Some of my service accounts are getting 403 (user not authorized) errors trying to publish/subscribe to PubSub. It appears it's not honoring "Inherited" permissions from Project level IAM.
I have verified the service accounts have IAM permissions to PubSub Subscriber & Viewer; and when I check the topic and subscriptions, they list the service accounts as type "Inherited". If I manually add the service account to the same permission from the PubSub Console, the UI lists it as "Mixed" and then it works.
Background - It was working before!
What's strange is this was working fine before. I accidentally deleted these same service accounts yesterday. I recreated them the same way, set up permissions the same way, and it won't work. Also, the accounts that weren't deleted still work using "Inherited" permissions.
Some other things I've tried:
- Created service account with different name from what was deleted - didn't work
- Re-created topics/subs after creating service accounts and giving them project-wide permissions - didn't work
Long term, I guess I'd prefer to control permissions per Topic/Sub; but I'm still baffled why this isn't working or what I've done wrong.
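One way to check where a service account's Pub/Sub grants actually come from, as an added example that is not part of the original question: a Python script run over the IAM policy JSON that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud pubsub topics get-iam-policy TOPIC --format=json` return. It separates inherited (project) from direct (topic) roles and flags bindings that still point at a deleted principal, which IAM records as `deleted:serviceAccount:<email>?uid=<unique id>` and which a re-created account with the same email does not match. The project name, account email, uid and sample policies are constructed.

```python
import json

# Constructed sample policies in the shape gcloud returns for
# `gcloud projects get-iam-policy` and `gcloud pubsub topics get-iam-policy`.
# Project name, account email and uid are made up.
SA_EMAIL = "worker@example-project.iam.gserviceaccount.com"
PROJECT_POLICY = {"bindings": [
    {"role": "roles/pubsub.subscriber",
     "members": ["deleted:serviceAccount:" + SA_EMAIL
                 + "?uid=101234567890123456789"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:" + SA_EMAIL]},
]}
TOPIC_POLICY = {"bindings": []}


def roles_for(policy, member):
    """Roles whose binding lists exactly this member string."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def stale_bindings(policy, email):
    """Bindings still pointing at a *deleted* account with this email.

    IAM rewrites a deleted account's entries to
    'deleted:serviceAccount:<email>?uid=<id>'; a re-created account gets a
    new id, so these grants never apply to it.
    """
    prefix = f"deleted:serviceAccount:{email}?uid="
    return sorted((b["role"], m) for b in policy.get("bindings", [])
                  for m in b.get("members", []) if m.startswith(prefix))


def diagnose(project_policy, resource_policy, email, required):
    """Report inherited vs. direct roles, stale grants and missing roles."""
    member = f"serviceAccount:{email}"
    inherited = roles_for(project_policy, member)
    direct = roles_for(resource_policy, member)
    return {
        "inherited": inherited,
        "direct": direct,
        "stale": stale_bindings(project_policy, email)
                 + stale_bindings(resource_policy, email),
        "missing": sorted(set(required) - set(inherited) - set(direct)),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(PROJECT_POLICY, TOPIC_POLICY, SA_EMAIL,
                              ["roles/pubsub.subscriber", "roles/viewer"]), indent=2))
```

A non-empty "stale" list with the wanted role in "missing" means the grant the console shows for that email belongs to the old, deleted account and has to be re-added for the new one.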