How to add subscriber role and publisher role to deadletter for google cloud pubsub using nodeJS?

0
votes

We've been following https://cloud.google.com/pubsub/docs/dead-letter-topics and nodeJS client to create, update our pubsub topics and subscriptions but after following:

async function createSubscriptionWithDeadLetterPolicy() {
  // Creates a new subscription
  await pubSubClient.topic(topicName).createSubscription(subscriptionName, {
    deadLetterPolicy: {
      deadLetterTopic: pubSubClient.topic(deadLetterTopicName).name,
      maxDeliveryAttempts: 10,
    },
  });
  console.log(
    `Created subscription ${subscriptionName} with dead letter topic ${deadLetterTopicName}.`
  );
  console.log(
    'To process dead letter messages, remember to add a subscription to your dead letter topic.'
  );
}

We get this in the dead-letter enter image description here

This Suggests running the command in CLI for each dead-letter but we don't want to do it manually for each subscription is there a way to do this in nodeJS client itself? Or doing so for all the subscriptions once and for all even for the new subscriptions that will be created in given project later on.

2
node.jsgoogle-cloud-pubsubgoogle-api-nodejs-client

2 Answers

1
votes

According to this part of the documentation, you need to grant 2 roles to the PubSub service agent service account. And of course, you can do it by API calls. And, it's not so easy!

In fact, it's not difficult, just boring! Why? Because, you can't only "add" a policy, you set the whole policies. To achieve this:

  • Get all the existing policies
  • Add your policy in the existing list
  • Submit the new list of policies.

You need to do this:

  • Either globally by setting the policies at the project level. Easier but less secure (break the least privilege principle)
  • Or on each Dead Letter topic and on each subscription with Dead Letter set up.

You have code example in the Client library doc

EDIT1

If you script the grant access mechanism, you don't care to find it or not: it exists, that's all! Maybe you don't view it on the console, but it exists. Only the pattern is important:

service-<project-number>@gcp-sa-pubsub.iam.gserviceaccount.com

If you are looking for it on the console, it's tricky now! You have to go to Access -> IAM. And then click on the check box on the top rigth corner to display the Google technical accounts

enter image description here

0
votes

In case anyone needs it, here are the functions that I made up from @guillaume blaquiere's answer:

  private async bindPolicyToSubscriber(
    subscriptionTopicName: string,
    subscriptionName: string,
  ) {
    if (process.env.PROJECT_NUMBER) {
      try {
        const pubSubTopic = this.getClient().topic(subscriptionTopicName);
        const myPolicy = {
          bindings: [
            {
              role: 'roles/pubsub.subscriber',
              members: [
                `serviceAccount:service-${process.env.PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com`,
              ],
            },
          ],
        };
        await pubSubTopic
          .subscription(subscriptionName)
          .iam.setPolicy(myPolicy);
      } catch (e) {
        console.error('Error while binding policy.', e);
      }
    }
  }

  private async bindPolicyToDeadLetterTopic(deadLetterTopicName: string) {
    if (process.env.PROJECT_NUMBER) {
      try {
        const pubSubTopic = this.getClient().topic(deadLetterTopicName);
        const myPolicy = {
          bindings: [
            {
              role: 'roles/pubsub.publisher',
              members: [
                `serviceAccount:service-${process.env.PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com`,
              ],
            },
          ],
        };
        await pubSubTopic.iam.setPolicy(myPolicy);
      } catch (e) {
        console.error('Error while binding policy.', e);
      }
    }
  }