I've created a service account I intend to use in our development environment, and since its credentials are checked into source control, I want to lock down its access to the bare minimum.
When spinning up new hosts, our app creates a new Pub/Sub subscription, listens on the newly created subscription, then deletes it when finished. We chose this model over having a number of preconfigured/hardcoded subscriptions because the number of hosts scales up and down over time, we don't want host-specific config (in the form of a host-subscription map) if possible, etc. Ideally, we want the same behavior in our local development environments for debugging.
I created a specific "development" topic and granted our development service account the Pub/Sub Admin role, allowing it to attach subscriptions to that topic. I also granted the service account the project-level permission that allows it to create subscriptions. The service account can successfully create a new subscription and attach it to the topic, but when it tries to read from the new subscription, I receive a permission denied error.
I'm guessing this is because, when I check the newly created subscription, I notice that the service account that created it is not granted any permissions of any kind on that subscription. I would have expected the account that created a subscription to at least have read rights to it.
Is there a way for a service account to create subscriptions, attach them to a topic, and then read from those subscriptions... while not giving the service account access to any other subscriptions or topics? I'm aware I could just give the service account a "higher level" role with access to read all subscriptions, but that defeats the purpose of having a development-only account.
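The create/listen/delete flow described in the question, written out as an added example (not the asker's code) against the google-cloud-pubsub client. The project ID, topic ID and subscription-name prefix are hypothetical placeholders. It adds the check a practitioner would want before listening: a testIamPermissions call on the freshly created subscription, which reports which of the listed permissions the caller actually holds on that resource, so a missing consume right surfaces as a precise error instead of a permission-denied on the first pull. It does not change which grants are needed; it only makes the gap explicit.

```python
"""Ephemeral per-host Pub/Sub subscription with an explicit IAM pre-flight check.

Added example, not the asker's code. Project, topic and name prefix are
hypothetical placeholders. The google-cloud-pubsub client is imported lazily
so the pure helpers below can be exercised without the library or a network.
"""
import uuid

# Permissions the flow needs on the *subscription* resource itself. Creating
# and attaching a subscription uses pubsub.subscriptions.create (project) and
# pubsub.topics.attachSubscription (topic); neither implies these two.
REQUIRED_SUBSCRIPTION_PERMISSIONS = (
    "pubsub.subscriptions.consume",  # needed to pull / streaming-pull
    "pubsub.subscriptions.delete",   # needed for cleanup when the host goes away
)


def missing_permissions(required, granted):
    """Return the entries of `required` absent from `granted`, in the order of
    `required`, so the caller can fail early with an exact list."""
    granted_set = set(granted)
    return [p for p in required if p not in granted_set]


def ephemeral_subscription_name(prefix="dev-host"):
    """Unique name carrying a fixed prefix (hypothetical), so that any later
    IAM scoping by subscription name has something stable to match on."""
    return f"{prefix}-{uuid.uuid4().hex[:12]}"


def run_host(project_id, topic_id, prefix="dev-host", max_messages=10):
    """Create a subscription, verify the caller can actually use it, pull one
    batch, ack it, then delete the subscription. Returns message payloads."""
    from google.api_core.exceptions import PermissionDenied  # lazy: real path only
    from google.cloud import pubsub_v1

    subscriber = pubsub_v1.SubscriberClient()
    topic_path = subscriber.topic_path(project_id, topic_id)
    sub_path = subscriber.subscription_path(
        project_id, ephemeral_subscription_name(prefix))

    subscriber.create_subscription(request={"name": sub_path, "topic": topic_path})
    try:
        # testIamPermissions never raises for missing permissions; it just
        # echoes back the subset the caller holds on the resource.
        resp = subscriber.test_iam_permissions(request={
            "resource": sub_path,
            "permissions": list(REQUIRED_SUBSCRIPTION_PERMISSIONS),
        })
        missing = missing_permissions(REQUIRED_SUBSCRIPTION_PERMISSIONS, resp.permissions)
        if missing:
            raise PermissionError(
                f"caller lacks {missing} on {sub_path}; create/attach rights "
                "do not grant the ability to consume from the result")

        pull = subscriber.pull(request={"subscription": sub_path,
                                        "max_messages": max_messages})
        received = [m.message.data for m in pull.received_messages]
        if pull.received_messages:
            subscriber.acknowledge(request={
                "subscription": sub_path,
                "ack_ids": [m.ack_id for m in pull.received_messages],
            })
        return received
    finally:
        # Delete is also a subscription-level permission, so cleanup can fail
        # for the same reason as consume; don't let that mask the real error.
        try:
            subscriber.delete_subscription(request={"subscription": sub_path})
        except PermissionDenied as exc:
            print(f"cleanup of {sub_path} failed: {exc}")
```

Run it with real credentials as `run_host("my-project", "development")`; with the account described in the question, the pre-flight check is what fails, and the message names the exact subscription-level permissions that are absent.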