Cannot connect to pubsub on GKE pods

Hey, I’m facing a weird issue with my pods! I have a vpc native cluster, with all configuration settle! I have workload identity configured( with GKE_METADATA applied on each node).

I’m able to connect with postgres without any problem, configuring all service account roles permission, but with pubsub I’m unable!

fail to publish message rpc error: code │ = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority

Doesn’t matter what kind of operation I try, publish a message or consume it I’m receiving that kind of error. Do I miss something on my configuration? I dont remember needing to apply any certificate authority on my side.

Hi @Kaueh

Welcome to Google Cloud Community!

Here are few steps you may want to verify with the issue you are facing:

• Review the role/permission assigned to the service account that is doing a published message. You may see this guide for the list of permission and its definitions for pub/sub.
• If your app requires subscription authentication, you check this guide to further setup your application.
• You also need to check if the workload identity federation is setup properly by verifying IAM policy binding, this guide shows on how to configure workload identity federation for GKE.

I hope this information is helpful.

If you need further assistance, you can always file a ticket on our support team.

I have solved the issue! First of all, thanks for the support on that! The main problem was not on any on my setup on both cluster or service account. Actually my docker image is based on scratch, which contains nothing, so It wasn’t containing all the certificates needed to execute.