Create a function with a GCS or PubSub trigger in another project [62373846]

Assigned

Feature Request

Status Update

No update yet.

Description

gr...@google.com

created issue #1

Jun 6, 2017 05:03PM

Issue summary: Provide a solution for cloud functions to trigger a pub/sub topic from a different project. For example, create a GCF with Pub/Sub Trigger using the REST API. Create the GCF in one project. And the Pub/Sub topic is in another project.

There are some workarounds. But currently there is no way to do that directly.

Comments

ya...@google.com <ya...@google.com> Jul 12, 2017 02:12PM

Assigned to gc...@google.com.

po...@gmail.com <po...@gmail.com> #2Jun 26, 2019 01:22AM

This is something that would be really useful, especially in the enterprise. Is there any update?

mp...@google.com <mp...@google.com> #3Jun 26, 2019 05:08PM

There are some workarounds until is implemented: using an HTTP function and Pub/Sub push subscriptions as per

http://stackoverflow.com/questions/43792782/can-cloud-functions-for-firebase-be-used-across-projects or use a with a "fan-in" helper, basically, a client in GCE that listens/subscribes to all topics that you are interested in across multiple projects, and then simply relays/publishes those message to the topic in the cloud function project. That client could use a dedicated service account that only has pub/sub permissions in other projects.
Please also follow this public issue tracker:

https://issuetracker.google.com/70628944

ja...@gmail.com <ja...@gmail.com> #4Jul 11, 2019 06:27AM

Another alternative is to use a Dataflow streaming job cross project from PubSub in Project A to PubSub in Project B, and then use a pull subscription on the duplicate topic now in the same project as the consuming CloudFunction.
Although these are workable, none of these solutions offer a non-public serverless approach to solving this problem. Running a GCE node or streaming job is a few thousand dollars per year in the Australian region, or the push requires more project coupling and a public end point.

pa...@axa.ch <pa...@axa.ch> #5Feb 9, 2021 12:40PM

Any update?

li...@liveramp.com <li...@liveramp.com> #6Mar 15, 2021 06:31PM

Any timelines for this feature's availability?

ch...@gmail.com <ch...@gmail.com> #7Jun 9, 2021 07:13PM

We've been waiting for four years now, so please share if this is even in the backlog

da...@gmail.com <da...@gmail.com> #8Sep 29, 2021 01:57PM

When can we expect this functionality?

lg...@google.com <lg...@google.com> #9Nov 22, 2021 06:00PM

Is there any update on this? Levi's is asking for it as well

so...@google.com <so...@google.com> #10Nov 22, 2021 06:50PM

Also, curious how other customers are solving this problem currently? Is there a workaround that our customers can use?

sc...@gmail.com <sc...@gmail.com> #11Nov 22, 2021 06:53PM

About workarounds:

https://stackoverflow.com/questions/70031895/google-cloud-pubsub-message-republishing-across-gcp-projects

I also would guess/hope that eventually the issue is to be solved with next versions of cloud functions...

ro...@sulamerica.com.br <ro...@sulamerica.com.br> #12Nov 22, 2021 07:11PM

Hi ! Workaround we used here was instead of publishing into a pub sub in another project, we used a Cloud task component (host project), to be consumed to a HTTP Function and then producing it into another pubsub.

https://cloud.google.com/tasks/docs/creating-http-target-tasks#token

Thats works for a cross project approach. FYI

Message last modified on Nov 22, 2021 07:12PM

rm...@google.com <rm...@google.com> #13Dec 9, 2021 07:55PM

Status: Won't Fix (Infeasible)

A workaround for this is to use a Pub/Sub push subscription that invokes your Cloud Function over HTTP. This is the officially supported way of doing it.

This is essentially what is being set up a function is created with a Cloud Storage bucket trigger.

ProjectA - where the Cloud Function resides, NOT the Cloud Storage bucket we wish to see notifications from
FunctionA - function handling the bucket notifications
ProjectB - where the bucket, Pub/Sub topic and Pub/Sub subscription reside
BucketB - bucket NOT in ProjectA that we want to have events invoke FunctionA
SubscriptionB - push subscription used to pass bucket changes to an HTTP endpoint (FunctionA)
TopicB - topic where messages about changes to BucketB go
ServiceaccountB - service account configured in TopicB that has permissions to invoke FunctionA in ProjectA

`ProjectA`: Configure the Cloud Function

create FunctionA
make sure FunctionA is HTTP invokable
grant permissions for a service account in ProjectB to invoke the function by adding it as a principal under Permissions in the FunctionA config (eg ServiceaccountB@projectb.iam.gserviceaccount.com)
get the HTTP trigger of FunctionA under the Trigger tab https://us-central1-projecta.cloudfunctions.net/FunctionA
save it

`ProjectB`: Create Pub/Sub TopicB and enable notifications

create TopicB
enable notifications on the bucket using gsutil notification create -t TopicB -f json gs://BucketB

`ProjectB`: Create a push subscription on `TopicB`

create SubscriptionB
set the push target at https://us-central1-projecta.cloudfunctions.net/FunctionA
enable authentication and set it as ServiceaccountB@projectb.iam.gserviceaccount.com
save SubscriptionB

Test by writing an object to BucketB, you should see invocations in the logs for FunctionA, or you will see Pub/Sub errors on SubscriptionB in ProjectB. The body of the POST to FunctionA will be data from the bucket.

The implementation of this feature is infeasible given the architecture of GCP and the way that the Cloud Function creation UI works, in that it needs to populate options by iterating all IAM allowed projects. It may be possible to add an entry field and verify later, but this is not part of the current product roadmap.

Message last modified on Apr 13, 2023 04:07PM

rm...@google.com <rm...@google.com> #14Dec 17, 2021 05:11PM

Assigned to gc...@google.com.

An update here; the product team would like to keep this open for consideration as they do believe it's something worth solving. However, we don't have a timeline for this, it is advised to use the workaround mentioned in the previous comment for the time being.

[Deleted User] <[Deleted User]> #15Jan 4, 2022 03:00PM

About answer #13, don't forget to set the audience string in Pub/Sub:

https://stackoverflow.com/a/66012003/8280773

br...@richemont.com <br...@richemont.com> #16Jan 20, 2022 02:58PM

About answer #14

We are using GCP in an very large enterprise context and we definitely need to have this limitation solved in a cloud native way. It would be a pity to install messaging services like rabbitmq because we cannot cover this use case when multiple GCP projects need to communicate with one another.

This issue has been opened four years ago. Could you not share what is your priority compared to all other tickets?

If PubSub is meant to be used as "global" messaging, this is a must-have feature.

er...@dv01.co <er...@dv01.co> #17Aug 18, 2022 03:42PM

Hey,

Has there been any update on this? We're encountering the same issue now where we want to have all of our topics/subscriptions live inside a single project and have cloud functions trigger in a separate project. Adding an intermediary listener adds extra complexity and managerial overhead to this ask which is why we started using cloud functions in the first place.

es...@google.com <es...@google.com> #18Jan 19, 2023 11:43PM

+1'ing from Cloud Marketplace. Our 3rd party SaaS partners need to integrate with Pub/Sub topics from a Google-owned project (ref). We want to encourage partners to use GCP for their underlying implementation to help further enterprise GCP adoption, but this limitation adds friction since they'd need to repipe the Pub/Sub events to a topic in their own project.

ad...@quantummetric.com <ad...@quantummetric.com> #19Jan 20, 2023 12:21AM

About answer #18

We ran into this while implementing Cloud Marketplace integration, as mentioned. We needed the extra push subscription to make it work. More moving parts to build, maintain and explain to others. Google-owned topic direct to Cloud Function would certainly make an all-Google solution feel streamlined.

rp...@ford.com <rp...@ford.com> #20Feb 17, 2023 05:07PM

Is Eventarc eliminating the extra push by any means?

om...@vodafone.com <om...@vodafone.com> #21Feb 21, 2023 01:29AM

About answer #14

We are in similar situation with 'answer #16', this workaround is not feasible within our organization. Please can you provide timeline for this as cloud native solution of this is crucial for us?

dh...@gmail.com <dh...@gmail.com> #22Jun 26, 2023 06:51AM

Here is the solution: Pub/Sub — Push Messages to Cloud Function Endpoint in a different GCP Project

Step 1: Ensure In API and services , Pub/Sub API is enabled

Step 2: In Project A, Go to Pub/Sub then create a pubsub topic from GUI by providing the topic ID as required with default settings (In projectA created topic projects/projectid/topics/dhanatest) and here is how we create topic from UI:

Step 3:In Project B, create a basic cloud function in python of 1st gen with http trigger (check Require https) and here is attached cloud function(function-dp) code I used in Project-- B and in the service account in Runtime , please give service account which has roles Cloud Functions Invoker, Pub/Sub Publisher, Pub/Sub Subscriber, Logging Admin () and Go to Cloud Functions from search UI and below is how to create simple cloud function from UI:

Step 4:

4a) Create a push subscription in Project B taking Project A’s topic from UI and click on Enable Authentication.

4b) After clicking Enable Authentication , It asks for Endpoint Url and service account ,so In Endpoint Url , Give https url from cloud function and for service account , give service account with roles Cloud Functions Invoker, Pub/Sub Publisher, Pub/Sub Subscriber, Logging Admin, leave remaining fields default and click on create to create subscription

Step 5:Now, Publish message from Project A and see the cloud function logs, We should see Function executed successfully with return code:200

Note:We can do the above thing not only from UI , we can do from Python code also to creaste subscriptionand here is the attached code, we can run from cloud shell the python file.

Message last modified on Jun 26, 2023 06:55AM

br...@gmail.com <br...@gmail.com> #23Jul 18, 2023 06:59PM

About answer #20

Has anyone succeeded by using eventarc? Push subscription is not allowed in VPC controlled projects so the workaround is not feasible for us.

di...@google.com <di...@google.com> #24Feb 14, 2024 05:26PM

Hi team , any update on this topic? What is the current( Feb 2024 ) recommended approach to have a Cloud functions in project B triggering from a Bucket in Project A ? Tnanks in advance!

li...@gmail.com <li...@gmail.com> #25Feb 27, 2024 03:06AM

This functionality would be doubly helpful, since products like Google Cloud Marketplace integrations expect you to be triggering Pub/Sub events in your code using a topic managed outside you project in the "cloudcommerceproc-prod" project.

re...@zazmic.com <re...@zazmic.com> #26Dec 30, 2024 03:20PM

By any chance it became available?