Replies: 1 comment
I was able to verify that Asynq isn't the issue here. Please feel free to remove this post, if needed.
Hello,
Background
I have a simple service written in Go that receives a request and makes a read request to the Google Cloud Storage (GCS) bucket. This service is deployed in Google Kubernetes Engine (GKE) in the same project as the GCS bucket. GKE is using Workload Identity User to make requests to the storage bucket. This workload identity user is bound to one of the Service Accounts which has the storage admin permissions on the bucket that the service wants to read from.
All in all, I have verified, by using a Python script that uses the aforementioned Workload Identity User to make read/write requests to the storage bucket, that permissions and access are working correctly. My service leverages Asynq to accept the incoming requests asynchronously. Asynq mux server is started as part of the service's constructor using a goroutine:
Problem
I am able to enqueue requests. Requests get picked up by the AsynqMuxServer using its HandleFunc function. However, when a call is made to the storage bucket, I get the following error:
"error":"googleapi: got HTTP response code 403 with body: <?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist).</Details></Error>"
Given that all permissions and access are otherwise working, my suspicion is that the problem is with the AsynqMuxServer not utilizing the Workload Identity User which GCS recognizes.
Questions
FYI @hibiken
Thank you!
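An added example, not part of the original post or of Asynq: a Go helper that parses the GCS error body quoted above and separates a request that reached GCS with no credentials attached ("Anonymous caller") from one whose identity was recognised but lacked the permission. The `Classify` name and the second sample body (with its service account address) are constructed for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// postBody is the XML error body quoted in the post above.
const postBody = `<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist).</Details></Error>`

// deniedBody is a constructed sample: the same error with a named principal.
const deniedBody = `<Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>reader@example-project.iam.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object.</Details></Error>`

// gcsError mirrors the elements of the GCS XML error body.
type gcsError struct {
	Code    string `xml:"Code"`
	Message string `xml:"Message"`
	Details string `xml:"Details"`
}

// Classify returns "anonymous" when the request carried no credentials,
// "authenticated-denied" when a named caller lacked the permission, and
// "other" for anything else, together with the permission that was denied.
func Classify(body string) (kind, permission string, err error) {
	var e gcsError
	if err = xml.Unmarshal([]byte(body), &e); err != nil {
		return "", "", fmt.Errorf("not a GCS XML error body: %w", err)
	}
	if e.Code != "AccessDenied" {
		return "other", "", nil
	}
	// Details reads "<caller> does not have <permission> access to ...".
	caller, rest, ok := strings.Cut(e.Details, " does not have ")
	if !ok {
		return "other", "", nil
	}
	permission, _, _ = strings.Cut(rest, " ")
	if caller == "Anonymous caller" {
		return "anonymous", permission, nil
	}
	return "authenticated-denied", permission, nil
}

func main() {
	for _, b := range []string{postBody, deniedBody} {
		fmt.Println(Classify(b))
	}
}
```

An "anonymous" result points at how the client obtained (or failed to obtain) credentials, while "authenticated-denied" points at the IAM binding on the bucket.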