I am testing out a very basic Pub/Sub subscription. I have the push endpoint set to an App I have deployed through a Python Flex service in App Engine. The service is in a project with Identity-Aware Proxy enabled. The IAP is configured to allow through users authenticated with our domain.
I do not see any of the push requests being processed by my app.
I turned off the IAP protection and then I see that the requests are processed. I turn it back on and they are no longer processed.
Note: This answer uses BETA commands and features.
To enable IAP enabled App Engine access to Pub/Sub push notifications:
- Enable Pub/Sub to create Identity Tokens
- Create a service account that Pub/Sub will use for its identity to IAP
- Create a push Pub/Sub subscription with the service account
- Add the Pub/Sub service account email address to IAP
Allow the Pub/Sub service (Service Agent) to create Identity Tokens on behalf of a service account:
gcloud projects add-iam-policy-binding PROJECT-ID \
--member=serviceAccount:service-PROJECT-NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com \
--role=roles/iam.serviceAccountTokenCreator
Create a service account that Pub/Sub will use for its identity to IAP:
gcloud iam service-accounts create pubsub-invoker \
--display-name "Pub/Sub Invoker Service Account"
Create a push Pub/Sub subscription with the service account:
gcloud beta pubsub subscriptions create mySubscription --topic myTopic \
--push-endpoint=SERVICE-URL/ \
--push-auth-service-account=pubsub-invoker@PROJECT-ID.iam.gserviceaccount.com
Add the service account email address pubsub-invoker@PROJECT-ID.iam.gserviceaccount.com
to IAP for App Engine.
I don't know of a CLI command for this step. Do this step in the Google Cloud Console.