Google Pub/Sub push message not working for IAP enabled app engine

梦毁少年i 2021-02-06 19:02

I am testing out a very basic Pub/Sub subscription. I have the push endpoint set to an App I have deployed through a Python Flex service in App Engine. The service is in a proje

1 Answer
  • 2021-02-06 19:28

    Note: This answer uses BETA commands and features.

    To enable IAP-enabled App Engine access to Pub/Sub push notifications:

    • Enable Pub/Sub to create Identity Tokens
    • Create a service account that Pub/Sub will use for its identity to IAP
    • Create a push Pub/Sub subscription with the service account
    • Add the Pub/Sub service account email address to IAP

    Allow the Pub/Sub service (Service Agent) to create Identity Tokens on behalf of a service account:

    gcloud projects add-iam-policy-binding PROJECT-ID \
         --member=serviceAccount:service-PROJECT-NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com \
         --role=roles/iam.serviceAccountTokenCreator
    

    Create a service account that Pub/Sub will use for its identity to IAP:

    gcloud iam service-accounts create pubsub-invoker \
         --display-name "Pub/Sub Invoker Service Account"
    

    Create a push Pub/Sub subscription with the service account:

    gcloud beta pubsub subscriptions create mySubscription --topic myTopic \
       --push-endpoint=SERVICE-URL/ \
       --push-auth-service-account=pubsub-invoker@PROJECT-ID.iam.gserviceaccount.com
    

    Add the service account email address pubsub-invoker@PROJECT-ID.iam.gserviceaccount.com to IAP for App Engine.

    I don't know of a CLI command for this step. Do this step in the Google Cloud Console.

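A subscription created with `--push-auth-service-account` attaches an `Authorization: Bearer <JWT>` header to each push, so when delivery still fails it helps to see which identity and audience that token carries. The Python sketch below is an added example, not part of the original answer: it decodes and compares claims only and does not verify Google's signature, so it is a debugging aid rather than an access check. The function names, the sample token and the expected audience are constructed assumptions.

```python
import base64
import json
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

def b64url(obj):
    """Encode a dict the way a JWT segment is encoded (base64url, no padding)."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(authorization_header):
    """Return the JWT payload of a 'Bearer <jwt>' header. No signature check."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise ValueError("expected 'Bearer <header>.<payload>.<signature>'")
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_push_identity(claims, expected_email, expected_audience, now=None):
    """List every way the token differs from what the subscription should send."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("issuer")
    if claims.get("email") != expected_email or claims.get("email_verified") is not True:
        problems.append("email")
    if claims.get("aud") != expected_audience:
        problems.append("audience")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    return problems

# Constructed sample: placeholder values from the answer, fake signature.
SAMPLE_EMAIL = "pubsub-invoker@PROJECT-ID.iam.gserviceaccount.com"
SAMPLE_AUDIENCE = "SERVICE-URL/"  # assumption: audience left at the push endpoint
SAMPLE_CLAIMS = {"iss": "https://accounts.google.com", "email": SAMPLE_EMAIL,
                 "email_verified": True, "aud": SAMPLE_AUDIENCE, "exp": 2000000000}
SAMPLE_HEADER = "Bearer %s.%s.%s" % (
    b64url({"alg": "RS256", "typ": "JWT"}), b64url(SAMPLE_CLAIMS), "constructed-sig")

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_HEADER)
    print(claims["email"], claims["aud"])
    print(check_push_identity(claims, SAMPLE_EMAIL, SAMPLE_AUDIENCE, now=1700000000))
```

An `email` mismatch means the token's identity is not the service account that was added to IAP; an `audience` mismatch means the subscription's token audience is not the value the receiving side expects.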