Just followed the tutorial available here; everything's clear and apparently nothing is blocking.
The configured Run service IAM:
gcloud beta run services get-iam-policy $CLOUD_RUN_INSTANCE_NAME
returns
bindings:
- members:
  - serviceAccount:cloud-run-pubsub-invoker@$PROJECT_NAME.iam.gserviceaccount.com
  role: roles/run.invoker
etag: BwWRVC2n5Ek=
version: 1
The subscription:
gcloud pubsub subscriptions describe $app_subscription
returns
ackDeadlineSeconds: 10
expirationPolicy:
  ttl: 2678400s
messageRetentionDuration: 604800s
name: projects/$PROJECT_NAME/subscriptions/$app_subscription
pushConfig:
  oidcToken:
    serviceAccountEmail: cloud-run-pubsub-invoker@$PROJECT_NAME.iam.gserviceaccount.com
  pushEndpoint: https://$CLOUD_RUN_INSTANCE_NAME-he6agqsita-ew.a.run.app/
However, the service doesn't accept anything from the Pub/Sub trigger (it keeps returning 403).
The tutorial does not explicitly tell one to add this role to a service account. But as experienced, the add-iam-binding
command on the Run instance does not seem to be the correct step to take.
The Service Account Token Creator role is also correctly set on the Pub/Sub service account.
This happens in a managed context, not GKE. The Run service is in Europe.
Is it missing from the tutorial? Is that expected, or am I missing something somewhere?
You need to grant the Token Creator role to the Pub/Sub service-agent service account.
Here is the command line that I use:
gcloud projects add-iam-policy-binding <ProjectId> \
    --role roles/iam.serviceAccountTokenCreator \
    --member=serviceAccount:service-<ProjectNumber>@gcp-sa-pubsub.iam.gserviceaccount.com
Copy-paste of the documentation, in fact.
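A check for the three settings this thread turns on (the invoker binding on the Run service, the OIDC service account on the push subscription, and the Token Creator binding for the Pub/Sub service agent on the project), added here as an example and not taken from the question, the answer, or Google's tooling. The inputs are constructed to match the shape of `gcloud ... --format=json` output; project number, service-account names and endpoint are placeholders.

```python
"""Diagnose why a Pub/Sub push to Cloud Run gets 403, from exported IAM policies."""
import json

# Constructed placeholders (not the page's real project values).
PROJECT_NUMBER = "123456789012"
INVOKER_SA = "cloud-run-pubsub-invoker@my-project.iam.gserviceaccount.com"
PUBSUB_AGENT = "service-%s@gcp-sa-pubsub.iam.gserviceaccount.com" % PROJECT_NUMBER

# Shaped like `gcloud run services get-iam-policy ... --format=json`.
RUN_POLICY = json.loads(
    '{"bindings": [{"members": ["serviceAccount:%s"], "role": "roles/run.invoker"}]}'
    % INVOKER_SA)
# Project policy before and after the answer's add-iam-policy-binding command.
PROJECT_POLICY_BEFORE = json.loads('{"bindings": []}')
PROJECT_POLICY_AFTER = json.loads(
    '{"bindings": [{"members": ["serviceAccount:%s"],'
    ' "role": "roles/iam.serviceAccountTokenCreator"}]}' % PUBSUB_AGENT)
# Shaped like `gcloud pubsub subscriptions describe ... --format=json`.
SUBSCRIPTION = {"pushConfig": {"oidcToken": {"serviceAccountEmail": INVOKER_SA},
                               "pushEndpoint": "https://example-ew.a.run.app/"}}


def has_binding(policy, role, member):
    """True if `member` appears under `role` in an IAM policy document."""
    return any(b.get("role") == role and member in b.get("members", [])
               for b in policy.get("bindings", []))


def diagnose(run_policy, project_policy, subscription, project_number):
    """Return the list of missing pieces; an empty list means the push can authenticate."""
    problems = []
    oidc = subscription.get("pushConfig", {}).get("oidcToken", {})
    sa = oidc.get("serviceAccountEmail")
    if not sa:
        problems.append("subscription pushConfig has no oidcToken.serviceAccountEmail")
    elif not has_binding(run_policy, "roles/run.invoker", "serviceAccount:" + sa):
        problems.append(sa + " lacks roles/run.invoker on the Cloud Run service")
    # The service agent that mints the OIDC token needs Token Creator on the project.
    agent = "serviceAccount:service-%s@gcp-sa-pubsub.iam.gserviceaccount.com" % project_number
    if not has_binding(project_policy, "roles/iam.serviceAccountTokenCreator", agent):
        problems.append(agent + " lacks roles/iam.serviceAccountTokenCreator on the project")
    return problems


if __name__ == "__main__":
    for label, pol in (("before", PROJECT_POLICY_BEFORE), ("after", PROJECT_POLICY_AFTER)):
        print(label, diagnose(RUN_POLICY, pol, SUBSCRIPTION, PROJECT_NUMBER) or "ok")
```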