How to properly assign publisher and subscriber roles to a dead-letter topic using terraform
I have a Cloud Storage bucket defined in terraform. The bucket has notifications enabled. The notifications are published to a Pub/Sub topic which is then consumed by a Pub/Sub subscription. I have added dead-lettering to the subscription so I can receive any unacknowledged messages. This is all working well apart from the dead-lettering. Looking at my GCP console, I have the following errors regarding publish/subscribe permissions
I can't figure out where the problem is. Below is my current setup and what I have tried so far.
data "google_storage_project_service_account" "gcs_account" {}
data "google_project" "project" {}
// The topic to which Cloud Storage events will be published to.
resource "google_pubsub_topic" "requests" {
name = "example_name"
}
// After a specified number of failed messages, send to this topic
resource "google_pubsub_topic" "dead_letter" {
name = "example_name"
}
// The bucket
resource "google_storage_bucket" "requests" {
force_destroy = true
location = "EUROPE-WEST1"
name = "example_name"
storage_class = "STANDARD"
uniform_bucket_level_access = true
lifecycle_rule {
condition {
age = 1
}
action {
type = "Delete"
}
}
}
// Create a Google Cloud Storage event notification
resource "google_storage_notification" "request" {
bucket = google_storage_bucket.requests.name
payload_format = "JSON_API_V1"
topic = google_pubsub_topic.requests.id
event_types = ["OBJECT_FINALIZE", "OBJECT_METADATA_UPDATE"]
depends_on = [
google_pubsub_topic_iam_binding.request_binding,
google_pubsub_topic_iam_binding.pubsub_sa_publish_deadletter_topic,
google_pubsub_subscription_iam_binding.pubsub_sa_pull_request_sub
]
}
// The Google Cloud storage service account need to be able to publish an event to the requests topic.
resource "google_pubsub_topic_iam_binding" "request_binding" {
topic = google_pubsub_topic.requests.id
role = "roles/pubsub.publisher"
members = [
"serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"
]
}
// The Google Cloud storage service account need to be able to publish an event to the dead letter topic.
resource "google_pubsub_topic_iam_binding" "pubsub_sa_publish_deadletter_topic" {
topic = google_pubsub_topic.dead_letter.name
role = "roles/pubsub.publisher"
members = [
"serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}",
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
]
}
resource "google_pubsub_subscription" "request" {
name = "example_name"
topic = google_pubsub_topic.requests.name
message_retention_duration = "820s"
ack_deadline_seconds = 300
retry_policy {
maximum_backoff = "77s"
minimum_backoff = "7s"
}
dead_letter_policy {
dead_letter_topic = google_pubsub_topic.dead_letter.id
max_delivery_attempts = 7
}
expiration_policy {
ttl = ""
}
push_config {
oidc_token {
audience = "example_audience"
service_account_email = "example@${var.SOME_PROJECT}.iam.gserviceaccount.com"
}
push_endpoint = "example_url"
}
}
// The Google Cloud storage service account need to be able to pull events from the request topic.
resource "google_pubsub_subscription_iam_binding" "pubsub_sa_pull_request_sub" {
subscription = google_pubsub_subscription.request.name
role = "roles/pubsub.subscriber"
members = [
"serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}",
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
]
}
Solution
For anyone with a similar issue. After reading https://stackoverflow.com/a/70253521/20262182, I switched from using google_pubsub_topic_iam_binding to google_pubsub_topic_iam_member and google_pubsub_subscription_iam_binding to google_pubsub_subscription_iam_member and that worked. Not sure if the iam_binding(Authoritative) was messing with some related permissions.
- gcloud SSH in same terminal window
- Cannot enable API on GCP (User role=Owner && Billing account is linked)
- Select All Columns Except Some in Google BigQuery?
- Why does my flex env google app engine instance have a minimum of 2 instances running, even when there is no traffic?
- How Does GCP Global Application Load Balancer Select the Closest Backend?
- How to use Google Search Grounding with Dynamic Retrieval Configuration
- Google Stackdriver Logging add comments to advanced filter
- Exporting from Cloud SQL to CSV with column headers
- BigQuery Date-Partitioned Views
- Check TPU workload/utilization
- Google Forms API raises google.auth.exceptions.RefreshError: 'No access token in response.'
- Google App Engine slow cold boot time (Flask app)
- How can I see request count (not rate) for a Google Cloud Run application?
- I can write to my Firebase Firestore database, but am unable to read from it (Android Studio using Java)
- How to get task count in GCP cloud task
- Programmatically get current Service Account on GCP
- How to Access GKE Private Master from VPN in Hub VPC with Peering
- My gcp service account with "artifact registry admin" account was not able to push the docker image to repo
- GCP API Gateway: Cannot use path params
- Flask api on gcloud's URL keeps on loading
- GCP CloudBuild substitution fails in pipeline
- Is it secure to use an .env file to store API keys in Firebase Cloud Functions instead of Google Secret Manager?
- How do I keep a long-running background task from stopping on Google Cloud Run?
- GCP Cloud SQL Proxy times out: connectex
- How to automatically back up and version BigQuery code such as stored procs?
- BigQuery Policy Tags: possible as infra as code?
- How to use GCP Translation API to process a table in BigQuery?
- How to enable DML statements on BigTable via BigQuery?
- ScikitLearn model giving 'LocalOutlierFactor' object has no attribute 'predict' Error
- Error: 10: Developer console is not set up correctly (Not Using Firebase) (One Tap sign-up)