guruprasadbhat

Reputation: 17

How to manage GCP permissions to create a subscription and allow deletion of only the subscription created by this service account?

I am trying to create a subscription during the application run time, the code should be able to create a subscription and clean it up after it finishes.

I want to do this with the least possible permissions for the service account I am using. For now, I have created a custom role and gave it two permissions: pubsub.subscriptions.create and pubsub.subscriptions.delete.

Although this allows the creation and clean-up of a subscription, it allows deleting not only the current subscription but also the subscriptions created by other users in the same project.

  1. How can I assign permissions so that the service account can create subscriptions in Pub/Sub and delete the subscription created by this service account?
     Another way to put it: how can I create a subscription at run time and modify only this subscription's permissions to include pubsub.subscriptions.delete (with the same service account)?

  2. Is there a way to make a service account admin/editor for the resources (topics, subscriptions, compute engine, etc.) created by this account? Something like an IAM role that makes it admin after resource creation.

Related Documentation Links: https://cloud.google.com/pubsub/docs/access-control

Upvotes: 0

Views: 1048

Answers (1)

mebius99

Reputation: 2605

This is impossible due to limitations of the Google IAM by design.

In Google IAM, permissions correspond 1:1 with REST methods. To call a method, the caller needs that permission. In other words, permissions are granted on methods so that one can call them, and not on objects so that one can modify/rename/delete them, as would be necessary in your case. You want to delete a certain object, right?

To get more granular access, you need to assign a Policy with a Custom Role on a Subscription object explicitly, but you can hardly assign a Pub/Sub Custom Role below the Project level.

A Subscription creator does not become an "Admin" of the created object, as it could in an access management service with permissions assigned on objects. If explicitly assigning a Policy with a Custom Role on a freshly created Subscription were possible, it would have to be done by an account with a Role that can manage permissions: pubsub.admin, for example. That means that you would have to grant this Role to your service account in addition to the existing Custom Role with the pubsub.subscriptions.create and *.delete permissions. As soon as you do this, the least privilege principle becomes meaningless.

Understanding IAM custom roles

Cloud IAM Documentation > Understanding roles > Pub/Sub roles

Access Control > Required permissions

Access Control > Roles

Upvotes: 1
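Because the delete permission is granted on the method rather than on individual subscriptions, the application itself has to make sure it only ever deletes what it created. The following is an added example, not code from the question or the answer: it wraps the run-time subscription in a context manager that records the one name it created, cleans it up even when the job fails, and refuses to delete any other subscription. It assumes a client with `create_subscription(name=..., topic=...)` and `delete_subscription(subscription=...)`, the keyword call shape of `google.cloud.pubsub_v1.SubscriberClient`; the `FakeSubscriber` is a constructed in-memory stand-in so the example runs offline, and the `ephemeral-` naming prefix is an assumption.

```python
"""Ephemeral Pub/Sub subscription with an application-side deletion guard.

Added example (not from the question or answer). The real client would be
google.cloud.pubsub_v1.SubscriberClient, whose create_subscription(name=,
topic=) and delete_subscription(subscription=) keyword calls this code
assumes; FakeSubscriber below is a constructed stand-in for offline runs.
"""
import secrets
from typing import Callable, Optional, Set

SUB_PREFIX = "ephemeral-"  # assumed naming convention, not from the page


def subscription_path(project: str, sub_id: str) -> str:
    return f"projects/{project}/subscriptions/{sub_id}"


def topic_path(project: str, topic_id: str) -> str:
    return f"projects/{project}/topics/{topic_id}"


def new_subscription_id(prefix: str = SUB_PREFIX) -> str:
    # Random suffix: parallel runs get distinct names and cannot clean up
    # each other's subscriptions by accident.
    return f"{prefix}{secrets.token_hex(6)}"


def delete_owned_only(client, owned: Set[str], path: str) -> bool:
    """Delete `path` only if this process created it; otherwise do nothing.

    IAM lets the role delete any subscription in the project, so this check
    is the application's own guard, not an IAM enforcement.
    """
    if path not in owned:
        return False
    client.delete_subscription(subscription=path)
    owned.discard(path)
    return True


class EphemeralSubscription:
    """Create one subscription for the job's lifetime and remove exactly it."""

    def __init__(self, client, project: str, topic_id: str,
                 sub_id: Optional[str] = None):
        self.client = client
        self.path = subscription_path(project, sub_id or new_subscription_id())
        self.topic = topic_path(project, topic_id)
        self.owned: Set[str] = set()

    def __enter__(self) -> str:
        self.client.create_subscription(name=self.path, topic=self.topic)
        self.owned.add(self.path)  # remember the single name we created
        return self.path

    def __exit__(self, exc_type, exc, tb) -> bool:
        # Runs on success and on failure, so nothing is left behind.
        delete_owned_only(self.client, self.owned, self.path)
        return False  # never swallow the job's exception


def run_with_ephemeral_subscription(client, project: str, topic_id: str,
                                    work: Callable[[str], object]):
    """Create a subscription, run work(subscription_path), always clean up."""
    with EphemeralSubscription(client, project, topic_id) as path:
        return work(path)


class FakeSubscriber:
    """Constructed in-memory client that records calls; not a real client."""

    def __init__(self, existing=()):
        self.subscriptions = set(existing)
        self.log = []

    def create_subscription(self, name: str, topic: str) -> None:
        self.log.append(("create", name))
        self.subscriptions.add(name)

    def delete_subscription(self, subscription: str) -> None:
        self.log.append(("delete", subscription))
        self.subscriptions.discard(subscription)


if __name__ == "__main__":
    fake = FakeSubscriber(existing={"projects/demo/subscriptions/someone-elses"})
    print(run_with_ephemeral_subscription(fake, "demo", "events", lambda p: p))
    print(fake.log, fake.subscriptions)
```

The guard does not shrink what the service account is allowed to do; it only makes the program's own behaviour match the least-privilege intent, which is why the random suffix and the `owned` set matter more than the role definition here.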
