Google PubSub - serviceAccount:gmail-api-push@system.gserviceaccount.com doesn't exist

Question

I am trying to subscribe to Gmail for mail notifications using Google's Pub/Sub and I've gone through the documentation and tutorials provided by Google. At one point, the docs state that I need to publish the correct rights to my PubSub topic:

You need to grant publish privileges to serviceAccount:gmail-api-push@system.gserviceaccount.com. You can do this using the Cloud Pub/Sub Developer Console permissions interface following the resource-level access control instructions.

My understanding is that the publish privilege is equivalent to pubsub.topics.publish or just "PubSub Publisher". But what about the serviceAccount:gmail-api-push@system.gserviceaccount.com? I cant' find that service account anywhere and the console is not letting me create it due to character restrictions. Is there another way to get this account?

Answer 1

Permissions are set by Pub/Sub Topic in the Pub/Sub Topics section of the GCP Console.

• Go to the Google Cloud Console.

• From the Hamburger menu, go to Big Data -> Pub/Sub -> Topics. Shortcut to this location: https://console.cloud.google.com/projectselector2/cloudpubsub/topicList

• Click the checkbox for the Topic.

• At the right side of the console, select "SHOW INFO PANEL".

• Click Add members

• Enter the service account and select the desired role. Usually Pub/Sub Publisher.

Answer 2

You do not need to create the gmail service account, it already exists. You are correct about “granting publish privileges” as the same as “Pub/Sub Publisher”.

Under the topic permissions interface, I would pass in the service account gmail-api-push@system.gserviceaccount.com (note: take out the leading “serviceAccount:” part) in the ‘new members’ field, and select “Pub/Sub Publisher” as the role.

I am guessing you couldn’t find the service account because you were looking up serviceAccount:gmail-api-push@system.gserviceaccount.com.