17

I am learning Google Cloud Pub/Sub and following this official document: Writing and Responding to Pub/Sub Messages - Python

When I deploy it to cloud, and try to submit the message, I get the following error:

An internal error occurred: 403 User not authorized to perform this action. (POST https://pubsub.googleapis.com/v1/projects/your-project-id/topics/your-topic:publish) See logs for full stacktrace.

I guess it's due to some authentication problem? Any help would be appreciated.

yusong

4 Answers

19

Make sure that the client you are using is authorized to publish to Pub/Sub. See details here. If your client belongs to the same project as the topic, typically it won't require additional access control configuration. Make sure that your client is authenticated properly.

Emilio Schapira
10

Here are some notes from Google's documentation, Troubleshooting 403 (Forbidden) error:

If you get this error, do the following:

  • Make sure you've enabled the Google Cloud Pub/Sub API in the Cloud Platform Console.
  • Make sure that the principal making the request has the required permissions on the relevant Google Cloud Pub/Sub resources, especially if you are using Google Cloud Pub/Sub for cross-project communication.
  • If you're using Dataflow, make sure that both @cloudservices.gserviceaccount.com and the Compute Engine Service account -compute@developer.gserviceaccount.com have the required permissions on the relevant Google Cloud Pub/Sub resource. See Google Cloud Dataflow Security and Permissions for more information.
  • If you're using App Engine, check your project's Permissions page to see if an App Engine Service Account is listed as an Editor. If it is not, add your App Engine Service Account as an Editor. Normally, the App Engine Service Account is of the form @appspot.gserviceaccount.com.

yusong
7

In the view of the subscription and topic, you can click "permission" -> "add principal", paste the long e-mail from your JSON with the service account, and select the permissions described in

https://cloud.google.com/pubsub/docs/access-control


Daniel
1

Latest python demo works, but ruby API needed viewer permission

The python demo shown in episode 3 of Google video series #pubsubmadeeasy Cloud Pub/Sub in Action worked fine with updated code (see notes below) using the permissions the videos instructed you to add, specifically

Pub/Sub Publisher
Pub/Sub Subscriber

But switching over to the ruby API required adding the viewer permission to the service account created in the demo. Note: using ruby 3.1.0 and gem 'google-cloud-pubsub', '~> 2.9', '>= 2.9.1'.


Pub/Sub Viewer 

Notes on python sample setup:

  • Using python 3.10.1
  • Sample code https://github.com/googleapis/python-pubsub.git specifically https://github.com/googleapis/python-pubsub/tree/main/samples/snippets/quickstart
virtualenv venv && source venv/bin/activate
pip install --upgrade google-cloud-pubsub
export GOOGLE_APPLICATION_CREDENTIALS=downloaded_key.json 
export PROJECT=`gcloud config get-value project`

Error Examples:

subscribe error

/home/dever/.gem/ruby/3.1.0/gems/google-cloud-pubsub-v1-0.6.2/lib/google/cloud/pubsub/v1/subscriber/client.rb:499:
in `rescue in get_subscription':
 7:User not authorized to perform this action.. debug_error_string:
{"created":"@1642638738.357361477",
"description":"Error received from peer ipv6:[2607:f8b0:4006:80a::200a]:443",
"file":"src/core/lib/surface/call.cc","file_line":1063,
"grpc_message":"User not authorized to perform this action.","grpc_status":7} 
(Google::Cloud::PermissionDeniedError)

publish error

/home/dever/.gem/ruby/3.1.0/gems/google-cloud-pubsub-v1-0.6.2/lib/google/cloud/pubsub/v1/publisher/client.rb:574:
in `rescue in get_topic': 
7:User not authorized to perform this action.. 
debug_error_string:{"created":"@1642638676.763569110",
"description":"Error received from peer ipv6:[2607:f8b0:4006:80a::200a]:443",
"file":"src/core/lib/surface/call.cc","file_line":1063,
"grpc_message":"User not authorized to perform this action.","grpc_status":7} 
(Google::Cloud::PermissionDeniedError)
Richard Logwood
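
The answers above come down to which roles the calling principal holds. The following is an added example, not code from any of the answers or from Google's samples: an offline check of an IAM policy against the calls a client makes, which shows why Publisher plus Subscriber is enough to publish and pull but not for the `get_topic` / `get_subscription` calls in the Ruby stack traces. The role table is an abbreviated subset of the predefined roles, and the function names, service account and policy are constructed for illustration.

```python
# Abbreviated subset of the predefined Pub/Sub roles (assumption: only the
# permissions relevant to this page are listed; other roles are ignored).
ROLE_PERMISSIONS = {
    "roles/pubsub.publisher": {"pubsub.topics.publish"},
    "roles/pubsub.subscriber": {"pubsub.subscriptions.consume",
                                "pubsub.topics.attachSubscription"},
    "roles/pubsub.viewer": {"pubsub.topics.get", "pubsub.subscriptions.get"},
}

# Permission each client call needs. get_topic and get_subscription are the
# calls that raise PermissionDeniedError in the Ruby traces.
CALL_PERMISSIONS = {
    "publish": "pubsub.topics.publish",
    "get_topic": "pubsub.topics.get",
    "pull": "pubsub.subscriptions.consume",
    "get_subscription": "pubsub.subscriptions.get",
}


def granted_permissions(policy, member):
    """Union of the permissions the policy's bindings give to `member`."""
    perms = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def missing_roles(policy, member, calls):
    """Map each call that would be denied to the roles that would allow it."""
    have = granted_permissions(policy, member)
    result = {}
    for call in calls:
        need = CALL_PERMISSIONS[call]
        if need not in have:
            result[call] = sorted(r for r, p in ROLE_PERMISSIONS.items() if need in p)
    return result


# Constructed sample: the client_email from a downloaded key file, holding only
# the Publisher and Subscriber roles in a project-level policy.
SA = "serviceAccount:demo-sa@example-project.iam.gserviceaccount.com"
POLICY = {"bindings": [
    {"role": "roles/pubsub.publisher", "members": [SA]},
    {"role": "roles/pubsub.subscriber", "members": [SA]},
]}

if __name__ == "__main__":
    for call, roles in missing_roles(POLICY, SA, CALL_PERMISSIONS).items():
        print(f"{call}: denied, grant one of {roles}")
```

Against a live project, the same question can be asked of the service itself with the client's `test_iam_permissions` method, passing the permission strings used in `CALL_PERMISSIONS`.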