Fix GCP Cloud Run Pub/Sub Errors
When working with GCP Cloud Run, you may encounter a configuration error that prevents your deployment from working. This guide explains the most common mistake when using Pub/Sub push with Cloud Run and shows the exact fix.
A Common Mistake
The mistake is creating a Pub/Sub push subscription that points to a Cloud Run service without configuring authentication, which causes push deliveries to fail with 401 errors.
The incorrect command:
gcloud pubsub subscriptions create my-sub --topic=my-topic --push-endpoint=https://my-service-xxxxx-uc.a.run.app/push
Command output:
Created subscription.
When messages are published:
Push delivery fails: 401 Unauthorized.
The Pub/Sub service cannot authenticate to the Cloud Run service. Messages are not delivered.
The Correct Approach
The right way to configure Pub/Sub push for GCP Cloud Run:
gcloud run services add-iam-policy-binding my-service \
  --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com \
  --role=roles/run.invoker \
  --region=us-central1 && \
gcloud pubsub subscriptions create my-sub \
  --topic=my-topic \
  --push-endpoint=https://my-service-xxxxx-uc.a.run.app/push \
  --push-auth-service-account=my-project@appspot.gserviceaccount.com
Successful result:
Created subscription with auth.
Pub/Sub push deliveries succeed. The service receives POST requests with Pub/Sub message envelopes.
How to Prevent This
Grant the Pub/Sub service account roles/run.invoker on the Cloud Run service. Use --push-auth-service-account so that pushes carry an OIDC token for authentication. The push endpoint must return 200 within 60s. Use ack-deadline for retries. Monitor undelivered messages with dead letter topics.
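A check for the misconfiguration described above, as an added example that is not part of the original guide: it reads JSON in the shape produced by `gcloud pubsub subscriptions list --format=json` and `gcloud run services get-iam-policy my-service --format=json`, then reports push subscriptions that have no OIDC service account or whose token account has no roles/run.invoker binding on the service itself. The sample data and the function names are constructed for illustration, and grants inherited from the project or folder are not visible to this check.

```python
import json

# Constructed sample: shape of `gcloud pubsub subscriptions list --format=json`.
SUBSCRIPTIONS_JSON = """[
  {"name": "projects/my-project/subscriptions/my-sub",
   "pushConfig": {"pushEndpoint": "https://my-service-xxxxx-uc.a.run.app/push"}},
  {"name": "projects/my-project/subscriptions/my-sub-auth",
   "pushConfig": {"pushEndpoint": "https://my-service-xxxxx-uc.a.run.app/push",
     "oidcToken": {"serviceAccountEmail": "my-project@appspot.gserviceaccount.com"}}},
  {"name": "projects/my-project/subscriptions/my-pull", "pushConfig": {}}
]"""

# Constructed sample: shape of `gcloud run services get-iam-policy --format=json`.
POLICY_JSON = """{"bindings": [{"role": "roles/run.invoker", "members": [
  "serviceAccount:service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com"]}]}"""


def invoker_members(policy):
    """Members bound to roles/run.invoker directly on the service."""
    return {m for b in policy.get("bindings", [])
            if b.get("role") == "roles/run.invoker"
            for m in b.get("members", [])}


def audit(subscriptions, policy):
    """Return (subscription, finding) pairs for push subscriptions."""
    invokers = invoker_members(policy)
    findings = []
    for sub in subscriptions:
        push = sub.get("pushConfig") or {}
        if not push.get("pushEndpoint"):
            continue  # pull subscription: nothing is pushed to Cloud Run
        short = sub["name"].rsplit("/", 1)[-1]
        email = push.get("oidcToken", {}).get("serviceAccountEmail")
        if not email:
            findings.append((short, "no OIDC token configured for push"))
        elif f"serviceAccount:{email}" not in invokers:
            findings.append((short, f"{email} has no service-level "
                             "roles/run.invoker; check for an inherited grant"))
    return findings


def run_sample():
    return audit(json.loads(SUBSCRIPTIONS_JSON), json.loads(POLICY_JSON))


if __name__ == "__main__":
    for name, finding in run_sample():
        print(f"{name}: {finding}")
```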