pubsub/ERR/2025_001

Pub/Sub push subscription service agent has the Service Account Token Creator Role.

Product: Cloud Pub/Sub
Rule class: ERR - Something that is very likely to be wrong

Description

The Pub/Sub service agent (service-{project-number}@gcp-sa-pubsub.iam.gserviceaccount.com) must be granted the Service Account Token Creator Role (roles/iam.serviceAccountTokenCreator) on the service account used by a push subscription with authentication enabled.

Without this role, Pub/Sub cannot generate tokens to authenticate to the push endpoint, leading to message delivery failures.

Remediation

To fix this issue, grant the Service Account Token Creator role to the Pub/Sub service agent for the service account used in the push subscription.

Execute the following gcloud command:

gcloud iam service-accounts add-iam-policy-binding "SERVICE_ACCOUNT_EMAIL" \
  --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com" \
  --role="roles/iam.serviceAccountTokenCreator"

Replace the following:

  • SERVICE_ACCOUNT_EMAIL: The email address of the service account used in your push subscription.
  • PROJECT_NUMBER: Your Google Cloud project number.
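
To confirm the binding before or after running the command, the check below can be used. It is an added example, not part of gcpdiag or the original page. It inspects an IAM policy in the JSON shape printed by gcloud iam service-accounts get-iam-policy SERVICE_ACCOUNT_EMAIL --format=json. The function names, the project numbers and the sample policies are constructed for illustration.

```python
ROLE = "roles/iam.serviceAccountTokenCreator"


def pubsub_agent(project_number):
    """IAM member string for the project's Pub/Sub service agent."""
    return ("serviceAccount:service-%s@gcp-sa-pubsub.iam.gserviceaccount.com"
            % project_number)


def token_creator_status(policy, project_number):
    """Return 'granted', 'conditional' or 'missing' for the Pub/Sub agent."""
    member = pubsub_agent(project_number)
    status = "missing"
    for binding in policy.get("bindings", []):
        if binding.get("role") != ROLE or member not in binding.get("members", []):
            continue
        if "condition" not in binding:
            return "granted"
        # The grant exists but only applies while its IAM condition holds.
        status = "conditional"
    return status


# Constructed sample policies (hypothetical project numbers, no real accounts).
AGENT = pubsub_agent("123456789012")
SAMPLES = {
    "granted": {"bindings": [{"role": ROLE, "members": [AGENT]}]},
    # Right member, wrong role: does not allow token creation.
    "wrong_role": {"bindings": [{"role": "roles/iam.serviceAccountUser",
                                 "members": [AGENT]}]},
    # Right role, but granted to another project's Pub/Sub service agent.
    "other_project_agent": {"bindings": [{"role": ROLE,
                                          "members": [pubsub_agent("999999999999")]}]},
    "conditional": {"bindings": [{
        "role": ROLE, "members": [AGENT],
        "condition": {"title": "temporary",
                      "expression": "request.time < timestamp('2025-01-01T00:00:00Z')"}}]},
    # A policy with no bindings at all carries only an etag.
    "no_bindings": {"etag": "BwAAAAAAAAA="},
}

if __name__ == "__main__":
    for name, policy in SAMPLES.items():
        print(name, "->", token_creator_status(policy, "123456789012"))
```

The check covers only the policy attached to the service account itself. A result of "conditional" means the binding carries an IAM condition that should be reviewed.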

Further information

For more information, see the official documentation on push authentication.