Google Pub/Sub push message not working for IAP en

2020-05-29 10:47发布

问题:

I am testing out a very basic Pub/Sub subscription. I have the push endpoint set to an App I have deployed through a Python Flex service in App Engine. The service is in a project with Identity-Aware Proxy enabled. The IAP is configured to allow through users authenticated with our domain.

I do not see any of the push requests being processed by my app.

I turned off the IAP protection and then I see that the requests are processed. I turn it back on and they are no longer processed.

回答1:

Note: This answer uses BETA commands and features.

To enable IAP enabled App Engine access to Pub/Sub push notifications:

  • Enable Pub/Sub to create Identity Tokens
  • Create a service account that Pub/Sub will use for its identity to IAP
  • Create a push Pub/Sub subscription with the service account
  • Add the Pub/Sub service account email address to IAP

Allow the Pub/Sub service (Service Agent) to create Identity Tokens on behalf of a service account:

gcloud projects add-iam-policy-binding PROJECT-ID \
     --member=serviceAccount:service-PROJECT-NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com \
     --role=roles/iam.serviceAccountTokenCreator

Create a service account that Pub/Sub will use for its identity to IAP:

gcloud iam service-accounts create pubsub-invoker \
     --display-name "Pub/Sub Invoker Service Account"

Create a push Pub/Sub subscription with the service account:

gcloud beta pubsub subscriptions create mySubscription --topic myTopic \
   --push-endpoint=SERVICE-URL/ \
   --push-auth-service-account=pubsub-invoker@PROJECT-ID.iam.gserviceaccount.com

Add the service account email address pubsub-invoker@PROJECT-ID.iam.gserviceaccount.com to IAP for App Engine.

I don't know of a CLI command for this step. Do this step in the Google Cloud Console.