amir

Reputation: 11

Restrict user access to a topic/subscription in google pub/sub

In my project, project A publishes a message and project B pulls it out of Google Cloud. I have several B clients and want to limit them to a specific topic and subscription. I tried IAM conditions, but they do not work for Pub/Sub and seem to be only for Pub/Sub Lite. Does anyone know how to restrict user access to a particular topic and subscription?

Upvotes: 1

Views: 1903

Answers (1)

guillaume blaquiere

Reputation: 76000

You can grant roles at different levels:

  • Organization
  • Folder
  • Project
  • Resource

When you go to the IAM page, you grant at the project level, and thus you have access to all the resources of the project.

You are probably in this case: you granted a service account of project B a Pub/Sub role on project A, and thus the service account has access to all topics/subscriptions.

To solve this, you can grant a service account only on a topic or on a subscription (at resource level):

  • Go to the topic or subscription page
  • Tick the checkbox in front of the resource that you want
  • Go to the right, in the info panel, in the permission tab
  • Click on "Add member" to grant a service account (or a user account) only on this resource


Alternatively, you can use the method projects.topics.setIamPolicy of the PubSub API to set permissions at the resource level.

If you don't want to call the API directly, you can also use the CLI with this command:

gcloud pubsub topics set-iam-policy TOPIC POLICY_FILE

Upvotes: 3
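As an added illustration of the resource-level grant described in the answer (example code, not from the answerer; project names, topic, subscription and service-account emails are constructed), this Python builds the POLICY_FILE that gcloud pubsub topics/subscriptions set-iam-policy consumes: only the publisher is bound on the topic, only one client is bound on its subscription, and the etag from get-iam-policy is kept so a concurrent policy change is rejected instead of silently overwritten.

```python
import json
from typing import Dict, List

# Constructed sample values: hypothetical projects, resources and service
# accounts standing in for "project A" (publisher) and "project B" (consumer).
TOPIC = "orders"
SUBSCRIPTION = "orders-client-1"
PUBLISHER_SA = "serviceAccount:publisher@project-a.iam.gserviceaccount.com"
CLIENT_SA = "serviceAccount:client-1@project-b.iam.gserviceaccount.com"


def add_binding(policy: Dict, role: str, member: str) -> Dict:
    """Return a copy of an IAM policy with `member` bound to `role`.

    Other bindings and the etag are preserved; set-iam-policy uses the etag
    to reject the write if the policy changed since it was read. Binding a
    member that is already present is a no-op.
    """
    updated = json.loads(json.dumps(policy))  # deep copy, input untouched
    bindings: List[Dict] = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def members_for(policy: Dict, role: str) -> List[str]:
    """All members bound to `role` in `policy` (empty list if none)."""
    return [m for b in policy.get("bindings", [])
            if b["role"] == role for m in b["members"]]


def scoped_policies(topic_policy: Dict, sub_policy: Dict) -> Dict[str, Dict]:
    """Least-privilege split: publisher on the topic, consumer on the
    subscription. No project-level pubsub role is granted to either."""
    return {
        "topic-policy.json": add_binding(
            topic_policy, "roles/pubsub.publisher", PUBLISHER_SA),
        "subscription-policy.json": add_binding(
            sub_policy, "roles/pubsub.subscriber", CLIENT_SA),
    }


if __name__ == "__main__":
    # Constructed stand-ins for `gcloud pubsub ... get-iam-policy --format=json`.
    fresh = {"etag": "BwXexample=", "bindings": []}
    for path, policy in scoped_policies(fresh, fresh).items():
        with open(path, "w") as f:
            json.dump(policy, f, indent=2)
    print(f"gcloud pubsub topics set-iam-policy {TOPIC} topic-policy.json")
    print(f"gcloud pubsub subscriptions set-iam-policy {SUBSCRIPTION} subscription-policy.json")
```

Run `gcloud pubsub topics get-iam-policy TOPIC --format=json` first and feed its output in as `topic_policy`, so that existing bindings and the current etag are carried over.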
