Closed jmcx closed 1 year ago
@jmcx can you check if the same configuration works in K8s for you? I don't see any difference in the CLI and tm/tm reconcilers.
Indeed, same issue on K8s:
```json
{
  "lastTransitionTime": "2023-04-07T14:20:48Z",
  "message": "Access denied to Cloud Storage API: adding notification configuration: googleapi: Error 403: The service account 'service-549199081752@gs-project-accounts.iam.gserviceaccount.com' does not have permission to publish messages to to the Cloud Pub/Sub topic '//pubsub.googleapis.com/projects/object-notifications/topics/default.gcssource~googlecloudstoragesources.sources.triggermesh.io', or that topic does not exist., forbidden",
  "reason": "APIError",
  "status": "False",
  "type": "Subscribed"
}
```
shall we move this ticket to tm/tm ?
I think that it may end up as a documentation issue, but right now tm/tm would be a better fit
Indeed: you had to give the Google Cloud Storage service account for the current project the Pub/Sub publisher role on the project to avoid the aforementioned error.
I'll update the docs: https://github.com/triggermesh/docs/issues/365
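The manual workaround described in the comment above, written out as a POSIX shell helper. This is an added example, not code from the TriggerMesh project or from the issue author. It derives the Cloud Storage service agent from the project number (Google's documented `service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com` form), pulls the project and topic out of the `//pubsub.googleapis.com/projects/.../topics/...` resource name quoted in the 403 message, and composes the `gcloud pubsub topics add-iam-policy-binding` call. It binds `roles/pubsub.publisher` on the topic itself rather than on the whole project, which is the narrower grant; the comment above grants it project-wide, and either satisfies the publish check for this topic. Because the topic is created by the source, the binding can only be applied after the source has created it. The sample resource name and project number below are copied from the error in this thread; `APPLY=1` is an assumed switch that actually executes the command.

```sh
#!/bin/sh
# Added example (not TriggerMesh code): grant the Cloud Storage service agent
# permission to publish to the Pub/Sub topic a GCS source created.
# Assumes gcloud is installed and authenticated when APPLY=1 is set.

# Cloud Storage service agent for a project, derived from its project number.
gcs_service_agent() {
  printf 'service-%s@gs-project-accounts.iam.gserviceaccount.com\n' "$1"
}

# Project id from a full topic resource name
# (//pubsub.googleapis.com/projects/<project>/topics/<topic>).
pubsub_topic_project() {
  rest=${1#//pubsub.googleapis.com/projects/}
  printf '%s\n' "${rest%%/topics/*}"
}

# Topic name from the same resource name.
pubsub_topic_name() {
  printf '%s\n' "${1##*/topics/}"
}

# Compose (but do not run) the IAM binding command, scoped to the topic.
# $1 = topic resource name, $2 = project number of the bucket's project.
grant_publisher_cmd() {
  project=$(pubsub_topic_project "$1")
  topic=$(pubsub_topic_name "$1")
  agent=$(gcs_service_agent "$2")
  printf "gcloud pubsub topics add-iam-policy-binding '%s' --project='%s' --member='serviceAccount:%s' --role='roles/pubsub.publisher'\n" \
    "$topic" "$project" "$agent"
}

# Compose the read-back command used to verify the binding landed.
verify_policy_cmd() {
  project=$(pubsub_topic_project "$1")
  topic=$(pubsub_topic_name "$1")
  printf "gcloud pubsub topics get-iam-policy '%s' --project='%s' --format=json\n" \
    "$topic" "$project"
}

# Constructed inputs, copied from the 403 message quoted in this thread.
TOPIC_RESOURCE='//pubsub.googleapis.com/projects/object-notifications/topics/default.gcssource~googlecloudstoragesources.sources.triggermesh.io'
BUCKET_PROJECT_NUMBER='549199081752'

if [ "${APPLY:-0}" = "1" ]; then
  # Run the grant, then print the resulting policy for review.
  eval "$(grant_publisher_cmd "$TOPIC_RESOURCE" "$BUCKET_PROJECT_NUMBER")"
  eval "$(verify_policy_cmd "$TOPIC_RESOURCE")"
else
  # Dry run: show what would be executed.
  grant_publisher_cmd "$TOPIC_RESOURCE" "$BUCKET_PROJECT_NUMBER"
fi
```

Run it once without `APPLY` to review the command, then with `APPLY=1` to apply it; the `get-iam-policy` read-back should then list the service agent under `roles/pubsub.publisher`. The project number for the bucket's project can be read from `gcloud projects describe PROJECT_ID --format='value(projectNumber)'`.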
It seems like it is impossible today to create a GCS source with tmctl without hitting some errors.
How to reproduce:
Then run
Error:
It looks like the bucket's service account `service-549199081752...` was not given permission to publish notifications to the pub/sub topic created by the triggermesh GCS source. Because this topic was created dynamically by the source, I cannot as a user have provisioned this permission beforehand. Based on a test @FranBarrera did, it sounds like the equivalent command in K8s by creating a GCS source CRD does work and is able to configure these permissions, so maybe there is an issue with the reconciliation logic? If I manually add the missing permission stated above, then everything works. But it is expected that this should happen automatically.