From 961d16ae98ee82f2467fc3dd228a13bbe22756eb Mon Sep 17 00:00:00 2001
From: Tianzi Cai <anguillanneuf@gmail.com>
Date: Thu, 12 Dec 2019 17:59:46 -0800
Subject: [PATCH] add a setup step in CLI

---
 appengine/standard_python37/pubsub/README.md | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/appengine/standard_python37/pubsub/README.md b/appengine/standard_python37/pubsub/README.md
index 029077281d6..4b0a1499dd3 100644
--- a/appengine/standard_python37/pubsub/README.md
+++ b/appengine/standard_python37/pubsub/README.md
@@ -13,7 +13,13 @@ Before you can run or deploy the sample, you will need to do the following:
 
 1. Enable the Cloud Pub/Sub API in the [Google Developers Console](https://console.developers.google.com/project/_/apiui/apiview/pubsub/overview).
 
-2. Create a topic and subscription. Your push auth service account must have Service Account Token Creator Role assigned, which can be done in the Cloud Console [IAM & admin](https://console.cloud.google.com/iam-admin/iam) UI. `--push-auth-token-audience` is optional. If set, remember to modify the audience field check in `main.py` (line 88).
+1. Allow Cloud Pub/Sub to create authentication tokens in your project.
+
+        $ gcloud projects add-iam-policy-binding [your-project-id] \
+            --member=serviceAccount:service-[your-project-number]@gcp-sa-pubsub.iam.gserviceaccount.com \
+            --role=roles/iam.serviceAccountTokenCreator
+
+1. Create a topic and subscription. The `--push-auth-service-account` flag activates the Pub/Sub push functionality for Authentication and Authorization. Pub/Sub messages pushed to your endpoint will carry the identity of this service account. You may use an existing service account or create a new one. The `--push-auth-token-audience` flag is optional; if set, remember to modify the audience field check in `main.py`.
 
         $ gcloud pubsub topics create [your-topic-name]
         $ gcloud beta pubsub subscriptions create [your-subscription-name] \
@@ -21,10 +27,10 @@ Before you can run or deploy the sample, you will need to do the following:
             --push-endpoint=\
                 https://[your-app-id].appspot.com/_ah/push-handlers/receive_messages?token=[your-token] \
             --ack-deadline=30 \
-            --push-auth-service-account=[your-service-account-email] \
+            --push-auth-service-account=[your-service-account] \
             --push-auth-token-audience=example.com
 
-3. Update the environment variables in ``app.yaml``.
+1. Update the environment variables in ``app.yaml``.
 
 ## Running locally