2

I am testing out a very basic Pub/Sub subscription. I have the push endpoint set to an App I have deployed through a Python Flex service in App Engine. The service is in a project with Identity-Aware Proxy enabled. The IAP is configured to allow through users authenticated with our domain.

I do not see any of the push requests being processed by my app.

I turned off the IAP protection and then I see that the requests are processed. I turn it back on and they are no longer processed.

I had similar issues with IAP when trying to get a Cron service running; that issue resolved itself after I deployed a new test app in the same project.

Has anyone had success with configuring a push subscription through IAP? I also experimented with putting different service accounts on the IAP access list and none of them worked.

Matthew Sachs
  • 1,545
  • 6
  • 9

2 Answers

1

I'm not aware of a way to get Pub/Sub push subscriptions + Flex + IAP working. I wonder... it might work if the subscriber is on Standard.

Some other potential workarounds:

  • Switch to a Pull subscriber.
  • Set up a Cloud Functions function as your Pub/Sub subscriber -- https://cloud.google.com/functions/docs/writing/background -- and then in that function pass the request on to the GAE app, using https://cloud.google.com/iap/docs/authentication-howto to authenticate as a service account.

Sorry, I wish I had a better answer for you, but AFAIK those are the options that work today. --Matthew, IAP engineering lead

Matthew Sachs
  • 1,545
  • 6
  • 9
  • Thanks. I ended up setting up a separate project not using IAP to host the Pull subscribers in a Flex environment. – Bill Snider Nov 12 '17 at 16:33
  • In testing (December 2018) I don't believe that Pub/Sub push subscriptions + IAP + Standard (2nd gen) works either. – Jeff Sisson Dec 20 '18 at 20:49
1

I had a pretty similar issue - a GAE 2nd G standard application in project A, which is wired under IAP, that cannot receive the pushed pub/sub message from project B.

My workaround is:

  1. Set up a Cloud Function (HTTP triggered) in project A;
  2. Set up the subscription of the project B Pub/Sub topic to push the message to the above Cloud Function endpoint;
  3. The above Cloud Function works like a proxy to filter (needed in my case, ymmv) and forwards the Pub/Sub message in an HTTP request to the GAE app;
  4. Since the Cloud Function is within the same project as the GAE app, it is only necessary to add the IAP authentication for the above HTTP request (which fetches the token assigned to the specific SA).
  5. There should be a project A SA set up in project B IAM, which should have at least the Pub/Sub Subscriber and Pub/Sub Viewer roles.

Hope this could be an option for your case.

Ronny Wang
  • 11
  • 2
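As an added example, not code from this thread or from Google, here is a Python sketch of the proxy both answers describe: a Cloud Function receives the Pub/Sub push envelope, filters it, mints an OIDC ID token for its own service account with the IAP OAuth client ID as audience (the service-account flow from the authentication-howto page linked in the first answer), and forwards the message to the IAP-protected App Engine app. The client ID, App Engine URL, the `eventType` attribute used for filtering and the sample envelope are all placeholders or constructed values; the real token call uses google-auth's `google.oauth2.id_token.fetch_id_token`, imported lazily so the parsing and forwarding logic runs offline with a fake token minter and a recording sender.

```python
"""Pub/Sub push -> IAP-protected App Engine proxy (example, not from the thread)."""
import base64
import json
import urllib.request
from typing import Callable, Dict, List, Tuple

# Placeholders: substitute your IAP OAuth client ID and the App Engine endpoint.
IAP_CLIENT_ID = "PLACEHOLDER-IAP-CLIENT-ID.apps.googleusercontent.com"
GAE_PUSH_URL = "https://example-project.appspot.com/pubsub/push"
# Constructed filter rule: the attribute name and values are assumptions.
ALLOWED_EVENT_TYPES = {"order.created", "order.updated"}


def parse_push_envelope(body: bytes) -> Dict:
    """Decode the JSON envelope Pub/Sub POSTs to a push endpoint.
    Raises ValueError on malformed input so the caller can answer 400."""
    try:
        envelope = json.loads(body)
    except ValueError as exc:
        raise ValueError(f"envelope is not JSON: {exc}") from exc
    message = envelope.get("message") if isinstance(envelope, dict) else None
    if not isinstance(message, dict) or "messageId" not in message:
        raise ValueError("envelope lacks a 'message' object with 'messageId'")
    try:  # binascii.Error raised by validate=True is a ValueError subclass
        data = base64.b64decode(message.get("data", ""), validate=True)
    except ValueError as exc:
        raise ValueError("message data is not valid base64") from exc
    attributes = message.get("attributes") or {}
    if not isinstance(attributes, dict):
        raise ValueError("message attributes must be an object")
    return {"message_id": message["messageId"], "data": data,
            "attributes": attributes, "subscription": envelope.get("subscription", "")}


def should_forward(msg: Dict) -> bool:
    """The filter step from the second answer: drop what the app does not need."""
    return msg["attributes"].get("eventType") in ALLOWED_EVENT_TYPES


def fetch_iap_id_token(audience: str) -> str:
    """Mint an OIDC ID token for the function's own service account with the IAP
    client ID as audience; IAP validates this from the Authorization header.
    google-auth is imported here so the rest of the module runs without it."""
    from google.auth.transport.requests import Request
    from google.oauth2 import id_token
    return id_token.fetch_id_token(Request(), audience)


def build_forward_request(msg: Dict, token: str, url: str = GAE_PUSH_URL) -> Dict:
    """Assemble the HTTP request the proxy sends to the IAP-protected app."""
    payload = {"message_id": msg["message_id"], "subscription": msg["subscription"],
               "attributes": msg["attributes"],
               "data": msg["data"].decode("utf-8", errors="replace")}
    return {"method": "POST", "url": url,
            "headers": {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/json"},
            "body": json.dumps(payload).encode("utf-8")}


def send_request(req: Dict) -> int:
    """Default sender: perform the forward with urllib and return the status."""
    http_req = urllib.request.Request(req["url"], data=req["body"],
                                      headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(http_req, timeout=10) as resp:
        return resp.status


def handle_push(body: bytes,
                token_fetcher: Callable[[str], str] = fetch_iap_id_token,
                sender: Callable[[Dict], int] = send_request) -> Tuple[int, str]:
    """Entry point a Cloud Function would call with request.get_data().
    Any 2xx acknowledges the message to Pub/Sub; anything else is redelivered."""
    try:
        msg = parse_push_envelope(body)
    except ValueError as exc:
        return 400, str(exc)
    if not should_forward(msg):
        return 204, "filtered"  # ack without forwarding
    status = sender(build_forward_request(msg, token_fetcher(IAP_CLIENT_ID)))
    return (204, "forwarded") if 200 <= status < 300 else (502, f"upstream returned {status}")


def sample_envelope(event_type: str = "order.created") -> bytes:
    """Constructed envelope shaped like a Pub/Sub push body (sample, not captured)."""
    return json.dumps({"message": {
        "data": base64.b64encode(b'{"order_id": 42}').decode("ascii"),
        "attributes": {"eventType": event_type}, "messageId": "1234567890",
        "publishTime": "2018-12-20T20:49:00.000Z"},
        "subscription": "projects/project-b/subscriptions/to-project-a-proxy"}).encode()


def demo() -> Dict:
    """Run the proxy offline with a fake token minter and a recording sender."""
    sent: List[Dict] = []

    def record(req: Dict) -> int:
        sent.append(req)
        return 200

    response = handle_push(sample_envelope(),
                           token_fetcher=lambda aud: f"fake-id-token-for-{aud}",
                           sender=record)
    return {"response": response, "sent": sent}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the Cloud Function's service account must also be on the IAP access list of project A, and the forwarded request carries only the minted ID token, never the caller's own Pub/Sub credentials.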