# Pubsub Access Control
This section describes the access control options available to you in Google Cloud Pub/Sub. Google Cloud Pub/Sub uses Google Cloud Identity and Access Management (IAM) for access control.
In Google Cloud Pub/Sub, access control can be configured at the project level and at the individual resource level. For example:
- Grant access on a per-topic or per-subscription basis, rather than for the whole Cloud project.
- Grant access with limited capabilities, such as to only publish messages to a topic, or to only consume messages from a subscription, but not to delete the topic or subscription.
- Grant access to all Google Cloud Pub/Sub resources within a project to a group of developers.
Every Google Cloud Pub/Sub method requires the caller to have the necessary permissions. The following sections summarize the permissions and roles Google Cloud Pub/Sub IAM supports.
## Pubsub Permissions
The following table lists the permissions that the caller must have to call each method:

| Method | Required permission(s) |
|---|---|
| `projects.subscriptions.acknowledge` | `pubsub.subscriptions.consume` on the requested subscription. |
| `projects.subscriptions.create` | `pubsub.subscriptions.create` on the containing Cloud project, and `pubsub.topics.attachSubscription` on the requested topic. |
| `projects.subscriptions.delete` | `pubsub.subscriptions.delete` on the requested subscription. |
| `projects.subscriptions.get` | `pubsub.subscriptions.get` on the requested subscription. |
| `projects.subscriptions.getIamPolicy` | `pubsub.subscriptions.getIamPolicy` on the requested subscription. |
| `projects.subscriptions.list` | `pubsub.subscriptions.list` on the requested Cloud project. |
| `projects.subscriptions.modifyAckDeadline` | `pubsub.subscriptions.consume` on the requested subscription. |
| `projects.subscriptions.modifyPushConfig` | `pubsub.subscriptions.update` on the requested subscription. |
| `projects.subscriptions.pull` | `pubsub.subscriptions.consume` on the requested subscription. |
| `projects.subscriptions.setIamPolicy` | `pubsub.subscriptions.setIamPolicy` on the requested subscription. |
| `projects.subscriptions.testIamPermissions` | None. |
| `projects.topics.create` | `pubsub.topics.create` on the containing Cloud project. |
| `projects.topics.delete` | `pubsub.topics.delete` on the requested topic. |
| `projects.topics.get` | `pubsub.topics.get` on the requested topic. |
| `projects.topics.getIamPolicy` | `pubsub.topics.getIamPolicy` on the requested topic. |
| `projects.topics.list` | `pubsub.topics.list` on the requested Cloud project. |
| `projects.topics.publish` | `pubsub.topics.publish` on the requested topic. |
| `projects.topics.setIamPolicy` | `pubsub.topics.setIamPolicy` on the requested topic. |
| `projects.topics.testIamPermissions` | None. |
| `projects.topics.subscriptions.list` | `pubsub.topics.get` on the requested topic. |
## Pubsub roles
The following table lists the Google Cloud Pub/Sub IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

| Role | Includes permission(s): | For resource type: |
|---|---|---|
| `roles/pubsub.publisher` | `pubsub.topics.publish` | Topic |
| `roles/pubsub.subscriber` | `pubsub.subscriptions.consume` | Subscription |
| | `pubsub.topics.attachSubscription` | Topic |
| `roles/pubsub.viewer` or `roles/viewer` | `pubsub.topics.list` | Project |
| | `pubsub.topics.get` | Topic |
| | `pubsub.subscriptions.list` | Project |
| | `pubsub.subscriptions.get` | Subscription |
| `roles/pubsub.editor` or `roles/editor` | All of the above, as well as: | |
| | `pubsub.topics.create` | Project |
| | `pubsub.topics.delete` | Topic |
| | `pubsub.topics.update` | Topic |
| | `pubsub.subscriptions.create` | Project |
| | `pubsub.subscriptions.delete` | Subscription |
| | `pubsub.subscriptions.update` | Subscription |
| `roles/pubsub.admin` or `roles/owner` | All of the above, as well as: | |
| | `pubsub.topics.getIamPolicy` | Topic |
| | `pubsub.topics.setIamPolicy` | Topic |
| | `pubsub.subscriptions.getIamPolicy` | Subscription |
| | `pubsub.subscriptions.setIamPolicy` | Subscription |
Note that the basic roles `roles/owner`, `roles/editor`, and `roles/viewer` include permissions for other Google Cloud Platform services as well, so prefer the `roles/pubsub.*` roles when the grant is meant to cover Pub/Sub only.
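The two tables above can be read as an authorization function: a method is allowed when the caller holds each required permission on the resource it is checked against, and a caller holds a permission when some binding on that resource, or on the project containing it, names a role that grants that permission for that resource type. The following is an added example that models exactly that, not Google's code or the service's implementation. It encodes only the `roles/pubsub.*` roles (the basic roles span other services) and a subset of the method table, assumes project-level bindings are inherited by the topics and subscriptions in the project, and uses constructed project, topic and member names. It goes one step past the page by showing the two-resource check behind `projects.subscriptions.create`, where the subscription's project and the topic's project may differ.

```python
"""Authorization model built from the permissions and roles tables above
(added example, not Google's code). Role -> (permission, resource type) and
method -> required permission are data; has_permission() resolves a member's
grants from the resource's own policy plus its containing project's policy
(project-level bindings are assumed to be inherited). All names below are
constructed placeholders.
"""

# (permission, resource type) pairs granted by each role, following the roles table.
_PUBLISHER = {("pubsub.topics.publish", "topic")}
_SUBSCRIBER = {("pubsub.subscriptions.consume", "subscription"),
               ("pubsub.topics.attachSubscription", "topic")}
_VIEWER = {
    ("pubsub.topics.list", "project"),
    ("pubsub.topics.get", "topic"),
    ("pubsub.subscriptions.list", "project"),
    ("pubsub.subscriptions.get", "subscription"),
}
# "All of the above" for editor covers publisher, subscriber and viewer too.
_EDITOR = _PUBLISHER | _SUBSCRIBER | _VIEWER | {
    ("pubsub.topics.create", "project"),
    ("pubsub.topics.delete", "topic"),
    ("pubsub.topics.update", "topic"),
    ("pubsub.subscriptions.create", "project"),
    ("pubsub.subscriptions.delete", "subscription"),
    ("pubsub.subscriptions.update", "subscription"),
}
_ADMIN = _EDITOR | {
    ("pubsub.topics.getIamPolicy", "topic"),
    ("pubsub.topics.setIamPolicy", "topic"),
    ("pubsub.subscriptions.getIamPolicy", "subscription"),
    ("pubsub.subscriptions.setIamPolicy", "subscription"),
}
ROLE_GRANTS = {
    "roles/pubsub.publisher": _PUBLISHER,
    "roles/pubsub.subscriber": _SUBSCRIBER,
    "roles/pubsub.viewer": _VIEWER,
    "roles/pubsub.editor": _EDITOR,
    "roles/pubsub.admin": _ADMIN,
}

# Method -> (permission, name of the call argument holding the resource it is checked on).
METHOD_CHECKS = {
    "projects.topics.create": [("pubsub.topics.create", "project")],
    "projects.topics.delete": [("pubsub.topics.delete", "topic")],
    "projects.topics.publish": [("pubsub.topics.publish", "topic")],
    "projects.subscriptions.pull": [("pubsub.subscriptions.consume", "subscription")],
    "projects.subscriptions.delete": [("pubsub.subscriptions.delete", "subscription")],
    "projects.subscriptions.create": [
        ("pubsub.subscriptions.create", "project"),     # project that will own the subscription
        ("pubsub.topics.attachSubscription", "topic"),  # topic being attached, possibly in another project
    ],
}


def _resource_type(name):
    parts = name.split("/")
    if len(parts) == 2 and parts[0] == "projects":
        return "project"
    if len(parts) == 4 and parts[0] == "projects" and parts[2] in ("topics", "subscriptions"):
        return parts[2][:-1]  # "topics" -> "topic", "subscriptions" -> "subscription"
    raise ValueError(f"not a Pub/Sub resource name: {name}")


def has_permission(policies, member, resource, permission):
    """Does `member` hold `permission` on `resource`? `policies` maps resource
    names to their IAM policy JSON; bindings on the resource itself and on its
    containing project both count."""
    rtype = _resource_type(resource)
    scopes = [resource] if rtype == "project" else [resource, "/".join(resource.split("/")[:2])]
    for scope in scopes:
        for binding in policies.get(scope, {}).get("bindings", []):
            if member in binding["members"] and (permission, rtype) in ROLE_GRANTS.get(binding["role"], ()):
                return True
    return False


def authorized(policies, member, method, **resources):
    """Apply the method table: every listed permission must hold on its resource."""
    return all(has_permission(policies, member, resources[arg], perm)
               for perm, arg in METHOD_CHECKS[method])


def permissions_held(policies, member, resource, permissions):
    """Subset of `permissions` that `member` has on `resource`."""
    return [p for p in permissions if has_permission(policies, member, resource, p)]


# Constructed sample: a pipeline service account in proj-a publishes to a topic
# owned by proj-b; a developer in proj-a reads it through a subscription in proj-a.
PIPELINE = "serviceAccount:[email protected]"
DEV = "user:[email protected]"
POLICIES = {
    "projects/proj-a": {"bindings": [{"role": "roles/pubsub.editor", "members": [PIPELINE, DEV]}]},
    "projects/proj-b/topics/events": {"bindings": [
        {"role": "roles/pubsub.publisher", "members": [PIPELINE]},
        {"role": "roles/pubsub.subscriber", "members": [DEV]},
    ]},
}
```

With these policies the pipeline account can publish to `proj-b`'s topic but cannot delete it, and cannot create a subscription to it from `proj-a` because `roles/pubsub.publisher` does not carry `pubsub.topics.attachSubscription`; the developer, who is a subscriber on the topic and an editor on `proj-a`, can. That is the pair of grants the cross-project use case at the end of this page needs, in the subscribe direction.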
## Access Control via the Google Cloud Pub/Sub IAM API
The Google Cloud Pub/Sub IAM API lets you set and get policies on individual topics and subscriptions in a project, and test a caller's permissions for a given resource. As with the regular Google Cloud Pub/Sub methods, you can invoke the IAM methods via the client libraries, the API Explorer, or directly over HTTP.
Note that you cannot use the Google Cloud Pub/Sub IAM API to manage policies at the Cloud Project level.
The examples below carry the API Explorer's `key={YOUR_API_KEY}` query parameter. An API key does not identify a caller; each request must also be authenticated with an OAuth 2.0 access token for a principal that holds the corresponding `getIamPolicy` or `setIamPolicy` permission on the resource, as listed in the permissions table above.
The following sections give examples for how to set and get a policy, and how to test what permissions a caller has for a given resource.
### Get a Policy
The `getIamPolicy()` method allows you to get a policy that was previously set. This method returns a JSON object containing the policy associated with the resource.
Here is some sample code to get a policy for a subscription:
```
GET https://pubsub.googleapis.com/v1/projects/myproject/subscriptions/mysubscription:getIamPolicy?key={YOUR_API_KEY}

-- Response:
200 OK
{
  "etag": "AxxxxxxY/c=",
  "bindings": [
    {
      "role": "roles/pubsub.admin",
      "members": [
        "user:[email protected]"
      ]
    },
    {
      "role": "roles/pubsub.editor",
      "members": [
        "user:[email protected]",
        "user:[email protected]"
      ]
    }
  ]
}
```
Here is some sample code to get a policy for a topic:
```
GET https://pubsub.googleapis.com/v1/projects/myproject/topics/mytopic:getIamPolicy?key={YOUR_API_KEY}

-- Response:
200 OK
{
  "etag": "Awxxxxxxxxc=",
  "bindings": [
    {
      "role": "roles/viewer",
      "members": [
        "user:[email protected]"
      ]
    }
  ]
}
```
### Set a Policy
The `setIamPolicy()` method lets you attach a policy to a resource. It takes a `SetIamPolicyRequest`, which contains the policy to be set and the resource to which the policy is attached, and returns the resulting policy. The policy you send replaces the resource's existing policy in full: any binding missing from the request is removed. To add a grant rather than replace everything, first fetch the current policy with `getIamPolicy()`, add the new binding to it, and send the result back including the `etag` you received, so that a policy changed by someone else in the meantime is not silently overwritten.
Here is some sample code to set a policy for a subscription:
```
POST https://pubsub.googleapis.com/v1/projects/myproject/subscriptions/mysubscription:setIamPolicy?key={YOUR_API_KEY}
{
  "policy": {
    "bindings": [
      {
        "role": "roles/pubsub.admin",
        "members": [
          "user:[email protected]"
        ]
      },
      {
        "role": "roles/pubsub.editor",
        "members": [
          "user:[email protected]",
          "user:[email protected]"
        ]
      }
    ]
  }
}

-- Response:
200 OK
{
  "etag": "Awxxxxxxxxc=",
  "bindings": [
    {
      "role": "roles/pubsub.admin",
      "members": [
        "user:[email protected]"
      ]
    },
    {
      "role": "roles/pubsub.editor",
      "members": [
        "user:[email protected]",
        "user:[email protected]"
      ]
    }
  ]
}
```
### Test Permissions
You can use the `testIamPermissions()` method to check which of the given permissions the caller has for the given resource. It takes as parameters a resource name and a set of permissions, and returns the subset of permissions that the caller has. As the permissions table notes, the method itself requires no permission; it reports the calling principal's own access, not another user's, and is a convenience for clients (for example, to hide actions the user cannot perform). Enforcement still happens on each actual call.
Here is some sample code to test permissions for a subscription:
```
POST <...>/subscriptions/mysubscription:testIamPermissions?key={YOUR_API_KEY}
{
  "permissions": [
    "pubsub.subscriptions.consume",
    "pubsub.subscriptions.update"
  ]
}

-- Response:
200 OK
{
  "permissions": [
    "pubsub.subscriptions.consume"
  ]
}
```
## Sample Use Case: Cross-Project Communication
Google Cloud Pub/Sub IAM is useful for fine-tuning access in cross-project communication. For example, suppose a service account in Cloud Project A wants to publish messages to a topic in Cloud Project B. You could accomplish this by granting the service account the Editor role (`roles/editor`) on Cloud Project B. However, this approach is often too coarse: that role also lets the account create, update, and delete every topic and subscription in Project B and, as noted above, carries permissions for other Google Cloud Platform services. You can use the IAM API to grant exactly what is needed.
For example, this snippet uses the `setIamPolicy()` method to grant the service account `[email protected]` the publisher role on the topic `projects/myproject/topics/mytopic`. Because `setIamPolicy()` replaces the whole policy, the request as shown leaves the topic with only this one binding; to add the grant to an existing policy, fetch it with `getIamPolicy()` first and include the existing bindings and `etag` in the request:
```
POST https://pubsub.googleapis.com/v1/projects/myproject/topics/mytopic:setIamPolicy?key={YOUR_API_KEY}
{
  "policy": {
    "bindings": [
      {
        "members": [
          "serviceAccount:[email protected]"
        ],
        "role": "roles/pubsub.publisher"
      }
    ]
  }
}
```