0 votes

In my GCP project (project A) I have created a Pub/Sub topic (topicA), and messages published to this Pub/Sub topic need to be consumed in another GCP project (project B) by a subscription (subscriptionB).

What's the recommended way of setting up subscriptionB?

  1. Define subscriptionB in project A and add the service account from project B with the appropriate IAM permission.
  2. Define subscriptionB in project B. In the Cloud Console it's possible to attach a subscription to a topic from a different project by granting pubsub.topic.attachSubscription (shown below).

Is approach 2 even possible? If yes, when should approach 2 be used, and what needs to be done for approach 2?



1 Answer

2 votes

The 2 approaches are possible, and there is also a 3rd one.

  1. Use the role roles/pubsub.subscriber on the service account of project B, on the subscription (or the project) of project A.
  2. You need to have the role roles/pubsub.subscriber on the topic that you want (or the project) in project A. As defined in the message, you need at least the permission pubsub.topics.attachSubscription on the topic (or the project). For this, you can create a custom role if you want to grant only this permission and not the other 2 permissions of the role roles/pubsub.subscriber.
  3. The third solution is based on solution 1: create a subscription in project A, but a push subscription, and push the messages to an HTTP endpoint. No authentication is required in project B this time. However, if you want to protect your HTTP endpoint (for example deployed on Cloud Run or Cloud Functions), you will need, in the push subscription in project A, to have the correct authorization to call the endpoint in project B.
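As an added example that is not part of the original answer, the three approaches above expressed as Terraform resources for the Google provider. The project IDs (`project-a`, `project-b`), the consumer service account `consumer@project-b.iam.gserviceaccount.com`, the pusher service account `pubsub-pusher`, the Cloud Run service name and URL, and the region are placeholders I assumed for illustration; `topicA` and `subscriptionB` are the names from the question. Each grant is scoped to the single topic, subscription or service rather than the whole project, which is the least-privilege form of what the answer describes.

```hcl
# Added example (Terraform, google provider); not code from the original answer.
# Placeholder identifiers: project-a, project-b, consumer service account,
# pubsub-pusher, Cloud Run service "consumer" and its URL, region us-central1.

variable "project_a"   { default = "project-a" }                                   # placeholder
variable "project_b"   { default = "project-b" }                                   # placeholder
variable "consumer_sa" { default = "consumer@project-b.iam.gserviceaccount.com" } # placeholder

data "google_project" "a" {
  project_id = var.project_a
}

# ---- Approach 1: subscription lives in project A; project B's SA pulls from it ----
resource "google_pubsub_subscription" "approach1" {
  project = var.project_a
  name    = "subscriptionB"
  topic   = "projects/${var.project_a}/topics/topicA"
}

# Grant subscriber on this one subscription only, not on all of project A.
resource "google_pubsub_subscription_iam_member" "approach1_subscriber" {
  project      = var.project_a
  subscription = google_pubsub_subscription.approach1.name
  role         = "roles/pubsub.subscriber"
  member       = "serviceAccount:${var.consumer_sa}"
}

# ---- Approach 2: subscription lives in project B, attached to the topic in A ----
# Custom role carrying only pubsub.topics.attachSubscription, so project B's
# identity cannot also consume or ack on subscriptions that live in project A.
resource "google_project_iam_custom_role" "attach_only" {
  project     = var.project_a
  role_id     = "pubsubAttachSubscription"
  title       = "Pub/Sub attach subscription only"
  permissions = ["pubsub.topics.attachSubscription"]
}

resource "google_pubsub_topic_iam_member" "approach2_attach" {
  project = var.project_a
  topic   = "topicA"
  role    = google_project_iam_custom_role.attach_only.id
  member  = "serviceAccount:${var.consumer_sa}"
}

# Created in project B by the identity granted above; the cross-project topic
# is referenced by its full resource name.
resource "google_pubsub_subscription" "approach2" {
  project = var.project_b
  name    = "subscriptionB"
  topic   = "projects/${var.project_a}/topics/topicA"
}

# ---- Approach 3: push subscription in A, authenticated call into B ----
# Identity in project A that Pub/Sub signs an OIDC token for on each push.
resource "google_service_account" "pusher" {
  project    = var.project_a
  account_id = "pubsub-pusher"
}

# Pub/Sub's service agent must be able to mint tokens for that identity
# (granted automatically for newer projects; needed explicitly for older ones).
resource "google_service_account_iam_member" "pusher_token_creator" {
  service_account_id = google_service_account.pusher.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:service-${data.google_project.a.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
}

resource "google_pubsub_subscription" "approach3" {
  project = var.project_a
  name    = "subscriptionB-push"
  topic   = "projects/${var.project_a}/topics/topicA"
  push_config {
    push_endpoint = "https://consumer-PLACEHOLDER-uc.a.run.app/pubsub" # placeholder Cloud Run URL
    oidc_token {
      service_account_email = google_service_account.pusher.email
    }
  }
}

# Only the pusher identity may invoke the Cloud Run service in project B;
# no allUsers binding, so the endpoint is not reachable anonymously.
resource "google_cloud_run_service_iam_member" "invoker" {
  project  = var.project_b
  location = "us-central1" # placeholder region
  service  = "consumer"    # placeholder service name
  role     = "roles/run.invoker"
  member   = "serviceAccount:${google_service_account.pusher.email}"
}
```

For approach 2 the `google_pubsub_subscription.approach2` resource has to be applied by the identity that received the topic-level grant (here `consumer_sa`), since attaching is checked against whoever creates the subscription. The Cloud Run service in approach 3 should additionally verify the `Authorization: Bearer` OIDC token's audience and issuer on each request, because the IAM invoker binding alone only controls who can reach the service, not what the handler trusts.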