4
votes

We are using PubSub for queuing, utilizing a push subscription pointing at an HTTP-triggered Cloud Function. According to this documentation, Cloud Run and App Engine will both authenticate requests from PubSub; Cloud Functions isn't listed. We have used other Google services, like Scheduler, to invoke functions which require authentication, but have not had luck doing so with PubSub.

My question is, does Cloud Functions support authentication from PubSub through a subscription IAM account set, or is it required that the function read and deal with the JWT itself for authentication?

2
Yes, it supports it. Can you share your push subscription configuration? - guillaume blaquiere
The subscription is set basically as @Ricco's answer is below. I have tried different levels of service accounts with no success. Monitoring always shows 401 results for the subscription. - Brettski

2 Answers

4
votes

You need different things:

  • A service account with the role roles/cloudfunctions.invoker
  • Tick Enable authentication
  • Select your service account
  • Add the Cloud Function URL (as provided in the Cloud Function) in the audience field. It's the missing part in Ricco's answer



EDIT 1

PubSub needs to have the authorization to generate a token on a service account. Check the first step on this. There, it shows how to grant the pubsub service agent service account as token creator.
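As an added example (not part of the original answer), this diagnostic compares the claims in the bearer token that Pub/Sub attaches to a push request against the audience and service account chosen in the list above. The function URL, service account email and sample token are constructed placeholders, and the helper names are hypothetical.

```python
import base64
import json
import time

# Placeholders (assumptions): use your own function URL and service account.
FUNCTION_URL = "https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME"
PUSH_SA = "push-invoker@PROJECT_ID.iam.gserviceaccount.com"
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def push_token_problems(auth_header, expected_audience, expected_sa, now=None):
    """List mismatches between the push token's claims and the subscription
    settings. Diagnostic only: the signature is NOT verified here. To actually
    authenticate a request, verify the token against Google's public keys,
    e.g. with google-auth's id_token.verify_oauth2_token."""
    now = time.time() if now is None else now
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        return ["no bearer JWT in Authorization header"]
    try:
        claims = json.loads(_b64url_decode(token.split(".")[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["token payload is not valid base64url JSON"]
    if not isinstance(claims, dict):
        return ["token payload is not a JSON object"]
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append(f"iss is {claims.get('iss')!r}, not a Google issuer")
    if claims.get("aud") != expected_audience:
        problems.append(f"aud is {claims.get('aud')!r}, expected {expected_audience!r}")
    if claims.get("email") != expected_sa or claims.get("email_verified") is not True:
        problems.append(f"email is {claims.get('email')!r}, expected verified {expected_sa!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no numeric exp")
    return problems

def constructed_token(claims):
    # Builds an unsigned sample token for offline testing (constructed data).
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

if __name__ == "__main__":
    sample = {"iss": "https://accounts.google.com", "aud": "https://example.invalid/other",
              "email": PUSH_SA, "email_verified": True, "exp": time.time() + 3600}
    print(push_token_problems("Bearer " + constructed_token(sample), FUNCTION_URL, PUSH_SA))
```

An empty list means the claims match the subscription settings; it says nothing about whether the token is genuine.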

0
votes

Pub/Sub subscription supports the use of service account authentication for subscriptions using "Push".

To use service accounts just specify the endpoint of the cloud function, enable authentication and add a service account to be used to send requests to the cloud function. Make sure that the service account has the appropriate permissions to access both PubSub and cloud functions.
