flamingo-run / django-cloud-tasks

It's like Celery, but with Serverless Google Cloud products.
Apache License 2.0

IAM Documentation and additional configurations #42

Open jrobichaud opened 8 months ago

jrobichaud commented 8 months ago

Hi,

The documentation states we must enable 3 APIs (Cloud Tasks, Cloud Scheduler and Admin SDK) in GCP and the rest appears to be Django project configuration.

However I believe there is more to do in order to be fully configured unless there is something I missed. Ex: add IAM to the service account and create pubsub.

On Demand Task:

I suppose we must add Cloud Tasks Enqueuer at least https://cloud.google.com/tasks/docs/reference-access-control

Any others?

Periodic Task

What IAM are needed for

python manage.py schedule_tasks

to work?

Publisher

I suppose some pubsub IAM are needed for publisher or subscriber

It's not stated but I assume the topics must be created manually as well (using GCP's interface or with terraform) and are not managed by a django command.

jrobichaud commented 8 months ago

I confirm Cloud Tasks Enqueuer is required to be able to enqueue a task.

Cloud Tasks Queue Admin is required if you want to let gcp-pilot create the queue for you. Not needed if you created it yourself (ex: with terraform).
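The role split described in the comment above can be checked against a project's IAM policy. This is an added example, not part of the thread or of django-cloud-tasks; the service account names and the sample policy are constructed, and the check only looks at unconditional project-level bindings for the two roles named here.

```python
import json

ENQUEUER = "roles/cloudtasks.enqueuer"        # needed to enqueue a task
QUEUE_ADMIN = "roles/cloudtasks.queueAdmin"   # needed only if gcp-pilot creates the queue

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudtasks.enqueuer",
     "members": ["serviceAccount:worker@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudtasks.queueAdmin",
     "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com",
                 "serviceAccount:worker@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:dev@example.com"]}
  ]
}
""")


def roles_for(policy, service_account):
    """Roles bound directly to the service account in this policy."""
    member = f"serviceAccount:{service_account}"
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(policy, service_account, queues_pre_created):
    """Return finding codes for the two Cloud Tasks roles discussed in the thread.

    Broader roles (for example roles/editor) and queue-level bindings are not
    inspected, so a MISSING_* finding means "not granted through these roles".
    """
    roles = roles_for(policy, service_account)
    findings = []
    if ENQUEUER not in roles:
        findings.append("MISSING_ENQUEUER")       # cannot enqueue tasks
    if queues_pre_created and QUEUE_ADMIN in roles:
        findings.append("EXCESS_QUEUE_ADMIN")     # queue exists already; role can be dropped
    if not queues_pre_created and QUEUE_ADMIN not in roles:
        findings.append("MISSING_QUEUE_ADMIN")    # gcp-pilot cannot create the queue
    return findings


if __name__ == "__main__":
    sa = "worker@example-project.iam.gserviceaccount.com"
    print(sa, audit(SAMPLE_POLICY, sa, queues_pre_created=True))
```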

jrobichaud commented 8 months ago

This should be specified in the documentation too:

INSTALLED_APPS = [
    #...
    "django_cloud_tasks",
    #...
]

jc15100 commented 7 months ago

I keep hitting IAM issues with my setup here. Service account has all of the mentioned roles but the error below happens whenever testing.

  File "/opt/homebrew/anaconda3/lib/python3.11/site-packages/google/api_core/grpc_helpers.py", line 81, in error_remapped_callable
    raise exceptions.from_grpc_error(exc) from exc
google.api_core.exceptions.PermissionDenied: 403 Permission denied on resource project appspot.gserviceaccount.com. [links { description: "Google developers console" url: "https://console.developers.google.com" } , reason: "CONSUMER_INVALID" domain: "googleapis.com" metadata { key: "service" value: "cloudtasks.googleapis.com" } metadata { key: "consumer" value: "projects/appspot.gserviceaccount.com" }