telpirion
commented
11 months ago Hello @pentium10 ! Thank you for logging this issue.
I'm afraid I cannot reproduce this issue. The Pub/Sub service account, when this solution is deployed into a fresh GCP project, is provisioned with the correct permissions. The service account service-PROJECT_NUM@gcp-sa-pubsub.iam.gserviceaccount.com is a Google-provided role grant. In my clean project, this SA does not have the roles/iam.serviceAccountTokenCreator role.
$ gcloud projects get-iam-policy MY_PROJECT \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:service-#########@gcp-sa-pubsub.iam.gserviceaccount.com"
>>ROLE: roles/pubsub.serviceAgentI wonder whether there are some organizational- or folder-level restrictions for your existing project.
Quick side-note: the place to deploy this solution would be here: https://console.cloud.google.com/products/solutions/details/generative-ai-document-summarization
pentium10
github-actions[bot]
idamezhim
I was able to reconstruct an issue when hiting Deploy from this url https://console.cloud.google.com/products/solutions/deployments/details/us-central1/generative-ai-document-summarization
I used an existing project
all deployments succeed, notebook is working, file is uploaded, EventArc picks up the event, Pub/Sub receives the message, but Pub/Sub is not calling the Cloud Function, although everything looks setup. the GCF exists
I did this many times by undeploying and deploying.
After that I was able to observ in the Edit subscription page of Pub/Sub that it complaints the
roles/iam.serviceAccountTokenCreatoris not applied. Once I manually granted this, the subscription started to fire the push job.Please fix the scripts. and apply this role.