I cannot say exactly since when we have this problem, since our project is still in development and we only periodically deploy to test things.
In our most recent test the PubSub authentication does not seem to work anymore. When subscribing to a topic, the following error comes up in the logs:
21:10:29.577 Error subscribing to '123456'-topic: googleapi: Error 401: The request does not have valid authentication credentials., unauthorized
This error is new. It worked fine before. We cannot trace it back to any code change on our part.
This error is also not occuring on the devappserver with the PubSub-Emulator.
The subscriber is in the same project as the PubSub-Service. Again, everything here is happening in one project.
Here is some insight into what we are doing:
client, err := pubsub.NewClient(ctx, "lol123", option.WithTokenSource(google.AppEngineTokenSource(ctx, pubsub.ScopePubSub)), option.WithHTTPClient(urlfetch.Client(ctx)))
[...] more code [...]
_, err := client.NewSubscription(ctx, subname, topic, 0, &pubsub.PushConfig{
Endpoint: endpoint,
})
Pretty standard stuff.
Here are things we tried to play with:
Adding a second scope:
option.WithTokenSource(google.AppEngineTokenSource(ctx, pubsub.ScopePubSub, pubsub.ScopeCloudPlatform)
Using the default tokensource:
tokenSource, _ := google.DefaultTokenSource(ctx, pubsub.ScopePubSub)
option.WithTokenSource(tokenSource)
Adding an endpoint, in case https://experimental.pubsub.googleapis.com/ is somehow used:
option.WithEndpoint("https://pubsub.googleapis.com/")
Also, we switched from the previous cloud.WithTokenSource(...)-stuff to the new option.WithTokenSource(...)-libraries. This migration to the new Cloud-Libraries worked well. However, they did not help with the permission problem.
We also played around with every imaginable combination of Service Accounts and Permissions. E.g., the default Appengine Service Account has been added as Owner to all PubSub-Topics. Remember, that this error is new and it worked before and we cannot trace it back to changes on our part.
Any ideas and suggestions? We'll try pretty much anything at this point. ;-)
