Reputation: 145
Some of my service accounts are getting 403 (user not authorized) errors trying to publish/subscribe to PubSub. It appears it's not honoring "Inherited" permissions from Project level IAM.
I have verified the service accounts have IAM permissions to PubSub Subscriber & Viewer; and when I check the topic and subscriptions, they list the service accounts as type "Inherited". If I manually add the service account to the same permission from PubSub Console the UI lists it as "Mixed" and then it works.
What's strange is this was working fine before. I accidentally deleted these same service accounts yesterday. I recreated them the same way, set up permissions the same way, and it won't work. Also, the accounts that weren't deleted still work using "Inherited" permissions.
Some other things I've tried:
Long term I guess I'd prefer to control permissions per Topic/Sub; but I'm still baffled why this isn't working or what I've done wrong.
Upvotes: 1
Views: 519
Reputation: 1009
There currently seems to be a limitation with project-level permissions when a service account is deleted and recreated. The permissions for the newly created service account will not be propagated as expected.
If the service account is created with a different name, inherited permissions should work correctly. Note that permission propagation is not immediate and can have a delay. You may have to wait a few minutes to see the changes reflected.
For further assistance, you may need to contact Cloud Support so they can look into the specifics of your situation.
Upvotes: 2
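The behaviour described in the answer has a visible trace in the project policy: Google Cloud keeps a deleted service account's bindings under a `deleted:serviceAccount:EMAIL?uid=ID` member, and a recreated account with the same name is a new identity that never matches those entries. The following is an added example (not from this thread) that finds such stale bindings in a policy JSON and rewrites them for the recreated account; it assumes the shape returned by `gcloud projects get-iam-policy PROJECT --format=json`, and the project, account name and uid in the sample are constructed placeholders.

```python
import copy
import json

DELETED_PREFIX = "deleted:serviceAccount:"

# Constructed sample policy: `pubsub-worker` was deleted and recreated with
# the same name. Project name, account and uid are placeholders.
SA = "pubsub-worker@my-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/pubsub.subscriber",
         "members": [f"{DELETED_PREFIX}{SA}?uid=123456789012345678901",
                     "serviceAccount:other-sa@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/pubsub.viewer",
         "members": [f"{DELETED_PREFIX}{SA}?uid=123456789012345678901"]},
    ],
    "etag": "BwXyz=",
    "version": 1,
}


def _deleted_email(member):
    """Email of a `deleted:serviceAccount:EMAIL?uid=ID` member, else None."""
    if not member.startswith(DELETED_PREFIX):
        return None
    return member[len(DELETED_PREFIX):].split("?uid=", 1)[0]


def stale_bindings(policy):
    """(role, email) pairs whose binding still points at a deleted account."""
    return [(b["role"], _deleted_email(m))
            for b in policy.get("bindings", [])
            for m in b.get("members", []) if _deleted_email(m)]


def rebind_recreated(policy, recreated_emails):
    """Copy of policy with stale members for recreated accounts replaced by
    live `serviceAccount:EMAIL` members; duplicates (the 'Mixed' case where
    the new account was also added by hand) are collapsed."""
    fixed = copy.deepcopy(policy)
    for b in fixed.get("bindings", []):
        members = []
        for m in b.get("members", []):
            email = _deleted_email(m)
            if email in recreated_emails:
                m = "serviceAccount:" + email
            if m not in members:
                members.append(m)
        b["members"] = members
    return fixed


if __name__ == "__main__":
    print(stale_bindings(SAMPLE_POLICY))
    print(json.dumps(rebind_recreated(SAMPLE_POLICY, {SA}), indent=2))
```

The rewritten policy (etag included) is what you would hand to `gcloud projects set-iam-policy`; run the check first against a real policy dump to confirm the `deleted:` entries are the ones you expect before applying anything.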