
Gmail trigger with Pub/Sub issue

Hi there,

I have set up a topic and a subscription in the project console, and gcloud CLI auth went successfully as well.

However, when I run this route:

const { token } = await oAuth2Client.getAccessToken(); // refresh token for my proj

const url = `https://www.googleapis.com/gmail/v1/users/${email}/watch`;
const data = {
  topicName: "projects/testproj/topics/TestTopic",
  labelIds: ["INBOX"],
  labelFilterBehavior: "INCLUDE",
};

if (token) {
  const config = createPostConfig(url, token, data); // simply a config for making post req
  const response = await axios.request(config);
  res.status(200).json(response.data);
} else {
  res.status(500).json('Unable to get access token');
}

it returns:
{
  "error": {
    "code": 403,
    "message": "Error sending test message to Cloud PubSub projects/testproj/topics/TestTopic : User not authorized to perform this action.",
    "errors": [
      {
        "message": "Error sending test message to Cloud PubSub projects/testproj/topics/TestTopic : User not authorized to perform this action.",
        "domain": "global",
        "reason": "forbidden"
      }
    ],
    "status": "PERMISSION_DENIED"
  }
}

I am just wondering what the possible causes might be here, or whether I am missing any setup steps, so that this does not work.

Thanks in advance
1 ACCEPTED SOLUTION

This error means that the user identity that is running your node.js code (maybe a service account identity?) does not have permissions to write to the Pub/Sub Topic. You have to give that user identity the PubSub role that allows the user to publish to that topic in GCP IAM. 

"error": {
"code": 403,
"message": "Error sending test message to Cloud PubSub projects/testproj/topics/TestTopic : User not authorized to perform this action.",


Where are you running this code? Is it in Cloud Functions? AppScript? CloudRun? This will help us route it to the right expert. It doesn't look like you are using Application Integration (the GCP Product), but if you are, can you share a screenshot of your Integration flow and some more context?

Also, no matter what service you are using, your most likely issue is a permissions issue on the PubSub Topic. Whichever user or service account is attempting to publish to that Topic has not been given the pubsub role to allow it to publish to that topic in the IAM configurations.

Hi shaaland,

Thank you for your reply.

I am running the code in the backend of my project using express.js (Node.js).

So, I am trying to achieve a feat that if I receive a new email in my Gmail account, it will have a mechanism to call my backend code.

Here is a screenshot of the Topic:

todaricli_3-1717296100004.png

Here is the screenshot of the subscriptions:

todaricli_2-1717296045442.png

I have set up config for Gmail api in my project and it works fine, like retrieving emails etc.

Then, I have followed the instructions in this page:

https://developers.google.com/gmail/api/guides/push#protocol

I have done all the prerequisite steps stated in that page, and reached this step:

todaricli_4-1717296295830.png

I feel like there might be an extra auth needed to make it work, but I am not sure where and how, as when I am making the post request, I am simply passing the refresh token of my Google Cloud project in the auth header.

Appreciate your time and effort.

Thanks in advance to anyone who can help!


Hi shaaland,

I'm encountering the same error message when trying to initiate a watch for a specific inbox. I've granted permissions both at the GCP IAM level and on the Pub/Sub topic. 

I am authenticating using user credentials (OAuth 2) versus a service account.

The Gmail API is working well and I have the necessary scopes granted to perform a watch.

Any insight would be much appreciated!

Thank you for your recent inquiry @pat_linea. To ensure you receive the most accurate assistance, we recommend directing your query to the appropriate forum within the Google Cloud Community. This will connect you with experts who can provide targeted guidance for your specific concern.

While we have previously addressed similar questions, consulting the specialized forums will offer you more comprehensive support.

If you’re interested in exploring Application Integration further, which is the primary focus of this forum, we encourage you to learn more here.

Thanks, shaaland!

For anyone who encounters the same issue, please remember to complete the step below:

Grant publish rights on your topic

Cloud Pub/Sub requires that you grant Gmail privileges to publish notifications to your topic.

To do this, you need to grant publish privileges to gmail-api-push@system.gserviceaccount.com. You can do this using the Cloud Pub/Sub Developer Console permissions interface following the resource-level access control instructions.
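
The grant described in the step above, as an added Node.js example that is not part of the original thread or of Google's documentation: it checks a topic's IAM policy for a publish-capable binding for gmail-api-push@system.gserviceaccount.com, flags publish grants that are open to everyone, and builds a policy copy containing only the narrow grant. The function names, the sample policy and `dev@example.com` are constructed for illustration; the policy shape is assumed to be the JSON printed by `gcloud pubsub topics get-iam-policy`.

```javascript
// Added example. Input is a topic IAM policy in the JSON shape printed by
// `gcloud pubsub topics get-iam-policy TestTopic --format=json`.
const GMAIL_PUSH = "serviceAccount:gmail-api-push@system.gserviceaccount.com";
const PUBLISHER = "roles/pubsub.publisher";
// Predefined Pub/Sub roles that include pubsub.topics.publish.
const PUBLISH_ROLES = new Set([PUBLISHER, "roles/pubsub.editor", "roles/pubsub.admin"]);
const PUBLIC_MEMBERS = new Set(["allUsers", "allAuthenticatedUsers"]);

// True when Gmail's push service account can publish to the topic.
function gmailCanPublish(policy) {
  return (policy.bindings || []).some(
    (b) => PUBLISH_ROLES.has(b.role) && (b.members || []).includes(GMAIL_PUSH)
  );
}

// Publish-capable bindings open to everyone: a wider grant than the fix needs.
function publicPublishers(policy) {
  return (policy.bindings || [])
    .filter((b) => PUBLISH_ROLES.has(b.role))
    .flatMap((b) =>
      (b.members || []).filter((m) => PUBLIC_MEMBERS.has(m)).map((m) => `${m} has ${b.role}`)
    );
}

// Returns a copy of the policy with the least-privilege grant added.
// The etag is kept so a later setIamPolicy call can detect concurrent edits.
function withGmailPublisher(policy) {
  if (gmailCanPublish(policy)) return policy;
  const bindings = (policy.bindings || []).map((b) => ({ ...b, members: [...(b.members || [])] }));
  let pub = bindings.find((b) => b.role === PUBLISHER);
  if (!pub) {
    pub = { role: PUBLISHER, members: [] };
    bindings.push(pub);
  }
  pub.members.push(GMAIL_PUSH);
  return { ...policy, bindings };
}

// Constructed sample: only the developer's own account holds the publisher
// role, so the Gmail push service account is missing from the policy.
const samplePolicy = {
  version: 1,
  etag: "constructed-etag",
  bindings: [{ role: PUBLISHER, members: ["user:dev@example.com"] }],
};

console.log("Gmail can publish:", gmailCanPublish(samplePolicy));
console.log(JSON.stringify(withGmailPublisher(samplePolicy), null, 2));
```

The same binding can be applied from the CLI with `gcloud pubsub topics add-iam-policy-binding TestTopic --member=serviceAccount:gmail-api-push@system.gserviceaccount.com --role=roles/pubsub.publisher`, which scopes the grant to the one topic instead of the whole project.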