
Google Pub/Sub push subscription into IAP-protected App Engine

I am testing out a very basic Pub/Sub subscription. I have the push endpoint set to an App I have deployed through a Python Flex service in App Engine. The service is in a project with Identity-Aware Proxy enabled. The IAP is configured to allow through users authenticated with our domain.

I do not see any of the push requests being processed by my app.

I turned off the IAP protection and then I see that the requests are processed. I turn it back on and they are no longer processed.

I had similar issues with IAP when trying to get a Cron service running; that issue resolved itself after I deployed a new test app in the same project.

Has anyone had success with configuring a push subscription through IAP? I also experimented with putting different service accounts on the IAP access list and none of them worked.

I'm not aware of a way to get Pub/Sub push subscriptions + Flex + IAP working. I wonder... it might work if the subscriber is on Standard.

Some other potential workarounds:

- Switch to a Pull subscriber.
- Set up a Cloud Functions function as your Pub/Sub subscriber -- https://cloud.google.com/functions/docs/writing/background -- and then in that function pass the request on to the GAE app, using https://cloud.google.com/iap/docs/authentication-howto to authenticate as a service account.

Sorry, I wish I had a better answer for you, but AFAIK those are the options that work today. --Matthew, IAP engineering lead

I had a pretty similar issue - a GAE 2nd G standard application in project A, which is wired under IAP, that cannot receive the pushed pub/sub message from project B.

My workaround is:

  1. Set up a Cloud Function (HTTP triggered) in project A;
  2. Set up the subscription of the project B Pub/Sub topic to push the message to the above Cloud Function endpoint;
  3. The above Cloud Function works like a proxy to filter (needed in my case, ymmv) and forwards the Pub/Sub message in an HTTP request to the GAE app;
  4. Since the Cloud Function is within the same project as the GAE app, it is only necessary to add the IAP authentication to the above HTTP request (which fetches the token assigned to the specific SA);
  5. There should be a project A SA set up in project B's IAM, which may have at least the Pub/Sub Subscriber and Pub/Sub Viewer roles.

Hope this could be an option for your case.
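Both answers above end up at the same design: a Cloud Function receives the Pub/Sub push, then calls the IAP-protected App Engine app with an OIDC ID token minted for the function's service account (the flow described at https://cloud.google.com/iap/docs/authentication-howto). The following is an added example of that proxy, not code from either answer. `IAP_CLIENT_ID`, `APP_URL`, the `target` attribute used as the filter rule and the sample envelope are all placeholders or constructed values; the token fetch uses the google-auth library's `id_token.fetch_id_token` and is imported lazily so the parsing and request-building parts run without it.

```python
"""Cloud Function that proxies a Pub/Sub push into an IAP-protected App Engine app.

Added example, not code from either answer above. Assumptions (placeholders):
  - IAP_CLIENT_ID is the OAuth client ID of the IAP-protected backend.
  - APP_URL is the App Engine handler that should receive the message.
  - The function's runtime service account is on the IAP access list.
"""
import base64
import json
import urllib.error
import urllib.request

IAP_CLIENT_ID = "PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"  # placeholder
APP_URL = "https://PLACEHOLDER-app.appspot.com/_pubsub/push"         # placeholder


def make_push_envelope(data: str, attributes: dict, message_id: str = "1") -> bytes:
    """Build a constructed Pub/Sub push envelope (same shape Pub/Sub sends)."""
    message = {
        "data": base64.b64encode(data.encode("utf-8")).decode("ascii"),
        "attributes": attributes,
        "messageId": message_id,
    }
    envelope = {"message": message, "subscription": "projects/B/subscriptions/s"}  # constructed
    return json.dumps(envelope).encode("utf-8")


def parse_push_envelope(body: bytes) -> dict:
    """Decode the push envelope: message.data is base64 inside the JSON body."""
    envelope = json.loads(body)
    msg = envelope["message"]
    return {
        "message_id": msg.get("messageId"),
        "attributes": msg.get("attributes") or {},
        "data": base64.b64decode(msg.get("data", "")).decode("utf-8"),
        "subscription": envelope.get("subscription"),
    }


def should_forward(parsed: dict) -> bool:
    """Filter hook (hypothetical rule): only forward messages tagged for the app."""
    return parsed["attributes"].get("target") == "gae-app"


def fetch_iap_token(audience: str = IAP_CLIENT_ID) -> str:
    """Get an OIDC ID token for the IAP audience from the runtime service account
    (google-auth library, imported lazily so the pure parts run without it)."""
    from google.auth.transport.requests import Request
    from google.oauth2 import id_token
    return id_token.fetch_id_token(Request(), audience)


def build_forward_request(parsed: dict, token: str, url: str = APP_URL) -> urllib.request.Request:
    """Re-wrap the decoded message and attach the IAP bearer token."""
    payload = {"message_id": parsed["message_id"],
               "attributes": parsed["attributes"],
               "data": parsed["data"]}
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=json.dumps(payload).encode("utf-8"),
                                  headers=headers, method="POST")


def forward_to_app(parsed: dict, token_fetcher=fetch_iap_token, opener=urllib.request.urlopen) -> int:
    """POST the message to the GAE app; returns the HTTP status (non-2xx on failure)."""
    req = build_forward_request(parsed, token_fetcher())
    try:
        with opener(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. 401/403 when the SA is not on the IAP access list


def pubsub_proxy(request):
    """HTTP Cloud Function entry point (receives the Flask request object)."""
    parsed = parse_push_envelope(request.get_data())
    if not should_forward(parsed):
        return ("skipped", 200)  # a 2xx acks the message so Pub/Sub does not redeliver it
    status = forward_to_app(parsed)
    # Anything non-2xx makes Pub/Sub retry the push later.
    return ("forwarded", 200 if 200 <= status < 300 else 500)


if __name__ == "__main__":
    sample = make_push_envelope('{"hello": "world"}', {"target": "gae-app"}, message_id="42")
    print(parse_push_envelope(sample))
```

Two points follow from the answers: the function's runtime service account (not the Pub/Sub push identity) is what must appear on the IAP access list, and the function should only return a 2xx to Pub/Sub once the forward actually succeeded, otherwise a 401/403 from IAP silently acks and drops the message.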
