How to publish to PubSub using personal (gcloud) credentials

Question

I am trying to publish a message to GCP PubSub using the same credentials that the gcloud CLI does but not having a lot of success.

I can confirm that I can post to a topic by doing

gcloud pubsub topics publish myTopic --project "myProject" --message "Hello World!"

However when I try using the exact same credentials as gcloud using the code below

creds, err := google.FindDefaultCredentials(context.Background())
if err != nil {
    panic(fmt.Sprintf("Unable to retrieve default credentials: %v", err))
}
client, err := pubsub.NewClient(ctx, "myproject", option.WithCredentials(creds))
if err != nil {
    panic(fmt.Sprintf("unable to create GCP storage client: %v", err))
}
topic := client.Topic("myTopic")
r := topic.Publish(ctx, &pubsub.Message{
    Data: []byte("Hello World!"),
})
_, err = r.Get(ctx)
if err != nil {
    panic(fmt.Sprintf("failed to publish message: %v", err))
}

I get the following error message

panic: failed to publish message: rpc error: code = Unauthenticated desc = transport: oauth2: cannot fetch token: 400 Bad Request
Response: {
  "error": "invalid_grant",
  "error_description": "Bad Request"
}

I have also tried loading the json file directly to make sure it is not picking up some other default credentials somewhere but got the same error.

How can I use the same credentials as the gcloud CLI to publish to a pubsub topic I have permissions to?

Answer 1

You need to set up authentication in your Go script. By default, it will use the same credentials as the ones present in the environment where you run your code.

This is an example for setting up a new client with default credentials when creating a bucket:

package main

import (
    "context"
    "fmt"
    "log"
    "time"

    "cloud.google.com/go/storage" 


func main() {
    ctx := context.Background()

    // Sets your Google Cloud Platform project ID.
    projectID := "YOUR_PROJECT_ID"

    // Creates a client.
    client, err := storage.NewClient(ctx)
    if err != nil {
            log.Fatalf("Failed to create client: %v", err)
    }

Accordingly, try this in your code:

ctx := context.Background()
client := pubsub.NewClient(ctx)

Answer 2

Did you to try the option impersonate-service-account? [1] Perhaps this is what you are looking for. Hoping it helps...

[1] https://cloud.google.com/sdk/gcloud/reference#--impersonate-service-account

Answer 3

When I configure my local environment, I'm doing this

• Run the command: gcloud auth application-default login
• Click on the link and allo Google Auth Library

The result of the command should display something like this

Credentials saved to file: [/path/to/application_default_credentials.json]

These credentials will be used by any library that requests Application Default Credentials (ADC).

• Copy the /path/to/application_default_credentials.json
• Create the environment variable GOOGLE_APPLICATION_CREDENTIALS with this value. In linux: export GOOGLE_APPLICATION_CREDENTIALS=/path/to/application_default_credentials.json

Now, your personal credentials are also defined as the default credentials for your apps running on your local environment.