This sample shows how to configure a CloudStorageSource resource to deliver Object Notifications for when a new object is added to Google Cloud Storage.
Enable the Cloud Storage API on your project and give Google Cloud Storage permissions to publish to GCP Pub/Sub. Currently, we support two methods: automated script or manual.
Option 1 (Recommended, via automated scripts): Apply
Note: This script takes one parameter: an optional parameter to specify the project to use, which defaults to gcloud config get-value project
If you want to specify the parameter PROJECT_ID instead of using the default one, run:
./hack/ [PROJECT_ID]
Option 2 (manual):
Enable the Cloud Storage API on your project:
gcloud services enable
gcloud services enable
Give Google Cloud Storage permissions to publish to GCP Pub/Sub.
- First find the Service Account that GCS uses to publish to Pub/Sub (either using the UI or using curl as shown below).
- Option 1: Use the steps outlined in Cloud Console or the JSON API
Assume the service account you found from above was
, you'd do:export
- Option 2: Use curl to fetch the email:
export GCS_SERVICE_ACCOUNT=`curl -s -X GET -H "Authorization: Bearer \`GOOGLE_APPLICATION_CREDENTIALS=./events-sources-key.json \
  gcloud auth application-default print-access-token\`" \
  "$PROJECT_ID/serviceAccount" \
  | grep email_address | cut -d '"' -f 4`
Then grant rights to that Service Account to publish to GCP Pub/Sub.
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member=serviceAccount:$GCS_SERVICE_ACCOUNT \
  --role roles/pubsub.publisher
Use an existing GCS Bucket, or create a new one. You can create a bucket either from the Cloud Console or by using gsutil.
export BUCKET=<your bucket name>
in the cloudstoragesource.yaml
If you are in GKE and using Workload Identity, update
with the Kubernetes service account you created in Create a Service Account for the Data Plane, which is bound to the Pub/Sub enabled Google service account.
If you are using standard Kubernetes secrets, but want to use a non-default one, update
with your own secret.
in the cloudstoragesource.yaml
By default, the Storage Notification will be created in the same project as your GKE cluster. However, if you are managing multiple projects, then you can specify
, which is the Google Cloud Project that the Storage Notification is created in.
in the cloudstoragesource.yaml
and apply it. If you're in the storage directory, you can replace
and apply in one command:
sed "s/BUCKET/$BUCKET/g" cloudstoragesource.yaml | \
  kubectl apply --filename -
If you are replacing
manually, then make sure you apply the resulting YAML:
kubectl apply --filename cloudstoragesource.yaml
[Optional] If you are not using GKE, or want to use a Pub/Sub topic from another project, uncomment and replace the
placeholder in cloudstoragesource.yaml
and apply it. Note that the Service Account during the installation step should be able to manage multiple projects. If you're in the storage directory, you can replace
and then apply in one command:
sed "s/BUCKET/$BUCKET/g" cloudstoragesource.yaml | \
  sed "s/\#project: MY_PROJECT/project: $PROJECT_ID/g" | \
  kubectl apply --filename -
If you are replacing
manually, then make sure you apply the resulting YAML:
kubectl apply --filename cloudstoragesource.yaml
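The sed commands above paste $BUCKET and $PROJECT_ID straight into a sed expression, so a value containing / or & alters the expression, and a file whose placeholder is already gone renders unchanged without any error. The following is an added example, not part of the original sample or the knative-gcp repository, that validates both values and fails on a missing placeholder; the function names, the simplified name rules (dotted bucket names are rejected) and the three-line stand-in template are assumptions.

```shell
#!/bin/sh
# Added example (not from the knative-gcp repo): validate inputs, then render.
LC_ALL=C; export LC_ALL   # make [a-z] ranges byte-exact

# Bucket name without dots: 3-63 chars of [a-z0-9_-], alphanumeric at both ends.
valid_bucket() {
  case $1 in *[!a-z0-9_-]*) return 1 ;; esac   # rejects '/', '&', newlines, ...
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 63 ] || return 1
  case $1 in [a-z0-9]*[a-z0-9]) return 0 ;; esac
  return 1
}

# Project ID: 6-30 chars of [a-z0-9-], starts with a letter, no trailing hyphen.
valid_project() {
  case $1 in *[!a-z0-9-]*) return 1 ;; esac
  [ "${#1}" -ge 6 ] && [ "${#1}" -le 30 ] || return 1
  case $1 in [a-z]*[a-z0-9]) return 0 ;; esac
  return 1
}

# render_source TEMPLATE BUCKET [PROJECT_ID] -> rendered YAML on stdout
render_source() {
  tmpl=$1; bucket=$2; project=${3:-}
  valid_bucket "$bucket" || { echo "invalid bucket name" >&2; return 1; }
  # A missing placeholder would make sed a silent no-op; fail instead.
  grep -q 'BUCKET' "$tmpl" || { echo "no BUCKET placeholder" >&2; return 1; }
  if [ -z "$project" ]; then
    sed "s/BUCKET/$bucket/g" "$tmpl"
    return
  fi
  valid_project "$project" || { echo "invalid project id" >&2; return 1; }
  grep -q '#project: MY_PROJECT' "$tmpl" ||
    { echo "no #project: MY_PROJECT placeholder" >&2; return 1; }
  sed "s/BUCKET/$bucket/g" "$tmpl" |
    sed "s/#project: MY_PROJECT/project: $project/g"
}

# Constructed stand-in for cloudstoragesource.yaml (field names are assumptions).
sample_template() {
  cat <<'EOF'
spec:
  bucket: BUCKET
  #project: MY_PROJECT
EOF
}
```

Pipe the output of render_source to kubectl apply --filename - in place of the bare sed pipeline.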
Create a
that the Storage notifications will sink into:
kubectl apply --filename event-display.yaml
Upload a file to your BUCKET, either using the Cloud Console or gsutil:
gsutil cp cloudstoragesource.yaml gs://$BUCKET/testfilehere
Verify that the published message was sent by looking at the logs of the service that this Storage notification sinks to.
We need to wait for the downstream pods to start and receive our event, so wait 60 seconds. You can check the status of the downstream pods with:
kubectl get pods --selector app=event-display
You should see at least one.
Inspect the logs of the
:kubectl logs --selector app=event-display -c user-container --tail=200
You should see log lines similar to:
☁️ cloudevents.Event
Validation: valid
Context Attributes,
specversion: 1.0
source: //
subject: objects/myimage.jpeg
id: 1313899854146765
time: 2020-06-30T16:26:12.334Z
datacontenttype: application/json
knativearrivaltime: 2020-06-30T16:26:12.860787657Z
knsourcetrigger: link0.17754831512278457
traceparent: 00-dfa40189f717da88565d7f489e1cb356-fbe2f82875154c65-00
"kind": "storage#object",
"id": "knativegcp-rc1/myimage.jpeg/1593534371944198",
"selfLink": "",
"name": "myimage.jpeg",
"bucket": "knativegcp-rc1",
"generation": "1593534371944198",
"metageneration": "1",
"contentType": "image/jpeg",
"timeCreated": "2020-06-30T16:26:11.943Z",
"updated": "2020-06-30T16:26:11.943Z",
"storageClass": "STANDARD",
"timeStorageClassUpdated": "2020-06-30T16:26:11.943Z",
"size": "12268",
"md5Hash": "Gpx8dT1pF2lbIvLll9Ynyw==",
"mediaLink": "",
"crc32c": "zO8qSQ==",
"etag": "CIautZH6qeoCEAE="
You may have issues receiving the desired CloudEvent. Please use Authentication Mechanism Troubleshooting to check whether they are due to an auth problem.
- For more details on Cloud Pub/Sub formats refer to the Subscriber overview guide.
- For integrating with Cloud Pub/Sub, see the PubSub example.
- For integrating with Cloud Scheduler see the Scheduler example.
- For integrating with Cloud Audit Logs see the Cloud Audit Logs example.
- For integrating with Cloud Build see the Build example.
- For more information about CloudEvents, see the HTTP transport bindings documentation.
Delete the
kubectl delete -f ./cloudstoragesource.yaml
Delete the
kubectl delete -f ./event-display.yaml