:
gcloud beta pubsub subscriptions pull --auto-ack MY_SUBSCRIPTION_NAME
It works just fine and I can see the messages.
But, if I do the same thing in the GCE VM I created, I get the following error:
ERROR: (gcloud.beta.pubsub.subscriptions.pull) PERMISSION_DENIED: User not authorized to perform this action.
I've tried several things already, like:
Stop the instance and add a Service Account;
Make my instance "Allow full access to all Cloud APIs";
Do
sudo yum update google-cloud-sdk
I don't know what else to try to make it work. Any ideas? Please give me a light here.
You should go to the Cloud console subscriptions page and ensure that your service account has the "Pub/Sub Subscriber" permission on the subscription. When you are on the subscriptions page, you can click the check box next to the subscription and then the following will appear on the right of the screen:
Ensure that your service account is in the circled section and if it is not, add it. To do so, type in the service account under "Add members" and in the "Select a role" dropdown, choose "Pub/Sub Subscriber" and then click the "Add" button. Note that to add the service account, you will need to be logged into the Cloud console with an account that has the Owner or Pub/Sub Admin per the Pub/Sub access control rules.
This is not the same as selecting "Allow full access to all Cloud APIs." That feature indicates which APIs the GCE instance can acccess; it does not affect the authentication of the service account for accessing the desired resource (e.g, subscription) through those APIs.
It is likely that this worked through the gcloud command line tool because you were authenticated with the Google account that was used to create the subscription.
- How does one make logging color in Django/Google App Engine?
- How to transfer Google Cloud project ownership?
- Can't figure out why I get App Engine flex "Uncaught Error: Call to undefined function Google\Protobuf\Internal\bccomp()"
- Migration from Container Registry to Artifact Registry for App Engine Standard Deployments
- Uploading a file Google App - Python
- gcloud not recognized as an internal or external command on Windows
- Not able to connect mysql with SSL enforced to app engine without connecting first in cloud shell
- GAE: find project name by project number
- Google Cloud Bigtable vs Google Cloud Datastore
- Can appengine files in asia.artifacts.../containers/images be safely deleted?
- Google App Engine is sending SVG with wrong mime-type
- Conflicting Errors with Google Cloud App Engine: App Already Exists But Can't Describe It
- A python web framework for google app engine
- Google Cloud Storage vs Google Cloud CDN
- gcloud.app.deploy Error Response: [13] Failed to create cloud build: invalid bucket
- Deleting a Google App Engine application
- Google App Engine slow cold boot time (Flask app)
- Why does my flex env google app engine instance have a minimum of 2 instances running, even when there is no traffic?
- JPA - When to use getTransaction() when persisting objects
- Python Headless Browser for GAE
- No api proxy found for service "memcache" GAE unittest2
- How to get the root directory of my app in google app engine?
- Install a NPM module in docker image and run it with golang app, using Google App Engine flex
- Migrate "App Engine Standard" away from"Container Registry?" (for "Artifact Registry")
- What is the best way to determine the maximum concurrent requests per instance for your App Engine or Cloud Run app?
- Do Google Cloud Task requests count towards concurrent requests in Google App Engine?
- Error migrating Google Cloud Container Registry to Artifact Registry: RESOURCE_EXHAUSTED
- Is it possible to receive email bounce notifications for google app engine - python?
- Google API - Cross platform client credential authentication
- Error during `gcloud app deploy` for GAE app: "Failed to create cloud build: invalid bucket"