问题描述

我正在测试一个非常基本的发布/订阅订阅.我已将推送端点设置为已通过App Engine中的Python Flex服务部署的应用程序.该服务位于启用了身份识别代理的项目中. IAP配置为允许通过我们的域认证的用户.

I am testing out a very basic Pub/Sub subscription. I have the push endpoint set to an App I have deployed through a Python Flex service in App Engine. The service is in a project with Identity-Aware Proxy enabled. The IAP is configured to allow through users authenticated with our domain.

我的应用程序未处理任何推送请求.

I do not see any of the push requests being processed by my app.

我关闭了IAP保护，然后看到请求已处理.我将其重新打开，便不再进行处理.

I turned off the IAP protection and then I see that the requests are processed. I turn it back on and they are no longer processed.

推荐答案

注意:此答案使用了BETA命令和功能.

要启用启用了IAP的App Engine访问发布/订阅推送通知，

To enable IAP enabled App Engine access to Pub/Sub push notifications:

• 启用发布/订阅以创建身份令牌
• 创建一个服务帐户，Pub/Sub将使用该服务帐户向IAP提供身份
• 使用服务帐户创建推送发布/订阅订阅
• 将发布/订阅服务帐户的电子邮件地址添加到IAP

允许发布/订阅服务(服务代理)代表服务帐户创建身份令牌:

Allow the Pub/Sub service (Service Agent) to create Identity Tokens on behalf of a service account:

gcloud projects add-iam-policy-binding PROJECT-ID \
     --member=serviceAccount:[email protected] \
     --role=roles/iam.serviceAccountTokenCreator

创建一个发布/订阅将用于向IAP标识的服务帐户:

Create a service account that Pub/Sub will use for its identity to IAP:

gcloud iam service-accounts create pubsub-invoker \
     --display-name "Pub/Sub Invoker Service Account"

使用服务帐户创建推送发布/订阅订阅:

Create a push Pub/Sub subscription with the service account:

gcloud beta pubsub subscriptions create mySubscription --topic myTopic \
   --push-endpoint=SERVICE-URL/ \
   --push-auth-service-account=pubsub-invoker@PROJECT-ID.iam.gserviceaccount.com

将服务帐户电子邮件地址[email protected]添加到App Engine的IAP.

Add the service account email address [email protected] to IAP for App Engine.

我不知道此步骤的CLI命令.在Google Cloud Console中执行此步骤.

I don't know of a CLI command for this step. Do this step in the Google Cloud Console.

这篇关于Google Pub/Sub推送消息不适用于启用IAP的应用程序引擎的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！