
I have a Pub/Sub topic with a push subscription. I want my AppEngine app to be called when a message is published to the topic.
Here's how I created the subscription:

      from google.cloud import pubsub_v1

      subscriber = pubsub_v1.SubscriberClient()
      # project_id, subscription_id and topic_id are set elsewhere in the app
      subscription_name = subscriber.subscription_path(project_id, subscription_id)
      pubsub_topic = subscriber.topic_path(project_id, topic_id)

      # Push subscription: Pub/Sub calls the endpoint with an OIDC token minted for the GAE default SA
      subscriber.create_subscription(
          name=subscription_name,
          topic=pubsub_topic,
          push_config=pubsub_v1.types.PushConfig(
              push_endpoint='my_gae_app_hostname/api/update',
              oidc_token=pubsub_v1.types.PushConfig.OidcToken(
                  service_account_email=f"{project_id}@appspot.gserviceaccount.com")))

My GAE app is behind Identity-Aware Proxy (IAP). Without IAP everything works fine. But if IAP is enabled, GAE isn't being called. There aren't any errors in the logs. In Cloud Console, on the Pub/Sub Subscriptions page, I can just see that there are undelivered messages (on the Overview graph).

IAP has a principal for the GAE default account, which I use for the subscription (service_account_email).

I granted the Pub/Sub SA the iam.serviceAccountTokenCreator role (though according to the docs it's not needed anymore):

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:service-$PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com" \
  --role=roles/iam.serviceAccountTokenCreator

I tried creating a separate SA as well (as suggested in this answer); it didn't help.

Shrike
  • Does this answer your question? [Google Pub/Sub push message not working for IAP enabled app engine](https://stackoverflow.com/questions/57817374/google-pub-sub-push-message-not-working-for-iap-enabled-app-engine) – Atef Hares Mar 02 '22 at 04:21

1 Answer

You have to specify the correct audience. When you use App Engine and IAP, the audience is unusual. I wrote an article where you can find the correct value to set.

To speed up your search, here is the most important info:

  • The audience has the pattern <PROJECT_NUMBER>-<HASH>.apps.googleusercontent.com
  • The audience is the IAP client ID. You can find it by going to API & Services and selecting Credentials. Look at the OAuth 2.0 client IDs, find the IAP-App-Engine-app line and copy the Client ID.
guillaume blaquiere
  • Thank you so much, adding the audience argument (both via gcloud and via Python client) has solved the issue! – Shrike Mar 02 '22 at 13:44
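Putting the answer together: below is an added example (not code from the question, the answer or Google's docs) that builds the push config with the OIDC audience set to the IAP OAuth client ID and creates the subscription with the google-cloud-pubsub client. The project, topic, hostname, service account and client ID values are assumed placeholders. The shape check on the audience only applies the `<PROJECT_NUMBER>-<HASH>.apps.googleusercontent.com` pattern from the answer; it catches the common mistake of passing the endpoint URL as the audience, but it cannot tell you whether the ID is the one IAP actually uses for your app, which you still have to copy from API & Services > Credentials.

```python
"""Push subscription for an IAP-protected App Engine endpoint.

Added example, not code from the question or answer. Behind IAP the OIDC token
audience must be the IAP OAuth client ID; with any other audience IAP rejects
the push and the messages show up as undelivered. All concrete values are assumed.
"""
import re

try:
    from google.cloud import pubsub_v1  # real client; optional so the helpers below run offline
except ImportError:
    pubsub_v1 = None

# Shape of the "IAP-App-Engine-app" client ID listed under API & Services > Credentials:
# <PROJECT_NUMBER>-<HASH>.apps.googleusercontent.com
IAP_CLIENT_ID_RE = re.compile(r"^\d+-[a-z0-9]+\.apps\.googleusercontent\.com$")


def is_iap_client_id(audience: str) -> bool:
    """True if the string has the IAP OAuth client ID shape (a sanity check, not proof it is yours)."""
    return IAP_CLIENT_ID_RE.match(audience) is not None


def build_push_config(push_endpoint: str, service_account_email: str, audience: str) -> dict:
    """Return push_config in the plain-dict form the Pub/Sub API accepts.

    Rejects the two mistakes that silently break delivery behind IAP: a non-https
    endpoint and an audience that is not shaped like the IAP client ID.
    """
    if not push_endpoint.startswith("https://"):
        raise ValueError(f"push_endpoint must be an https URL, got {push_endpoint!r}")
    if not is_iap_client_id(audience):
        raise ValueError(f"audience {audience!r} does not look like an IAP OAuth client ID")
    return {
        "push_endpoint": push_endpoint,
        "oidc_token": {
            "service_account_email": service_account_email,
            "audience": audience,  # the IAP client ID, not the endpoint URL
        },
    }


def create_iap_push_subscription(project_id: str, topic_id: str, subscription_id: str,
                                 push_endpoint: str, service_account_email: str,
                                 audience: str):
    """Create the subscription (needs ADC credentials and google-cloud-pubsub installed)."""
    if pubsub_v1 is None:
        raise RuntimeError("pip install google-cloud-pubsub")
    subscriber = pubsub_v1.SubscriberClient()
    return subscriber.create_subscription(
        request={
            "name": subscriber.subscription_path(project_id, subscription_id),
            "topic": subscriber.topic_path(project_id, topic_id),
            "push_config": build_push_config(push_endpoint, service_account_email, audience),
        }
    )


if __name__ == "__main__":
    # Assumed placeholder values; replace with your own before running against a real project.
    print(create_iap_push_subscription(
        project_id="my-project",
        topic_id="updates",
        subscription_id="updates-push",
        push_endpoint="https://my-project.appspot.com/api/update",
        service_account_email="my-project@appspot.gserviceaccount.com",
        audience="123456789012-abcdef0123456789.apps.googleusercontent.com",
    ))
```

The gcloud equivalent sets the same two fields with `--push-auth-service-account=<SA_EMAIL>` and `--push-auth-token-audience=<IAP_CLIENT_ID>` on `gcloud pubsub subscriptions create`. If you are changing an existing subscription, the update path is the same idea: replace the push config rather than recreating the subscription, so unacked messages are not lost.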