This page shows you how to resolve issues that you might encounter when using
Eventarc Advanced.
HTTP 503 Service Unavailable errors
If you encounter an HTTP 503 Service Unavailable error for a pipeline that
routes messages to a Google destination using a DNS address—for example,
Cloud Run, Pub/Sub, Workflows, or
another Eventarc Advanced bus—make sure that
Private Google Access is enabled on the
subnet used in the network attachment; otherwise, the DNS address can't be
resolved.
CMEK issues
You can use customer-managed encryption keys (CMEK)
to protect Eventarc.
The keys are created and managed through Cloud Key Management Service (Cloud KMS). The
following table describes different CMEK issues and how to resolve them when
using Cloud KMS with Eventarc.
Issues that occur when creating or updating Eventarc resources
CMEK issue
Error message
Description
Disabled key
$KEY is not enabled, current state is: DISABLED
The provided Cloud KMS key has been disabled for an
Eventarc resource. Events or messages associated with the
resource are no longer protected.
Key region $REGION must match the resource to be protected
The provided KMS key region is different from the region of the
channel.
Solution:
Use a Cloud KMS key from the same region.
Note that for channels in multi-region eu, you should protect
it using a Cloud KMS key in multi-region europe. For
more information, see
Cloud KMS locations
and Eventarc
multi-region locations.
Organization policy constraint
project/PROJECT_ID violated org policy constraint
Eventarc is integrated with the following two
organization policy constraints to help ensure CMEK usage across an
organization. Any existing Eventarc resource isn't subject
to a policy that is set after the resource is created; however, updating
the resource might fail.
constraints/gcp.restrictNonCmekServices causes all
resource creation requests without a specified Cloud KMS key to
fail.
Ensure that the Eventarc service agent has been granted the
cloudkms.cryptoKeyEncrypterDecrypter
role and has been added as a principal to the Cloud KMS key.
For more information, see
Grant the
Eventarc service account access to a key.
To resolve issues that you might encounter when using externally managed keys
through Cloud External Key Manager (Cloud EKM), see
Cloud EKM error reference.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-03-25 UTC."],[[["Eventarc Advanced is a pre-GA feature, subject to specific terms and with limited support."],["HTTP `503 Service Unavailable` errors can occur if Private Google Access is not enabled on the subnet when routing messages to Google destinations using a DNS address."],["Customer-managed encryption key (CMEK) issues, such as disabled keys, exceeded quotas, mismatched regions, or organization policy constraints, can impact Eventarc resources, and the solutions are detailed."],["During event delivery, CMEK-related issues, like disabled keys, exceeded quotas, or permission errors, can occur, each with specific troubleshooting steps."],["For issues with externally managed keys via Cloud External Key Manager (Cloud EKM), refer to the Cloud EKM error reference for guidance."]]],[]]