pubsub permission question regarding getTopic and getSubscription

[fondberg]

We would like to have a service account with access only to subscribe to a topic and not t to publish or create anything else than create its subscription on one topic if the subscription doesn't exists.

Given the code below what is needed to get it to work without granting access to the actual project?

  private static void ensureTopicAndSubscriptionExist(
      PubSub pubsub, String topic, String subscription) {
   
    if (pubsub.getTopic(topic) == null) {
      throw new IllegalStateException("Topic does not exist: " + topic);
    }
   
    if (pubsub.getSubscription(subscription) == null) {
      LOG.info("creating PubSub subscription={} for topic={}", subscription, topic);
      pubsub.create(SubscriptionInfo.of(topic, subscription));
      LOG.info("created PubSub subscription={} for topic={}", subscription, topic);
    }
  }

We only get this to work if the service account user has edit rights on the project

[mziccard]

Hi @fonzy2013!

Did you have a look at the Access Control page in Pub/Sub docs? From your code it seems that you need to be able to get topics, get subscriptions, subscribe to topics and pull messages.
From the docs it seems that you need to grant to the user the following roles:

• Pub/Sub Viewer: allows to get/list topics and subscriptions
• Pub/Sub Subscriber: allows to create subscriptions and pull messages
  Have you tried this?

If you already know the topic/subscription you want to grant access to you should be able to grant the above permissions only on the topic/subscription you are interested in.

[fondberg]

Thanks, it doesn't work so I guess I will file a support ticket elsewhere as here is only for the high level java api...

[mziccard]

Sounds like a plan, I am closing this but please feel free back what the solution to the problem was!

[fondberg]

OK