Dapr Pub/Sub Failure¶
Use this playbook when publish or subscribe paths fail, messages disappear, or only some apps can see the topic traffic.
Symptom¶
- Publishers return errors when sending to the Dapr pub/sub component.
- Subscribers never receive events even though publishers report success.
- Only some apps consume messages in the same environment.
- The incident begins after a component edit, secret rotation, or app rename.
flowchart TD
A[Publish or subscribe path fails] --> B[Verify app Dapr settings]
B --> C[Inspect pubsub component]
C --> D{Component exists in environment}
D -->|No| E[Create or restore component]
D -->|Yes| F[Check scopes]
F --> G{Publisher and subscriber are allowed}
G -->|No| H[Correct scopes list]
G -->|Yes| I[Check metadata and secret references]
I --> J{Broker reachable}
J -->|No| K[Fix network, identity, or secret issue]
J -->|Yes| L[Retest message flow]Possible Causes¶
- The pub/sub component is missing or misnamed.
- The component type or broker metadata is wrong.
- Publisher or subscriber apps are excluded by
scopes. - Secret or managed identity configuration for the broker is invalid.
- The application points to the wrong pub/sub component or topic name.
Diagnosis Steps¶
- Check the publisher and subscriber Dapr settings.
- Inspect the environment-level pub/sub component definition.
- Compare the component name in the app code or sidecar call with the actual component name.
- Verify that all intended apps are allowed by
scopes.
az containerapp show \
--name "$APP_NAME" \
--resource-group "$RG" \
--query "properties.configuration.dapr" \
--output json
az containerapp env dapr-component list \
--name "$CONTAINER_ENV" \
--resource-group "$RG" \
--output table
az containerapp env dapr-component show \
--name "$CONTAINER_ENV" \
--resource-group "$RG" \
--dapr-component-name "pubsub" \
--output yaml
| Command | Why it is used |
|---|---|
az containerapp show --name "$APP_NAME" --resource-group "$RG" --query "properties.configuration.dapr" --output json | Confirms that the app is using Dapr and exposes the app ID context for pub/sub routing checks. |
az containerapp env dapr-component list --name "$CONTAINER_ENV" --resource-group "$RG" --output table | Verifies that the intended pub/sub component exists in the environment. |
az containerapp env dapr-component show --name "$CONTAINER_ENV" --resource-group "$RG" --dapr-component-name "pubsub" --output yaml | Shows the component type, metadata, secret references, and scopes that control message flow. |
KQL for symptom capture:
let AppName = "ca-myapp";
ContainerAppConsoleLogs_CL
| where TimeGenerated > ago(4h)
| where ContainerAppName_s == AppName
| where Log_s has_any ("dapr", "pubsub", "publish", "subscribe", "topic", "error", "failed")
| project TimeGenerated, RevisionName_s, Log_s
| order by TimeGenerated desc
Resolution¶
- Reconcile the component name used by the application with the deployed component name.
- Fix
scopesso both the publisher and subscriber apps can load the component. - Correct broker metadata, credentials, or network reachability.
- Reapply the component and test a single known topic end to end.
az containerapp env dapr-component set \
--name "$CONTAINER_ENV" \
--resource-group "$RG" \
--dapr-component-name "pubsub" \
--yaml "./pubsub.yaml"
| Command | Why it is used |
|---|---|
az containerapp env dapr-component set --name "$CONTAINER_ENV" --resource-group "$RG" --dapr-component-name "pubsub" --yaml "./pubsub.yaml" | Reapplies the corrected pub/sub component definition after fixing name, metadata, scopes, or credentials. |
Prevention¶
- Version-control Dapr component YAML alongside app configuration.
- Use explicit component names and topic names across environments.
- Include pub/sub smoke tests in deployment validation.
- Review
scopeswhenever an app is renamed or newly added to the environment.