Shopify Webhooks & Google Pub/Sub: Cracking the Permissions Puzzle
Decoding the 403: Shopify Webhooks and Google Pub/Sub Headaches
Ever felt like you're banging your head against a wall trying to get Shopify webhooks to play nice with Google Pub/Sub? You're definitely not alone! I was browsing the Shopify Community forums the other day and stumbled upon a thread where a user, @Clique256, was facing a classic problem: webhooks registering successfully (getting that sweet 201 status code), but then failing with a dreaded 403 error in the Dev Dashboard.
It’s like, Shopify says "Okay, I'll create that webhook!" but then Google slams the door in its face. Frustrating, right?
The Permission Trap: Pub/Sub Editor vs. Publisher
The key takeaway from this thread, and what I've seen trip up many developers, is understanding the specific permissions needed for the Shopify service account to publish to your Pub/Sub topic. @Expertthub nailed it with this piece of advice:
The biggest thing: Shopify doesn’t need Pub/Sub Editor. It needs Pub/Sub Publisher specifically. Even though Editor sounds higher, Google separates publishing from editing. Give the Shopify service account the Pub/Sub Publisher role on the topic itself, not just the project.
This is crucial. It's tempting to think "Editor" is the all-encompassing role, but Google's Pub/Sub service distinguishes between editing and publishing rights. Shopify only needs to publish messages to the topic, so the "Pub/Sub Publisher" role is the correct one.
Think of it like a newspaper: Shopify needs to be able to submit articles (publish), it doesn't need to change the layout or manage subscriptions (edit).
Step-by-Step: Granting the Correct Permissions
Here's how to make sure you've got the right permissions set up:
- Identify the Shopify Service Account: This is typically [email removed].
- Navigate to your Pub/Sub Topic: In the Google Cloud Console, go to Pub/Sub and select your topic.
- Add the Shopify Service Account as a Principal: Click on the "Permissions" tab.
- Grant the "Pub/Sub Publisher" Role: Add [email removed] as a principal and assign it the "Pub/Sub Publisher" role. Make sure you are assigning this role to the **topic** itself, not just the Google Cloud project.
It sounds simple, but it's easy to miss! @Clique256 even admitted that they initially added the permission to the subscription instead of the topic, which is another common mistake.
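To confirm the grant landed where the steps above put it, the following added example (not code from the thread or from Shopify) checks IAM policies in the JSON shape printed by `gcloud pubsub topics get-iam-policy --format=json` and reports whether the service account holds Pub/Sub Publisher on the topic rather than Editor or a subscription-level binding. The member address is a placeholder because the page redacts the real one, the policies are constructed samples, and `roles_for` and `audit` are hypothetical helper names.

```python
import json

PUBLISHER = "roles/pubsub.publisher"
EDITOR = "roles/pubsub.editor"
# Placeholder: the page redacts the real Shopify service account address.
MEMBER = "serviceAccount:SHOPIFY_SERVICE_ACCOUNT@example.invalid"


def roles_for(policy, member):
    """Roles bound to member without an IAM condition in one resource policy."""
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", []) and "condition" not in b
    }


def audit(topic_policy, subscription_policy, member=MEMBER):
    """Return findings about where the publish grant for member sits."""
    on_topic = roles_for(topic_policy, member)
    on_sub = roles_for(subscription_policy, member)
    findings = []
    if PUBLISHER in on_topic:
        findings.append("ok: Pub/Sub Publisher is bound on the topic")
    elif EDITOR in on_topic:
        findings.append("fix: topic has Pub/Sub Editor; grant Pub/Sub Publisher")
    else:
        findings.append("fix: no Pub/Sub Publisher binding on the topic")
    if PUBLISHER in on_sub:
        findings.append("warn: Publisher on the subscription does not cover the topic")
    return findings


# Constructed sample policies (not real gcloud output).
EDITOR_POLICY = json.loads(
    '{"bindings": [{"role": "roles/pubsub.editor", "members": ["%s"]}]}' % MEMBER
)
PUBLISHER_POLICY = json.loads(
    '{"bindings": [{"role": "roles/pubsub.publisher", "members": ["%s"]}]}' % MEMBER
)
EMPTY = {"bindings": []}

if __name__ == "__main__":
    for name, topic, sub in [
        ("editor on topic", EDITOR_POLICY, EMPTY),
        ("publisher on subscription only", EMPTY, PUBLISHER_POLICY),
        ("publisher on topic", PUBLISHER_POLICY, EMPTY),
    ]:
        print(name, "->", audit(topic, sub))
```

Bindings that carry an IAM condition are deliberately ignored, so a conditional Publisher grant is reported as missing and needs a manual look.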
Debugging Without Error Messages: A Community Effort
One of the frustrating aspects of this issue, as @Clique256 pointed out, is the lack of detailed error messages in the Dev Dashboard. The 403 error is a clue, but it doesn't tell you why the request was forbidden. This is where the Shopify Community really shines. Sharing experiences and solutions, even without perfect documentation, helps everyone get unstuck.
Here's the original issue reported by @Clique256:
In my case, I have a python server that creates webhooks with the rest API (calling …/webhooks.json). The webhooks calls seem to work (getting 201), and querying for webhooks, I do get the created webhooks back. The pubsub also seems to work, as I’m able to listen to it, and send fake pubsubs to myself and receive them. I’ve double checked the URI and it is pubsub://: which is the standard URI for a Google pubsub to the best of my knowledge? In the Dev Dashboard under monitoring, I do see that webhooks calls are failing, with 403, but there’s no error message as to why. It could be permissions to send to that pubsub, but I’ve added [email removed] as a principal with the role of “Pub/Sub Editor” to the pubsub topic itself. This is what the documentation mentioned. My guess is that there’s more to it in terms of permissions, but without any error message I cannot debug this further.
Beyond Permissions: Double-Checking Your Setup
While permissions are the most common culprit, it's always worth double-checking a few other things:
- Pub/Sub Topic URI: Make sure your webhook URI is correctly formatted: pubsub://:
- Project ID: Verify that you're using the correct Google Cloud Project ID.
- Topic ID: Ensure the topic ID matches the one you created in Google Cloud.
The Shopify documentation (Subscribe to a webhook topic) is a good starting point, but, as @Clique256 mentioned, it might not cover all the nuances. That's why community discussions are invaluable!
Ultimately, @Clique256 resolved their issue by granting the correct "Pub/Sub Publisher" permission to the Shopify service account on the Pub/Sub topic. It's a simple fix, but easy to overlook. Hopefully, this helps you avoid the same headache!