0
votes

I have two projects Project-A and Project-B.

On Project-A I have a service account [email protected] which I want to use to read messages from Project-B PubSub topic.

I've created a topic subscription on Project-B, projects/project-b/subscriptions/data. Then I added [email protected] in the Permissions tab as a Subscriber. I believe it should give me access.

But if I try:

import java.util.Arrays;
import com.google.api.services.pubsub.model.TestIamPermissionsRequest;
import com.google.api.services.pubsub.model.TestIamPermissionsResponse;

// topicSubscription holds the full resource name, e.g. "projects/project-b/subscriptions/data"
TestIamPermissionsRequest iamreq = new TestIamPermissionsRequest();
iamreq.setPermissions(Arrays.asList(
        "pubsub.subscriptions.consume",
        "pubsub.subscriptions.get"
));
TestIamPermissionsResponse iamresp = pubsub.projects().subscriptions()
        .testIamPermissions(topicSubscription, iamreq).execute();

It returns an empty list of permissions.

And for actual pull request:

import com.google.api.services.pubsub.model.PullRequest;
import com.google.api.services.pubsub.model.PullResponse;

PullRequest pull = new PullRequest();
pull.setMaxMessages(1);
pull.setReturnImmediately(true);
// same subscription resource name as in the testIamPermissions call above
PullResponse pullResp = pubsub.projects().subscriptions().pull(topicSubscription, pull).execute();

It fails with:

com.google.api.client.googleapis.json.GoogleJsonResponseException: 403
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "User not authorized to perform this action.",
    "reason" : "forbidden"
  } ],
  "message" : "User not authorized to perform this action.",
  "status" : "PERMISSION_DENIED"
}

I've double checked that the service account is in the Subscribers list, also tried to remove/add it again, etc. Tried with a different project. It doesn't change anything.

If I have the PubSub Topic Subscription and the Service Account under the same Cloud Project, then it works fine, for both testIamPermissions and pull requests. Does it mean that an IAM Service Account cannot be used to get access to PubSub from another project?

Please note that it works fine for Storage access from another project, which means that the problem is specific to PubSub. That's why I think I've missed something on the PubSub configuration side. But what exactly?

1
It seems that the Cloud Console is broken, because if I add the Subscriber permission directly through the API it works as expected (still investigating...) – Igor Artamonov

Seems like you're calling pubsub.projects().subscriptions().testIamPermissions against a topic, which seems incorrect. – Takashi Matsuo

It's a correct topic subscription, in the form projects/%xxx%/subscriptions/%yyyy%. The client lib throws a different exception if I try to pass an invalid value there. – Igor Artamonov

Ok, then why is the variable named topic? – Takashi Matsuo

Because it's the topic's subscription; how should I call it? Maybe I'm an old-fashioned guy, but it was always "topic" in every other Message Queue system. So I keep calling it "topic"; sometimes it's hard to change your habits. – Igor Artamonov

1 Answer

1
votes

To consume from a Topic Subscription, the "Subscriber" role should be given on the Subscription. Unfortunately it's not possible with the Cloud Console right now.

The problem was that the Cloud Console is misleading: by selecting a Topic I expected to set up permissions for the Topic's Subscriptions as well (because there's no separate UI for Topic Subscriptions after all). But it doesn't work like this; the Permissions form applies changes only to the selected Topic, ignoring all existing Topic Subscriptions. Basically you cannot view or edit Subscriber permissions; there's no such UI currently.

PS There's a way to do that via the API, though. But it doesn't work for my situation.
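The API route the answer refers to, as an added example that is not part of the original post or answer: the grant goes on the subscription resource, not its topic, with the same com.google.api.services.pubsub library the question uses. It assumes an authenticated Pubsub client like the question's pubsub (one built with credentials that may administer Project-B for the grant, one with the service account's own credentials for the check) and uses a placeholder where the page elides the service account address.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import com.google.api.services.pubsub.Pubsub;
import com.google.api.services.pubsub.model.Binding;
import com.google.api.services.pubsub.model.Policy;
import com.google.api.services.pubsub.model.SetIamPolicyRequest;
import com.google.api.services.pubsub.model.TestIamPermissionsRequest;
import com.google.api.services.pubsub.model.TestIamPermissionsResponse;

public class SubscriptionIamGrant {
    // The Project-B subscription named in the question. IAM is set on this resource,
    // not on its topic: topic and subscription carry separate policies.
    static final String SUBSCRIPTION = "projects/project-b/subscriptions/data";
    // Placeholder: the Project-A service account address is elided on the page.
    static final String MEMBER = "serviceAccount:<service-account-from-project-a>";
    // Least privilege for pull/ack; no broader pubsub role is needed on the subscription.
    static final String ROLE = "roles/pubsub.subscriber";

    /** Adds MEMBER to ROLE on the subscription via read-modify-write. The etag returned by
     *  getIamPolicy stays on the Policy object, so a concurrent policy change makes
     *  setIamPolicy fail instead of silently overwriting someone else's binding. */
    static Policy grantSubscriber(Pubsub adminClient) throws IOException {
        Policy policy = adminClient.projects().subscriptions().getIamPolicy(SUBSCRIPTION).execute();
        List<Binding> bindings = policy.getBindings() != null ? policy.getBindings() : new ArrayList<Binding>();
        Binding target = null;
        for (Binding b : bindings) {
            if (ROLE.equals(b.getRole())) { target = b; break; }
        }
        if (target == null) {
            target = new Binding().setRole(ROLE).setMembers(new ArrayList<String>());
            bindings.add(target);
        }
        if (target.getMembers() == null) target.setMembers(new ArrayList<String>());
        if (!target.getMembers().contains(MEMBER)) target.getMembers().add(MEMBER);
        policy.setBindings(bindings);
        return adminClient.projects().subscriptions()
                .setIamPolicy(SUBSCRIPTION, new SetIamPolicyRequest().setPolicy(policy)).execute();
    }

    /** The same check the question runs, but called with the service account's own credentials:
     *  the response lists only the permissions the caller actually holds on the subscription. */
    static boolean canConsume(Pubsub serviceAccountClient) throws IOException {
        TestIamPermissionsRequest req = new TestIamPermissionsRequest().setPermissions(
                Arrays.asList("pubsub.subscriptions.consume", "pubsub.subscriptions.get"));
        TestIamPermissionsResponse resp = serviceAccountClient.projects().subscriptions()
                .testIamPermissions(SUBSCRIPTION, req).execute();
        List<String> held = resp.getPermissions();
        return held != null && held.contains("pubsub.subscriptions.consume");
    }
}
```

An empty permissions list from canConsume after the grant means the binding landed on the wrong resource (typically the topic), which is exactly the symptom the question describes.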