Configure push subscription endpoints with auth, retry policy, and dead-letter settings.
Last verified: May 2026
Required Fields
subscription, topic, pushConfig, pushConfig.pushEndpoint, retryPolicy

The builder constructs a Pub/Sub subscription resource with pushConfig (pushEndpoint, oidcToken settings with serviceAccountEmail and audience), retryPolicy (minimumBackoff, maximumBackoff), deadLetterPolicy (deadLetterTopic, maxDeliveryAttempts), and ackDeadlineSeconds. Output is generated as gcloud pubsub subscriptions create commands and Terraform google_pubsub_subscription resources.
The GCP Pub/Sub Push Config Builder helps you configure push subscription settings for Google Cloud Pub/Sub topics. Push subscriptions deliver messages directly to an HTTPS endpoint rather than requiring pull-based consumption. This tool guides you through configuring the push endpoint URL, authentication (OIDC tokens), retry policies, dead-letter topics, and message ordering, generating the subscription configuration for deployment via gcloud or Terraform.
Your team's Cloud Run service receives Pub/Sub messages via push but is dropping ~2% of messages with no obvious cause. The builder reveals the missing dead-letter config: deliveries that kept failing were retried until the subscription's message retention window ran out and were then discarded without a trace. You add a DLT, set max delivery attempts to 10, configure exponential backoff (1s to 600s), and add OIDC validation in the Cloud Run handler. Failed messages now end up in the DLT for inspection, the retry rate drops to 0.1%, and you have audit visibility you didn't have before.
Always enable dead-letter topics (DLT) for production push subscriptions. Without a DLT, Pub/Sub keeps redelivering a failing message until the subscription's message retention window expires (7 days by default) and then discards it with no record; maxDeliveryAttempts (default 5, allowed range 5 to 100) only takes effect once a DLT is configured. The DLT must be a separate Pub/Sub topic with at least one subscription of its own for reprocessing or alerting (a topic nobody subscribes to does not keep what is published to it), and the Pub/Sub service agent, service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com, needs roles/pubsub.publisher on the DLT and roles/pubsub.subscriber on the source subscription, or messages are never forwarded.
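As an added example (not the builder's own code or output), here is a Go model of the same subscription fields that applies the API limits and the two rules above, then emits the gcloud create command together with the IAM grants the Pub/Sub service agent needs for dead-lettering and for minting OIDC tokens. The project, topic, endpoint and service-account names used in it are hypothetical; the flags and roles are the real ones.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// PushSubscription holds the fields the builder on this page fills in; the comments give the
// names they map to in the Pub/Sub Subscription resource.
type PushSubscription struct {
	Project             string // project ID
	Name                string // subscription ID
	Topic               string // source topic ID
	PushEndpoint        string // pushConfig.pushEndpoint (must be https://)
	ServiceAccountEmail string // pushConfig.oidcToken.serviceAccountEmail
	Audience            string // pushConfig.oidcToken.audience; "" means the endpoint URL
	AckDeadlineSeconds  int    // ackDeadlineSeconds, 10..600; also the push request timeout
	MinBackoff          string // retryPolicy.minimumBackoff, e.g. "1s"
	MaxBackoff          string // retryPolicy.maximumBackoff, at most "600s"
	DeadLetterTopic     string // deadLetterPolicy.deadLetterTopic (topic ID)
	MaxDeliveryAttempts int    // deadLetterPolicy.maxDeliveryAttempts, 5..100
}

func parseBackoff(field, s string) (time.Duration, error) {
	d, err := time.ParseDuration(s)
	if err != nil || d < 0 || d > 600*time.Second {
		return 0, fmt.Errorf("%s must be a duration between 0s and 600s, got %q", field, s)
	}
	return d, nil
}

// Validate applies the API limits plus the two rules this page insists on for production:
// OIDC auth on the push endpoint and a dead-letter topic. All problems are reported at once.
func (s PushSubscription) Validate() error {
	var errs []string
	fail := func(msg string) { errs = append(errs, msg) }
	if s.Project == "" || s.Name == "" || s.Topic == "" {
		fail("project, name and topic are required")
	}
	if !strings.HasPrefix(s.PushEndpoint, "https://") {
		fail("pushEndpoint must be an https:// URL")
	}
	if s.ServiceAccountEmail == "" {
		fail("oidcToken.serviceAccountEmail is required: without it anyone who can reach the endpoint can forge pushes")
	}
	if s.AckDeadlineSeconds < 10 || s.AckDeadlineSeconds > 600 {
		fail("ackDeadlineSeconds must be between 10 and 600")
	}
	lo, errLo := parseBackoff("retryPolicy.minimumBackoff", s.MinBackoff)
	hi, errHi := parseBackoff("retryPolicy.maximumBackoff", s.MaxBackoff)
	for _, err := range []error{errLo, errHi} {
		if err != nil {
			fail(err.Error())
		}
	}
	if errLo == nil && errHi == nil && lo > hi {
		fail("minimumBackoff must not exceed maximumBackoff")
	}
	switch {
	case s.DeadLetterTopic == "":
		fail("deadLetterPolicy.deadLetterTopic is required: without it failed messages are retried until retention expires, then discarded")
	case s.DeadLetterTopic == s.Topic:
		fail("deadLetterTopic must be a different topic from the source")
	}
	if s.MaxDeliveryAttempts < 5 || s.MaxDeliveryAttempts > 100 {
		fail("deadLetterPolicy.maxDeliveryAttempts must be between 5 and 100")
	}
	if len(errs) > 0 {
		return errors.New(strings.Join(errs, "; "))
	}
	return nil
}

// GcloudCommands returns the create command plus the grants the Pub/Sub service agent
// (service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com) needs: publish to the DLT,
// subscribe to the source subscription, and mint OIDC tokens as the push service account.
// Whoever runs the create command also needs iam.serviceAccounts.actAs on the push service account.
func (s PushSubscription) GcloudCommands(projectNumber string) []string {
	agent := "serviceAccount:service-" + projectNumber + "@gcp-sa-pubsub.iam.gserviceaccount.com"
	audience := s.Audience
	if audience == "" {
		audience = s.PushEndpoint
	}
	return []string{
		fmt.Sprintf("gcloud pubsub subscriptions create %s --project=%s --topic=%s --push-endpoint=%s "+
			"--push-auth-service-account=%s --push-auth-token-audience=%s --ack-deadline=%d "+
			"--min-retry-delay=%s --max-retry-delay=%s --dead-letter-topic=%s --max-delivery-attempts=%d",
			s.Name, s.Project, s.Topic, s.PushEndpoint, s.ServiceAccountEmail, audience,
			s.AckDeadlineSeconds, s.MinBackoff, s.MaxBackoff, s.DeadLetterTopic, s.MaxDeliveryAttempts),
		fmt.Sprintf("gcloud pubsub topics add-iam-policy-binding %s --project=%s --member=%s --role=roles/pubsub.publisher",
			s.DeadLetterTopic, s.Project, agent),
		fmt.Sprintf("gcloud pubsub subscriptions add-iam-policy-binding %s --project=%s --member=%s --role=roles/pubsub.subscriber",
			s.Name, s.Project, agent),
		fmt.Sprintf("gcloud iam service-accounts add-iam-policy-binding %s --project=%s --member=%s --role=roles/iam.serviceAccountTokenCreator",
			s.ServiceAccountEmail, s.Project, agent),
	}
}
```

The DLT itself still needs its own subscription (create one before routing failures into it), and if the endpoint is a Cloud Run service that requires authentication, the push service account additionally needs roles/run.invoker on that service; neither is emitted above because they depend on what sits behind the endpoint.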
Push endpoints must return a success status (102, 200, 201, 202 or 204) within the ack deadline (default 10s, max 600s); for push subscriptions the ack deadline is also the HTTP timeout Pub/Sub applies to the request. If your handler does substantial work, return 202 Accepted as soon as the request is authenticated and parsed, and finish the work asynchronously. Otherwise a slow handler makes Pub/Sub treat the delivery as failed, retry it, and throttle the push rate to the endpoint, so the same message is processed twice while throughput drops. The trade-off of acking early is that a crash before the work completes loses the message, so keep handlers idempotent and either finish within the deadline or persist the work before acking.
OIDC authentication is the baseline for a push endpoint. Without it, anything that can reach the endpoint can POST a correctly shaped body and your handler has no way to tell it from Pub/Sub. Configure oidcToken with a dedicated push service account and set the audience to your endpoint URL (which is also the default when audience is left empty), then verify the token server-side: signature against Google's published keys, iss of https://accounts.google.com, aud equal to your endpoint, email equal to the push service account, and exp in the future. The aud check is what stops a token minted for another endpoint in the project from being replayed against yours. If the endpoint is a Cloud Run service with authentication required, Cloud Run checks the signature and audience before your code runs and the push service account needs roles/run.invoker; still check the email claim in the handler so that no other principal holding run.invoker can inject messages.
Use push when your subscriber is an HTTP service (such as Cloud Run or an App Engine app) that can receive webhooks. Use pull when your subscriber is a background process, needs to control the rate of message processing, or processes messages in batches. Push is simpler but gives you less control over processing flow and requires an endpoint that Pub/Sub can reach; pull only needs outbound connectivity, so nothing new is exposed.
Pub/Sub can include an OIDC JWT in the Authorization header of push requests (Authorization: Bearer <token>). Your endpoint validates this token to verify the request came from Pub/Sub acting as the configured service account. This is configured in the push subscription's oidcToken settings (serviceAccountEmail and audience). Three grants are involved: the push service account needs whatever the endpoint itself demands (roles/run.invoker for an authenticated Cloud Run service), the Pub/Sub service agent needs roles/iam.serviceAccountTokenCreator on that service account so it can mint tokens as it, and whoever creates the subscription needs iam.serviceAccounts.actAs on it.
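The checks described in the two paragraphs above, as an added Go push handler (example code, not from this page or from Google's libraries). It verifies the RS256 signature, issuer, audience, signer email and expiry, parses the push envelope including deliveryAttempt, and acks with 204 before doing the work. In production Keys is loaded from Google's JWKS at https://www.googleapis.com/oauth2/v3/certs; here MintTestToken signs with a locally generated key so the handler can be exercised offline. The endpoint URL and service-account email are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// IDTokenClaims are the claims checked on the OIDC token Pub/Sub attaches to each push.
type IDTokenClaims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	Exp           int64  `json:"exp"`
}

// PushEnvelope is the JSON body Pub/Sub POSTs to a push endpoint.
type PushEnvelope struct {
	Message struct {
		Data      string `json:"data"` // standard base64 of the payload
		MessageID string `json:"messageId"`
	} `json:"message"`
	Subscription    string `json:"subscription"`
	DeliveryAttempt int    `json:"deliveryAttempt"` // only present once a dead-letter policy is set
}

// PushAuthPolicy pins accepted tokens to this endpoint and to the configured push service account.
type PushAuthPolicy struct {
	Audience            string                    // oidcToken.audience (defaults to the push endpoint URL)
	ServiceAccountEmail string                    // oidcToken.serviceAccountEmail
	Keys                map[string]*rsa.PublicKey // kid -> key; production loads https://www.googleapis.com/oauth2/v3/certs
}

// VerifyIDToken checks the RS256 signature, then issuer, audience, signer email and expiry.
func (p PushAuthPolicy) VerifyIDToken(token string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	hdrJSON, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("JWT segments are not base64url")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" || p.Keys[hdr.Kid] == nil {
		return nil, fmt.Errorf("unsupported alg %q or unknown kid %q", hdr.Alg, hdr.Kid) // alg=none and HMAC are rejected here
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(p.Keys[hdr.Kid], crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != "https://accounts.google.com" && c.Iss != "accounts.google.com":
		return nil, fmt.Errorf("issuer is not Google")
	case c.Aud != p.Audience: // a token minted for another endpoint must not be accepted here
		return nil, fmt.Errorf("audience mismatch")
	case !c.EmailVerified || c.Email != p.ServiceAccountEmail:
		return nil, fmt.Errorf("token was not issued to the push service account")
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// Handler authenticates the push, parses the envelope, queues the work and acks inside the deadline.
func (p PushAuthPolicy) Handler(work func(PushEnvelope)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if _, err := p.VerifyIDToken(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "), time.Now()); err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized) // non-2xx is a nack: Pub/Sub retries, then dead-letters
			return
		}
		var env PushEnvelope
		if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 10<<20)).Decode(&env); err != nil {
			http.Error(w, "bad envelope", http.StatusBadRequest)
			return
		}
		go work(env)                        // ack first, work async: a crash after this loses the message, so keep work idempotent
		w.WriteHeader(http.StatusNoContent) // 102, 200, 201, 202 and 204 all count as an ack
	}
}

// MintTestToken signs with a local key so the handler can be exercised offline; Google mints the real tokens.
func MintTestToken(priv *rsa.PrivateKey, kid string, c IDTokenClaims) string {
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	input := enc(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"}) + "." + enc(c)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

The handler rejects before it parses the body, so an unauthenticated caller cannot even reach the JSON decoder, and the 10 MB body cap matches the Pub/Sub message size limit. When DeliveryAttempt climbs toward your maxDeliveryAttempts, the work function is the place to log enough context to make the dead-lettered copy diagnosable.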
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.