Closed pentium10 closed 8 months ago
Hello @pentium10 ! Thank you for logging this issue.
I'm afraid I cannot reproduce this issue. The Pub/Sub service account, when this solution is deployed into a fresh GCP project, is provisioned with the correct permissions. The service account service-PROJECT_NUM@gcp-sa-pubsub.iam.gserviceaccount.com is a Google-provided role grant. In my clean project, this SA does not have the roles/iam.serviceAccountTokenCreator role.
$ gcloud projects get-iam-policy MY_PROJECT \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:service-#########@gcp-sa-pubsub.iam.gserviceaccount.com"
>>ROLE: roles/pubsub.serviceAgent
I wonder whether there are some organizational- or folder-level restrictions for your existing project.
Quick side-note: the place to deploy this solution would be here: https://console.cloud.google.com/products/solutions/details/generative-ai-document-summarization
I am not under any organization. It's under a private project of mine that I constantly use for workshops. I didn't read anywhere this should be deployed to a fresh project. This should work also on existing projects.
I was able to pinpoint the issue because the Pub/Sub interface told me that role should be added.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days
@pentium10 how did you fix this? I am currently battling with this.
This issue is still a problem. I don't understand how I can be more helpful, @telpirion.
I was able to reconstruct an issue when hitting Deploy from this URL: https://console.cloud.google.com/products/solutions/deployments/details/us-central1/generative-ai-document-summarization
I used an existing project.
All deployments succeed, the notebook is working, the file is uploaded, EventArc picks up the event, Pub/Sub receives the message, but Pub/Sub is not calling the Cloud Function, although everything looks set up. The GCF exists.
I did this many times by undeploying and deploying.
After that I was able to observe in the Edit subscription page of Pub/Sub that it complains that roles/iam.serviceAccountTokenCreator is not applied. Once I manually granted this, the subscription started to fire the push job. Please fix the scripts and apply this role.
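A check for the condition reported in this thread, added here as an example and not part of the repository's deployment scripts: it reuses the `get-iam-policy` query shown above to test whether the Pub/Sub service agent holds `roles/iam.serviceAccountTokenCreator` at project level, and prints the grant command if it does not. It assumes an authenticated `gcloud`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's code. Function names are hypothetical.
ROLE_NEEDED="roles/iam.serviceAccountTokenCreator"

# Build the Pub/Sub service agent address from a project number.
pubsub_agent() {
  printf 'service-%s@gcp-sa-pubsub.iam.gserviceaccount.com\n' "$1"
}

# Read one role per line on stdin; succeed only on an exact match, so that
# roles/pubsub.serviceAgent on its own does not count.
has_token_creator() {
  grep -qxF "$ROLE_NEEDED"
}

# roles_for_member PROJECT_ID MEMBER: project-level roles bound to MEMBER.
# Same query as in the thread, with value() output (one role per line).
roles_for_member() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --format='value(bindings.role)' \
    --filter="bindings.members:$2"
}

# check_project PROJECT_ID
# Returns 0 if the role is present, 1 if missing, 2 if gcloud failed.
check_project() {
  _num="$(gcloud projects describe "$1" --format='value(projectNumber)')" || return 2
  _agent="$(pubsub_agent "$_num")"
  _roles="$(roles_for_member "$1" "$_agent")" || return 2
  if printf '%s\n' "$_roles" | has_token_creator; then
    echo "OK: $_agent has $ROLE_NEEDED"
    return 0
  fi
  echo "MISSING: $_agent lacks $ROLE_NEEDED. To grant it:"
  echo "  gcloud projects add-iam-policy-binding $1 \\"
  echo "    --member=serviceAccount:$_agent \\"
  echo "    --role=$ROLE_NEEDED"
  return 1
}
```

Run `check_project MY_PROJECT` before deploying into an existing project; the script only prints the binding command, so the grant stays a reviewed, manual step.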