I have succesfully deployed a 2nd generation cloud function with a storage trigger per the google tutorial.

The Cloud Function works when I run a test command in the shell. But if I try for real by uploading a file to my bucket the could function is not invoked.

I can see that the event triggers the pubsub topic:

And in Eventarc I can see signs of the problem:

So, my layman analyse of why the cloud function invokation fails is that I lack some permission for Eventarc to receive the message from PubSub (?). I have read Eventarc troubleshooting and Eventarc accesscontrol and tried to add the eventarc admin role to the eventarc serviceaccount (as seen in image below) but to no result. (I've also added it to any other service account I can find, made the compute service account project owner, etc. but no luck). What am I missing?

(Note, I had an earlier question about this but with broader scope but I opted for a new, more specific question)

Check if your Pub/Sub service account has the iam.serviceAccountTokenCreator role. This could be the case if you enabled the Pub/Sub service account on or before April 8, 2021. (https://cloud.google.com/eventarc/docs/roles-permissions)

If you create a new eventarc trigger in the console you'll get a warning when the Pub/Sub service account doesn't have this role and you can enable it right there.

Stumble across the same issue, and found the solution at the "Permissions" tab of the cloud function I was trying to trigger.

Here is the solution that worked for me:

1. Find the service account that eventarc is using;
2. On IAM page give that principal the "Cloud Run Invoker" role;

Seems to be only necessary with the 2nd generation cloud functions.

You used the Compute Engine default Service Account.

You need to give the needed permissions to this Service Account :

According to the documentation :

Make sure the runtime service account key you are using for your Application Default Credentials has either the cloudfunctions.serviceAgent role or the storage.buckets.{get, update} and the resourcemanager.projects.get permissions. For more information on setting these permissions, see Granting, changing, and revoking access to resources.

Please check in IAM page if the default Service Account has the following permissions :

• cloudfunctions.serviceAgent
• storage.buckets.{get, update}
• resourcemanager.projects.get

Also, don't hesitate to check in Cloud logging to see the exact error and the missing permissions.

After working through the permissions issues I also had to allow the pubsub service account like so...

resource "google_project_iam_member" "pubsubtoken" {
  project = "example"
  role    = "roles/iam.serviceAccountTokenCreator"
  member  = "serviceAccount:service-####@gcp-sa-pubsub.iam.gserviceaccount.com"
}

Where ### is the gcp project number , so the trigger now works, when copying files to the bucket.

I plan to populate this from data shortly, like data.google_project.project.number

I faced a similar case. I was trying to activate a Workflow with Eventarc whenever a new file was created in a Bucket.
I observed the same behavior on my Eventarc screen.
The solution was to assign the role roles/workflows.invoker to the Service Account (SA) used in the Eventarc (I used the same SA for both Eventarc and the Workflow).
You may need to assign the role roles/cloudfunctions.invoker to your SA.

If you notice, the graph you post in your question is the Invocations graph, so my proposal makes sense.

I've spent a lot of time fixing the same issue. It helped to press "TRIGGER CLOUD FUNCTION" in Pub/Sub UI

Google Cloud UI suggested to give missing permissions to another service account. I've pressed "Grant All" and it helped to fix the issue.

The permission was missing not to my <project-id>-compute service account but to another.