I have deployed a service for the subscribing end of Pub/Sub following this [tutorial](https://cloud.google.com/run/docs/tutorials/pubsub?hl=fr#run-clone-sample-repository-python).
After having some trouble with authentication, I can send messages via the Python client library on my local machine, using `gcloud auth application-default login` to authenticate myself.
My publisher code contains

```python
import os

# Point the client library at a credentials file explicitly
credentials_path = (
    "path_to_application_default_credentials.json"
)
os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = credentials_path
```

After reading several pages of documentation on authentication, I am still confused about this topic of using service accounts. I want to integrate this code into an existing FastAPI app deployed on Cloud Run, for example to publish a message via an HTTP request.
What steps do I need to take to properly authenticate my app to publish messages?
Use the ADC mechanism on Google Cloud. Your `gcloud auth application-default login` is the right one to use it.
But you don't need to specify it in your code. The client libraries are designed to automatically find the default credentials from the runtime environment.
You can give it a try! Delete the 2 lines you mentioned in your publisher; it should work! If not, be sure that there is nothing defined in the `GOOGLE_APPLICATION_CREDENTIALS` env variable on your local machine.
On Cloud Run, the mechanism will be the same: the libraries will detect your runtime service account (this is the one you can define when you deploy your Cloud Run, your service identity).
You don't need extra code and, above all, you don't need a service account key file!
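
To check which credential the client libraries would pick up in a given environment, the following added example (not part of the original question or answer) walks the ADC search order: the `GOOGLE_APPLICATION_CREDENTIALS` variable, then the file written by `gcloud auth application-default login`, then the metadata server. The function and field names are hypothetical, and the well-known path assumes Linux or macOS without a `CLOUDSDK_CONFIG` override.

```python
import json
import os
from pathlib import Path

# Well-known file written by `gcloud auth application-default login` (Linux/macOS).
WELL_KNOWN = Path(".config") / "gcloud" / "application_default_credentials.json"


def _cred_type(path):
    """Return the "type" field of a credential file, or None if unreadable."""
    try:
        return json.loads(Path(path).read_text()).get("type")
    except (OSError, ValueError, AttributeError):
        return None


def adc_source(env=None, home=None):
    """Report which credential ADC would select, following its search order."""
    env = os.environ if env is None else env
    home = Path.home() if home is None else Path(home)

    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        # Step 1: an explicit file always wins, even on Cloud Run.
        source, ctype = "env_var", _cred_type(explicit)
    elif (home / WELL_KNOWN).is_file():
        # Step 2: user credentials from the gcloud login on a workstation.
        source, ctype = "gcloud_user_file", _cred_type(home / WELL_KNOWN)
    else:
        # Step 3: no file anywhere, so the library asks the metadata server,
        # which on Cloud Run issues tokens for the runtime service account.
        source, ctype = "metadata_server", None

    return {
        "source": source,
        "type": ctype,
        # A "service_account" file is a long-lived exported key: the thing to avoid.
        "uses_key_file": ctype == "service_account",
        "on_cloud_run": "K_SERVICE" in env,  # variable set by Cloud Run
    }


if __name__ == "__main__":
    print(adc_source())
```

On Cloud Run the expected result is `metadata_server` with `uses_key_file` false; an `env_var` source there means a key file was baked into the image or configuration.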