From ae00d51d3199491961713ce33c2f0266e7215628 Mon Sep 17 00:00:00 2001
From: Yi Zhang <cathyzhyi@google.com>
Date: Wed, 2 Sep 2020 15:03:12 +0000
Subject: [PATCH] Better ingress error message on permission denied

---
 pkg/broker/ingress/handler.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/pkg/broker/ingress/handler.go b/pkg/broker/ingress/handler.go
index c766204415..5fc4932571 100644
--- a/pkg/broker/ingress/handler.go
+++ b/pkg/broker/ingress/handler.go
@@ -34,6 +34,8 @@ import (
 	"github.com/google/wire"
 	"go.opencensus.io/trace"
 	"go.uber.org/zap"
+	grpccode "google.golang.org/grpc/codes"
+	grpcstatus "google.golang.org/grpc/status"
 	"k8s.io/apimachinery/pkg/types"
 	"knative.dev/eventing/pkg/kncloudevents"
 	"knative.dev/eventing/pkg/logging"
@@ -158,10 +160,18 @@ func (h *Handler) ServeHTTP(response nethttp.ResponseWriter, request *nethttp.Re
 	if res := h.decouple.Send(ctx, broker, *event); !cev2.IsACK(res) {
 		h.logger.Error("Error publishing to PubSub", zap.String("broker", broker.String()), zap.Error(res))
 		statusCode = nethttp.StatusInternalServerError
-		if errors.Is(res, ErrNotFound) {
+
+		switch {
+		case errors.Is(res, ErrNotFound):
 			statusCode = nethttp.StatusNotFound
-		} else if errors.Is(res, ErrNotReady) {
+		case errors.Is(res, ErrNotReady):
 			statusCode = nethttp.StatusServiceUnavailable
+		case grpcstatus.Code(res) == grpccode.PermissionDenied:
+			const msg string = "Failed to publish to PubSub because permission denied.\n" +
+				"Please refer to \"Configure the Authentication Mechanism for GCP\" at " +
+				"https://github.com/google/knative-gcp/blob/master/docs/install/install-gcp-broker.md"
+			nethttp.Error(response, msg, statusCode)
+			return
 		}
 		nethttp.Error(response, "Failed to publish to PubSub", statusCode)
 		return