Pub/Sub: IAM Permissions Required to Subscribe Unclear #1502
Comments
@tmatsuo any insight?
Sorry to bother you guys again, but I would really like to know the answer to this. If I need to have admin privileges to publish to a topic then I need to reconsider my application design or find a new pub/sub provider. Thanks!
Did you mean subscribe to a topic?
You shouldn't need admin rights to publish to a topic... If you do, that's just broken. Can you confirm if that's happening? You should be required to have write privileges on the topic in order to publish, but I don't think that's the issue you're seeing. I suspect that the issue here is that "subscribing" here (with auto-create) is actually "creating a subscription", which the "Pub/Sub Subscriber" role should allow you to do, but doesn't appear to do... (https://cloud.google.com/pubsub/access_control#tbl_roles) Can you test adding the If that does work, I'd guess that the right fix is to allow "subscribers" to create subscriptions, as well as update and delete subscriptions they've created.
@jgeewax My apologies for the typo. I did mean to say subscribe, as that is what is in my code sample. I can try your suggestions and get back to you later today. Thanks!
@MarkHerhold how did it go?
According to this table,
I have the same issue. I have two service accounts: one for publishing and the other for subscribing. The 1st is OK and I can publish to a topic. The second always returns me The same happens with the editor role. I really don't know what's happening, since I did it the same as the 1st one. publisher: https://github.com/embatbr/livermore-collectors
I tried with the PubSub Admin role. There were some errors due to the node version (4 instead of 6). I updated and it was running. However, the PubSub Subscriber role still has authentication problems.
This isn't immediately clear from most examples, but the Here's a pattern that worked for me based on this comment after adding "Pub/Sub Viewer" and "Pub/Sub Subscriber" IAM permissions directly on the subscription (no project-wide permissions necessary):

```javascript
// Callback-style @google-cloud/pubsub API of the time; PROJECT_ID, TOPIC_NAME and
// SUBSCRIPTION_NAME are placeholders for your own values.
const pubsub = require('@google-cloud/pubsub')({ projectId: PROJECT_ID })
const topic = pubsub.topic(TOPIC_NAME)
const subscription = topic.subscription(SUBSCRIPTION_NAME)

// get() looks up the existing subscription instead of creating one, which is
// what topic.subscribe() would attempt to do.
subscription.get((err, subscription) => {
  if (err) throw err
  // topic.subscribe() handlers go here
  // opts that you might have set as part of the subscribe() call
  // need to be set directly on the subscription in this scheme
  // subscription.autoAck = true
})
```
Confirming that if I create an IAM service account with the
This issue doesn't seem to be specific to Node; I've got the problem as well with Go...
I also found this thread via hitting the same problem using the Go SDK - this misleading role seems to be a common point of confusion. |
I am having the same issue. It seems that the editor role does not work to create topics or subscriptions in golang. Also, one of the errors was saying that another service account, that's the one I am using, did not have permission, which confused the hell out of me.
You need to distinguish between using an existing subscription ( For the latter case, the problematic permission (not role) is To work around this issue, just create a custom role. Put the
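The distinction above (looking up an existing subscription rather than auto-creating one, the same idea as the earlier `subscription.get()` pattern) as an added example written against the thread's callback-style Node API; it is not code from the thread or from the client library. The injected client object, the placeholder topic and subscription names, and the use of gRPC status code 7 as the `err.code` for PERMISSION_DENIED are my assumptions.

```javascript
// Added example (not from the thread): consume an existing subscription without
// ever calling topic.subscribe(), which would try to create it. The client is
// passed in so the wrapper can be exercised with a stand-in; a real caller would
// pass require('@google-cloud/pubsub')({ projectId }) as in the thread.
const GRPC_PERMISSION_DENIED = 7; // assumption: gRPC status surfaced as err.code

// Turn a bare PERMISSION_DENIED into an error that names what to check: the
// IAM binding on the subscription the account reads from, and whether the
// role really covers the lookup, not only consuming (the thread's custom-role
// workaround exists because the standard role may not).
function explainPermissionError(err, subscriptionName) {
  if (!err || err.code !== GRPC_PERMISSION_DENIED) return err;
  const wrapped = new Error(
    `PERMISSION_DENIED looking up subscription "${subscriptionName}": ` +
    `check the service account's IAM binding on the subscription itself ` +
    `and whether the role grants the permission this lookup needs. ` +
    `Original message: ${err.message}`);
  wrapped.code = err.code;
  wrapped.cause = err;
  return wrapped;
}

// Look up the existing subscription and start consuming from it.
// done(err, subscription) is called exactly once.
function attachToExistingSubscription(pubsub, topicName, subscriptionName, onMessage, done) {
  const subscription = pubsub.topic(topicName).subscription(subscriptionName);
  // get() only reads the subscription's metadata; it never creates one.
  subscription.get((err, sub) => {
    if (err) return done(explainPermissionError(err, subscriptionName));
    sub.on('message', onMessage);
    done(null, sub);
  });
}
```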
I am facing the same issue. I am not creating a new subscriber, rather listening to an existing subscriber that I created on the GCP console. Only service accounts with Pub/Sub Admin privileges are able to subscribe, all others are getting a "User not authorized to perform this action."
SDK used: NodeJs
It only worked with Pub/Sub Admin. @thedmi Are you sure it worked for you?
Why is this issue closed? I am hitting the same exact problem. I am trying to attach to an existing subscription and getting I use GO sdk, but that seems to not matter, as this seems to be a problem in Google's Pub/Sub IAM. |
For me it turned out I had to assign ALL pubsub roles to the ServiceAccount to have it publish/subscribe messages. Literally just assign all the 6 or 7
I realize that this is closed but leaving this here anyway for anyone else who finds it. Sorry the test code is in Go but it should be easy enough to translate to Node or just test using the CLI.

Bug Report

NOTE: Not really sure if this is a "bug" as it seems to be working the way it was designed but it's very unclear on how to use the standard roles provided to subscribe and consume messages from a topic.

NOTE: All roles were granted to the service account from the subscription, not from the project.

When creating service accounts to use our Pub/Sub topics I gave the accounts that only need to read from topics the The least permissive standard role that works is The least permissive set of permissions to achieve the goal of reading from a topic, processing and acking can be accomplished with the following custom role:

Repro Steps

Expected
A message is received

Actual
An error is received:

Minimum Perms Needed to Subscribe
After some testing, I determined this is the minimum set of permissions needed to subscribe and process messages. Code used for testing provided below.

Test Code
Pushing data via CLI:
I faced the same problem when subscribing to an existing subscription. I received PermissionDenied with Pub/Sub Subscriber, but OK with Pub/Sub Editor. Have no idea why :|
Same issue in python. I had to create a separate PubSub API key and export its location to environment variables for it to function.
Add a configuration property that will skip attempting to create the pubsub subscription. For #13 Note the default subscriber role still will not work, minimal permissions can be granted as described here googleapis/google-cloud-node#1502 (comment).
@Conky5 sorry, is it fixed? Same problem here with Node @google-cloud/pubsub 0.22.2
@bgbraga if you're asking if my pull request fixed the underlying google pubsub iam subscription issue, no, that change was for a different purpose...
@Conky5 : Is this fixed in the latest version?
If I create an IAM service account with the View and Subscribe roles, I am unable to subscribe to an existing topic in pub/sub. It seems I must use an admin role. Some clarification on the roles required to do various things would be nice. I'm not sure if the issue is being caused by the node client or if I am actually missing roles that are needed.

Environment details

Steps to reproduce

If I create a service account that has an admin pub/sub role, I can connect to the service as expected.