Set publish rights for gmail in google pubsub gives permission denied

3
votes

I'm trying to set publish permissions for gmail to a pubsub topic in google cloud. The application where I implemented this code is running in AWS. It's a PHP application and I'm using version 2.0.0-RC7 of the google PHP api client.

In code, I implemented the flow as described in the documentation:

  • Create a topic (Works)
  • Create a subscription (works)
  • Grant publish rights to gmail (here I get stuck)

The first two actions are done with the same google client instance, that is authenticated with the service account credentials.

The code:

$scopes = [
    'https://www.googleapis.com/auth/pubsub',
    'https://mail.google.com',
];
$pushEndpoint = 'https://some.url/google_notifications/';

$client = new Google_Client();
$client->setScopes($scopes);
$client->setAuthConfig($serviceAccountInfo);
if ($client->isAccessTokenExpired()) {
    $client->refreshTokenWithAssertion();
}
$service = new Google_Service_Pubsub($client);

// This part works
$topicObject = new Google_Service_Pubsub_Topic();
$topicObject->setName($this->getTopicName());
$service->projects_topics->create($this->getTopicName(), $topic);

// This part also works
$push = new Google_Service_Pubsub_PushConfig();
$push->setPushEndpoint($pushEndpoint);

$subscription = new Google_Service_Pubsub_Subscription();
$subscription->setName($this->getSubscriptionName());
$subscription->setTopic($this->getTopicName());
$subscription->setPushConfig($push);
$service->projects_subscriptions->create($this->getSubscriptionName(), $subscription);

// This part gives the error
$binding = new Google_Service_Pubsub_Binding();
$binding->setRole('roles/pubsub.publisher');
$binding->setMembers(['serviceAccount:[email protected]']);

$policy = new Google_Service_Pubsub_Policy();
$policy->setBindings([$binding]);

$setRequest = new Google_Service_Pubsub_SetIamPolicyRequest();
$setRequest->setPolicy($policy);

try {
    $result = $service->projects_topics->setIamPolicy($this->getTopicName(), $setRequest);
    var_dump($result);
} catch (\Exception $e) {
    echo $e->getMessage();
}

The result is always:

{
  "error": {
    "code": 403,
    "message": "User not authorized to perform this action.",
    "errors": [
      {
        "message": "User not authorized to perform this action.",
        "domain": "global",
        "reason": "forbidden"
      }
    ],
    "status": "PERMISSION_DENIED"
  }
}

Can someone tell me what I'm doing wrong ? It's really annoying to set those permissions by hand all the time.

Thanks.

1
phpgoogle-apigmail-apigoogle-cloud-pubsub

1 Answers

1
votes

To use projects.topics.setIamPolicy method your service account must have a "Pub/Sub Admin" role. You can change a role of the account by visiting "IAM & admin" page for your project: https://console.cloud.google.com/iam-admin/iam