GCP Pub/Sub

Detailed documentation on the GCP Pub/Sub component

Create a Dapr component

To set up GCP Pub/Sub, create a component of type pubsub.gcp.pubsub. See this guide on how to create and apply a pubsub configuration.

    apiVersion: dapr.io/v1alpha1
    kind: Component
    metadata:
      name: gcp-pubsub
    spec:
      type: pubsub.gcp.pubsub
      version: v1
      metadata:
      - name: type
        value: service_account
      - name: projectId
        value: <PROJECT_ID> # replace
      - name: identityProjectId
        value: <IDENTITY_PROJECT_ID> # replace
      - name: privateKeyId
        value: <PRIVATE_KEY_ID> # replace
      - name: clientEmail
        value: <CLIENT_EMAIL> # replace
      - name: clientId
        value: <CLIENT_ID> # replace
      - name: authUri
        value: https://accounts.google.com/o/oauth2/auth
      - name: tokenUri
        value: https://oauth2.googleapis.com/token
      - name: authProviderX509CertUrl
        value: https://www.googleapis.com/oauth2/v1/certs
      - name: clientX509CertUrl
        value: https://www.googleapis.com/robot/v1/metadata/x509/<PROJECT_NAME>.iam.gserviceaccount.com # replace PROJECT_NAME
      - name: privateKey
        value: <PRIVATE_KEY> # replace x509 cert
      - name: disableEntityManagement
        value: "false"
      - name: enableMessageOrdering
        value: "false"
      - name: maxReconnectionAttempts # Optional
        value: 30
      - name: connectionRecoveryInSec # Optional
        value: 2

Warning

The above example uses secrets as plain strings. It is recommended to use a secret store for the secrets as described here.

Spec metadata fields

| Field | Required | Details | Example |
|---|---|---|---|
| type | N | GCP credentials type. Only service_account is supported. Defaults to service_account | service_account |
| projectId | Y | GCP project id | myproject-123 |
| identityProjectId | N | If the GCP pubsub project is different from the identity project, specify the identity project using this attribute | “myproject-123” |
| privateKeyId | N | If using explicit credentials, this field should contain the private_key_id field from the service account json document | “my-private-key” |
| privateKey | N | If using explicit credentials, this field should contain the private_key field from the service account json | -----BEGIN PRIVATE KEY-----MIIBVgIBADANBgkqhkiG9w0B |
| clientEmail | N | If using explicit credentials, this field should contain the client_email field from the service account json | “myservice@myproject-123.iam.gserviceaccount.com” |
| clientId | N | If using explicit credentials, this field should contain the client_id field from the service account json | 106234234234 |
| authUri | N | If using explicit credentials, this field should contain the auth_uri field from the service account json | https://accounts.google.com/o/oauth2/auth |
| tokenUri | N | If using explicit credentials, this field should contain the token_uri field from the service account json | https://oauth2.googleapis.com/token |
| authProviderX509CertUrl | N | If using explicit credentials, this field should contain the auth_provider_x509_cert_url field from the service account json | https://www.googleapis.com/oauth2/v1/certs |
| clientX509CertUrl | N | If using explicit credentials, this field should contain the client_x509_cert_url field from the service account json | https://www.googleapis.com/robot/v1/metadata/x509/myserviceaccount%40myproject.iam.gserviceaccount.com |
| disableEntityManagement | N | When set to “true”, topics and subscriptions do not get created automatically. Default: “false” | “true”, “false” |
| enableMessageOrdering | N | When set to “true”, subscribed messages will be received in order, depending on publishing and permissions configuration. | “true”, “false” |
| maxReconnectionAttempts | N | Defines the maximum number of reconnect attempts. Default: 30 | 30 |
| connectionRecoveryInSec | N | Time in seconds to wait between connection recovery attempts. Default: 2 | 2 |
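
The field mapping in the table and the secret-store recommendation in the first warning, combined in an added example (not part of the Dapr documentation): it builds the component from a service account JSON document and emits privateKey as a secretKeyRef with an auth.secretStore entry, which is Dapr's syntax for secret references. The helper names, the secret name gcp-pubsub-sa, the store name my-secret-store, the constructed sample key, and the choice to treat only privateKey as secret are assumptions.

```python
import json

# Service account JSON field -> component metadata field, per the table above.
FIELD_MAP = {
    "type": "type", "private_key_id": "privateKeyId", "private_key": "privateKey",
    "client_email": "clientEmail", "client_id": "clientId",
    "auth_uri": "authUri", "token_uri": "tokenUri",
    "auth_provider_x509_cert_url": "authProviderX509CertUrl",
    "client_x509_cert_url": "clientX509CertUrl",
}
SECRET_FIELDS = {"privateKey"}  # assumption: only key material goes to the store

def build_component(sa_key, project_id, secret_name, secret_store):
    """Return (component, secret_data); secret values never enter the component."""
    missing = [k for k in (*FIELD_MAP, "project_id") if k not in sa_key]
    if missing:
        raise ValueError("service account key lacks: " + ", ".join(missing))
    metadata, secret_data = [{"name": "projectId", "value": project_id}], {}
    if sa_key["project_id"] != project_id:  # identity lives in another project
        metadata.append({"name": "identityProjectId", "value": sa_key["project_id"]})
    for src, dst in FIELD_MAP.items():
        if dst in SECRET_FIELDS:
            secret_data[dst] = sa_key[src]  # goes to the secret store only
            metadata.append({"name": dst, "secretKeyRef": {"name": secret_name, "key": dst}})
        else:
            metadata.append({"name": dst, "value": sa_key[src]})
    component = {"apiVersion": "dapr.io/v1alpha1", "kind": "Component",
                 "metadata": {"name": "gcp-pubsub"}, "auth": {"secretStore": secret_store},
                 "spec": {"type": "pubsub.gcp.pubsub", "version": "v1", "metadata": metadata}}
    return component, secret_data

def inline_secrets(component):
    """Names of secret fields that still carry a plain `value`."""
    return [m["name"] for m in component["spec"]["metadata"]
            if m["name"] in SECRET_FIELDS and "value" in m]

# Constructed sample key: placeholder values only, not a real credential.
SAMPLE_KEY = {
    "type": "service_account", "project_id": "identity-proj-1",
    "private_key_id": "my-private-key", "private_key": "<PRIVATE_KEY>",
    "client_email": "myservice@identity-proj-1.iam.gserviceaccount.com",
    "client_id": "106234234234", "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/myservice%40identity-proj-1.iam.gserviceaccount.com",
}

if __name__ == "__main__":
    comp, _ = build_component(SAMPLE_KEY, "myproject-123", "gcp-pubsub-sa", "my-secret-store")
    print(json.dumps(comp, indent=2), "\ninline secrets:", inline_secrets(comp))
```

inline_secrets can also be run over an existing component that has been loaded into a dict, to catch a privateKey left as a plain value.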

Warning

If enableMessageOrdering is set to “true”, the roles/viewer or roles/pubsub.viewer role will be required on the service account in order to guarantee ordering in cases where order tokens are not embedded in the messages. If this role is not given, or the call to Subscription.Config() fails for any other reason, ordering by embedded order tokens will still function correctly.

Create a GCP Pub/Sub

You can use either “explicit” or “implicit” credentials to configure access to your GCP pubsub instance. If using explicit, most fields are required. Implicit relies on Dapr running under a Kubernetes service account (KSA) mapped to a Google service account (GSA) which has the necessary permissions to access pubsub. In implicit mode, only the projectId attribute is needed; all others are optional.

Follow the instructions here on setting up the Google Cloud Pub/Sub system.

Last modified July 27, 2022: Remove namespace element from component examples (#2647) (ff9de5c8)