Reputation: 19995
I want to run Dataflow jobs with a per job dedicated custom service account.
Upon creation, the Dataflow job wants to create a new Pub/Sub subscription, on deployment, to use as the watermark tracking subscription. It has the form <SOURCE_SUB_NAME>__df_internal<HASH>, where SOURCE_SUB_NAME is the actual subscription that the Dataflow pipeline has been configured to pull data from.
My question is how this can be done under the Principle of Least Privilege using a custom service account for this specific Dataflow job. Since the job needs to create a copy of the source Pub/Sub subscription, it needs to make a new subscription on the Pub/Sub topic which feeds the source subscription. However, even if I grant the job service account roles/pubsub.subscriber OR roles/pubsub.editor on the topic in question, I still get 403 errors in the pipeline, trying to call the Subscriber.CreateSubscription API endpoint. Empirically, I found I could only get Dataflow to make the new tracking subscription if I granted roles/pubsub.editor against the entire GCP project.
Given that, how can you use PLP without making your Dataflow job a Pub/Sub Editor on the entire GCP project? Being a project wide Pub/Sub editor means your job could read from any other topic, thus giving it more potential data access than necessary for a given job.
Upvotes: 0
Views: 52
Reputation: 75950
You have to use 2 custom roles:
1. One with pubsub.subscriptions.create; pubsub.subscriptions.get, pubsub.subscriptions.list and pubsub.subscriptions.update could be required, I don't know exactly how your Dataflow pipeline works.
2. One with pubsub.topics.attachSubscription.
With these 2 created, you have to grant your Dataflow Service Account like this:
By doing this, your Dataflow can create multiple subscriptions, but can attach them only to the authorized topic, not to others. No data leakage like this.
Upvotes: 0
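The two-role split described in the answer above, written out as an added gcloud script that is not part of the original answer: subscriptions are project-level resources, so the create/get/list/update role is bound on the project, while pubsub.topics.attachSubscription is bound on the single source topic. PROJECT_ID, TOPIC, SOURCE_SUB, DATAFLOW_SA and the custom role IDs are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not from the original answers. Creates the two custom roles
# described above and binds them to a per-job Dataflow service account.
# PROJECT_ID, TOPIC, SOURCE_SUB and DATAFLOW_SA are assumed placeholder values.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
TOPIC="${TOPIC:-source-topic}"
SOURCE_SUB="${SOURCE_SUB:-source-sub}"
DATAFLOW_SA="${DATAFLOW_SA:-df-job-sa@my-project.iam.gserviceaccount.com}"

# With DRY_RUN=1 the gcloud commands are printed instead of executed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Role 1: create/inspect the job's internal (__df_internal) subscriptions.
# Subscriptions belong to the project, so this role is bound on the project.
create_subscription_role() {
  run gcloud iam roles create dataflowSubscriptionManager --project="$PROJECT_ID" \
    --title="Dataflow subscription manager" \
    --permissions=pubsub.subscriptions.create,pubsub.subscriptions.get,pubsub.subscriptions.list,pubsub.subscriptions.update
}

# Role 2: attach a subscription to a topic. Bound on the source topic only,
# so the job cannot subscribe to any other topic in the project.
create_attach_role() {
  run gcloud iam roles create dataflowTopicAttacher --project="$PROJECT_ID" \
    --title="Dataflow topic attacher" \
    --permissions=pubsub.topics.attachSubscription
}

bind_roles() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$DATAFLOW_SA" \
    --role="projects/$PROJECT_ID/roles/dataflowSubscriptionManager"
  run gcloud pubsub topics add-iam-policy-binding "$TOPIC" --project="$PROJECT_ID" \
    --member="serviceAccount:$DATAFLOW_SA" \
    --role="projects/$PROJECT_ID/roles/dataflowTopicAttacher"
  # Pulling from the configured source subscription needs the predefined
  # subscriber role on that one subscription only, not on the whole project.
  run gcloud pubsub subscriptions add-iam-policy-binding "$SOURCE_SUB" --project="$PROJECT_ID" \
    --member="serviceAccount:$DATAFLOW_SA" --role="roles/pubsub.subscriber"
}

main() { create_subscription_role; create_attach_role; bind_roles; }
# Fall back to printing the commands when gcloud is not installed.
command -v gcloud >/dev/null 2>&1 || DRY_RUN=1
main
```

Run with DRY_RUN=1 first to review the five gcloud commands before applying them.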
Reputation: 153
The 403 error refers to an incorrect IAM permission, and as for your project, my insight is to make a custom role with only the permissions necessary to create and manage subscriptions (not roles/pubsub.editor). After that, assign that custom role at the topic level (roles/pubsub.subscriber) and this will follow the PLP and avoid granting unnecessary permissions.
Upvotes: 0