This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Subject: Gen2 Function (Python 3.11/us-central1) Not Logging/Executing on GCS Trigger - Despite Edit

Posted on 04-25-2025 02:02 PM
tigereon69
New Member
Reply posted on --/--/---- --:-- AM

Goal: Trigger the function using Python 3.11 when a file is finalized in the GCS bucket gs://loadsnap-prod-tickets.

Problem: Despite successful function deployment, apparently correct trigger configuration, and broad IAM permissions, file uploads to the bucket do not result in the function's application code logging any output (not even a simple "start" message). However, Cloud Run request logs do appear in Cloud Logging around the time of the upload, suggesting the invocation request might be hitting the service endpoint, but the function code itself isn't running or logging.

(We initially saw Cloud Run 401 Unauthorized errors, prompting extensive IAM troubleshooting, but the current lack of any application logs persists even after escalating permissions significantly).

Current Debugging Setup:

  1. Simplified Function Code (functions/main.py):
Python
 
import functions_framework
import logging
import sys
import traceback # Import traceback module

# --- Test Log 1: Module Level ---
logging.basicConfig(level=logging.INFO)
logging.info("--- main.py module loaded ---")

@functions_framework.cloud_event
def parse_ticket_handler(cloud_event):
    """
    Bare minimum function to test invocation, with enhanced logging.
    """
    # --- Test Log 2: Handler Level ---
    logging.info("--- parse_ticket_handler function started ---")

    try:
        event_id = cloud_event["id"]
        event_type = cloud_event["type"]
        logging.info(f"Received event ID: {event_id}, Type: {event_type}")
    except Exception as e:
        # --- Test Log 3: Error Handling ---
        logging.error(f"!!! EXCEPTION in parse_ticket_handler: {e}", exc_info=True)
        raise

    # --- Test Log 4: Handler End ---
    logging.info("--- parse_ticket_handler function finished ---")
    return None
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  1. Simplified Requirements (functions/requirements.txt):
functions-framework
  1. Last Successful Deployment Command: (Note: An earlier Eventarc trigger was deleted before running this)
Bash
 
gcloud functions deploy parse-ticket-v2 \
  --gen2 \
  --runtime=python311 \
  --region=us-central1 \
  --source=./functions \
  --entry-point=parse_ticket_handler \
  --service-account=loadsnap-ocr-sa@loadsnap-prod.iam.gserviceaccount.com \
  --allow-unauthenticated \
  --project=loadsnap-prod \
  --trigger-event-filters="type=google.cloud.storage.object.v1.finalized" \
  --trigger-event-filters="bucket=loadsnap-prod-tickets"

  1. IAM Configuration:

    • Function runs as SA: loadsnap-ocr-sa@loadsnap-prod.iam.gserviceaccount.com
    • For debugging, this SA currently has project-level roles/editor. (Least privilege attempts failed previously).
    • roles/run.invoker was explicitly granted to the Pub/Sub SA (service-266229951076@gcp-sa-pubsub.iam.gserviceaccount.com) AND the function's SA (loadsnap-ocr-sa@...) on the parse-ticket-v2 Cloud Run service itself.
    • --allow-unauthenticated was used during deployment.

  2. Trigger Info:

    • Configured via the deployment flags above.
    • Checking the underlying auto-created Pub/Sub subscription shows it's ACTIVE and the pushConfig uses an OIDC token authenticating as the function's SA (serviceAccountEmail: loadsnap-ocr-sa@...).

Troubleshooting Done:

  • Verified service health (gcloud run services describe shows healthy, startup probe passes).
  • Verified trigger/subscription configuration (gcloud eventarc triggers describe, gcloud pubsub subscriptions describe).
  • Granted broad Editor role to function SA.
  • Explicitly granted specific Invoker roles to relevant SAs on the Run service.
  • Used extremely simplified code.
  • Encountered various gcloud functions deploy CLI errors during the process related to trigger specification (actAs denied, missing bucket filter, Trigger type must be specified).

Question for the Community:

Given that the trigger seems configured, the service is healthy, IAM should be sufficient (Editor role!), and even minimal code doesn't log - what could be preventing the function code from executing or logging successfully?

Are there known issues with Python 3.11 Gen2 runtime/logging, Eventarc/Pub/Sub delivery silent failures, or other non-obvious configurations (like network policies, VPC-SC) that could cause this behavior without clear error messages in standard logs? Any further debugging suggestions?

Thanks in advance!

0 1 198
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
mcbsalceda
Staff
Reply posted on --/--/---- --:-- AM

Hi @tigereon69,

Welcome to Google Cloud Community!

It looks like your function is getting invoked at the Cloud Run level (request logs show up), but the handler isn’t actually executing—usually due to an event format mismatch or entry-point issue. Make sure the incoming GCS event matches what your function expects. Eventarc sends CloudEvents—if there's a mismatch, your code won’t run. You can learn more about the CloudEvents specification at the CloudEvents GitHub repository

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

0 Likes
Top Solution Authors
View all