Reputation: 168
GCP PubSub Permissions for a topic
I am trying to create a service account that has permission to particular pubsub topic only.
I create a topic:
gcloud pubsub topics create mytopic
Then create a service account:
gcloud iam service-accounts create my-user \
--display-name "my-user"
Then trying to grant this service account permission:
gcloud alpha pubsub topics add-iam-policy-binding mytopic \
--member="serviceAccount:my-user@myproject.iam.gserviceaccount.com" \
--role='roles/pubsub.editor'
Get the service account json file:
gcloud iam service-accounts keys create \
--iam-account "my-user@myproject.iam.gserviceaccount.com" \
service-account.json
Using this service account json credentials I get denied creating a subscription to this topic.
If I give this user permissions to the entire project's pubsub, I am able to create a subscription to this topic but I dont want to give that much permission to this service account.
gcloud projects add-iam-policy-binding myproject \
--member="serviceAccount:my-user@myproject.iam.gserviceaccount.com" \
--role='roles/pubsub.editor'
I am trying to use this and it doesnt seem to work: https://cloud.google.com/sdk/gcloud/reference/alpha/pubsub/topics/add-iam-policy-binding
Am I missing something here? I would have thought that the role binding for this user to the topic would be enough permission?
Upvotes: 5
Views: 17321
Answers (2)
Reputation: 1899
for creating subscriptions, you need
pubsub.subscriptions.create on the containing Cloud project and pubsub.topics.attachSubscription on the requested topic
as pubsub.subscriptions.create is only contained in roles/
pubsub.editor (and ...admin), you might want to create a custom role for not giving away delete etc perms on topics and so on
on the requested topic, you can grant pubsub.subscriber for granting attachSubscription
via https://cloud.google.com/pubsub/docs/access-control#tbl_perm
Upvotes: 0
Reputation: 168
It turns out there are permissions on the subscription itself also. You need to give permission to that for the service account to be able to attach to it.
With this command: https://cloud.google.com/sdk/gcloud/reference/alpha/pubsub/subscriptions/add-iam-policy-binding
Upvotes: 9
Related Questions
- Pub-Sub - Get the Identity of Publisher to the Topic
- setIamPolicy for pubsub topics (at the resource level not project)
- Restrict user access to a topic/subscription in google pub/sub
- Can you write to GCP PubSub with write only permissions?
- GCP PUB/SUB allow different projects to publish to a topic
- Within Google Cloud, how can I set publish permissions for PubSub per function?
- Sharing my GCP pub/sub topic with customer to publish
- GCP PubSub not honoring inherited permissions
- GCP PubSub topic push issue
- Publish to a topic using Google Cloud Pubsub within Compute Engine