From 8203b8414f0338d72c0812dc7b50fc11480f7e1b Mon Sep 17 00:00:00 2001
From: Yi Zhang <cathyzhyi@google.com>
Date: Wed, 2 Sep 2020 15:03:12 +0000
Subject: [PATCH] Better ingress error message on permission denied

---
 pkg/broker/ingress/handler.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/pkg/broker/ingress/handler.go b/pkg/broker/ingress/handler.go
index c766204415..de888d48ca 100644
--- a/pkg/broker/ingress/handler.go
+++ b/pkg/broker/ingress/handler.go
@@ -23,6 +23,8 @@ import (
 	"time"
 
 	cev2 "github.com/cloudevents/sdk-go/v2"
+	grpcstatus "google.golang.org/grpc/status"
+	grpccode "google.golang.org/grpc/codes"
 	"github.com/cloudevents/sdk-go/v2/binding"
 	"github.com/cloudevents/sdk-go/v2/binding/transformer"
 	ceclient "github.com/cloudevents/sdk-go/v2/client"
@@ -158,10 +160,18 @@ func (h *Handler) ServeHTTP(response nethttp.ResponseWriter, request *nethttp.Re
 	if res := h.decouple.Send(ctx, broker, *event); !cev2.IsACK(res) {
 		h.logger.Error("Error publishing to PubSub", zap.String("broker", broker.String()), zap.Error(res))
 		statusCode = nethttp.StatusInternalServerError
-		if errors.Is(res, ErrNotFound) {
+
+		switch {
+		case errors.Is(res, ErrNotFound):
 			statusCode = nethttp.StatusNotFound
-		} else if errors.Is(res, ErrNotReady) {
+		case errors.Is(res, ErrNotReady):
 			statusCode = nethttp.StatusServiceUnavailable
+		case grpcstatus.Code(res) == grpccode.PermissionDenied:
+			const msg string = "Failed to publish to PubSub because permission denied.\n" +
+			"Please refer to \"Configure the Authentication Mechanism for GCP\" at " +
+			"https://github.com/google/knative-gcp/blob/master/docs/install/install-gcp-broker.md"
+			nethttp.Error(response, msg, statusCode)
+			return
 		}
 		nethttp.Error(response, "Failed to publish to PubSub", statusCode)
 		return