Giving GCP service account Pub/Sub rights for topic in different project

Question

I have a Node.js service running in GCP VM, running as a service account. Now I want to subscribe to a Pub/Sub topic. The Service account and the VM belong to Project A, the topic belongs to Project B.

I'm always getting Error: 7 PERMISSION_DENIED: User not authorized to perform this action.

What I have tried:

• Adding https://www.googleapis.com/auth/pubsub to the scopes when creating the template of the VM. Seeing now Cloud Pub/Sub: Enabled in the API and identity management section of the instance. So, that seems to have worked.

• Giving the service account the roles/pubsub.subscriber role via command gcloud projects add-iam-policy-binding my-project --member="serviceAccount:my-sa@my-project.iam.gserviceaccount.com" --role='roles/pubsub.subscriber'

• Giving the service account the "Pub/Sub subscriber" role in Project B:

• Giving the service account access to the topic itself:

But still, the error is the same.

(Side note: If a GCP manager reads this: The GCP logs don't show any details. That's not helpful in this case. If you need four permissions to run something then I expect the logs to be like You need 4 permissions, your user has permission A, C, D, but lacking B and not just User not authorized to perform this action.)

Answer 1

What's your error? Is the error from "trying to create a subscription", or "trying to connect to a subscription and consume message"?

The former needs more permissions than Subscriber: projects.subscriptions.create

Subscriber can only consumer message, but not creating a new subscription: https://cloud.google.com/pubsub/docs/access-control#pubsub.subscriber

Answer 2

can you try my-project-b with a service accont from the my-project-a -

slightly modified your code:

gcloud projects add-iam-policy-binding my-project-b --member="serviceAccount:my-sa@my-project-a.iam.gserviceaccount.com" --role='roles/pubsub.subscriber'

and so on...