Pub/Sub: IAM Permissions Required to Subscribe Unclear

[MarkHerhold]

If I create an IAM service account with the View and Subscribe roles, I am unable to subscribe to an existing topic in pub/sub. It seems I must use an admin role. Some clarification on the roles required to do various things would be nice. I'm not sure if the issue is being cause by the node client or if I am actually missing roles that are needed.

Environment details

• OS: Mac OSX
• Node.js version: v6.3.0
• npm version: 3.10.3
• @google-cloud/pubsub version: 0.1.1

Steps to reproduce

const pubsub = require('@google-cloud/pubsub');

const JOB_QUEUE = 'new_job';

const pubsubClient = pubsub({
    projectId: 'myproject-goes-here',
    keyFilename: '/Users/Mark/creds.json'
});

const newJobTopic = pubsubClient.topic(JOB_QUEUE);

newJobTopic.subscribe(JOB_QUEUE, {
    reuseExisting: true
}, function(err, subscription) {
    console.error(err); // Error: User not authorized to perform this action.
});

If I create a service account that has an admin pub/sub role, I can connect to the service as expected.

[stephenplusplus]

@tmatsuo any insight?

[MarkHerhold]

Hi @stephenplusplus @tmatsuo

Sorry to bother you guys again, but I would really like to know the answer to this. If I need to have admin privileges to publish to a topic then I need to reconsider my application design or find a new pub/sub provider. Thanks!

[jgeewax]

If I need to have admin privileges to publish to a topic then I need to reconsider my application design

Did you mean subscribe to a topic?

If I need to have admin privileges to subscribe to a topic then I need to reconsider my application design

You shouldn't need admin rights to publish to a topic... If you do, that's just broken. Can you confirm if that's happening? You should be required to have write privileges on the topic in order to publish, but I don't think that's the issue you're seeing.

I suspect that the issue here is that "subscribing" here (with auto-create) is actually "creating a subscription", which the "Pub/Sub Subscriber" role should allow you to do, but doesn't appear to do... (https://cloud.google.com/pubsub/access_control#tbl_roles)

Can you test adding the pubsub.subscriptions.create permission on the project for your service account? If that works, then we know the fix, and I can go to the Pub/Sub team and we can figure out what the right way to solve this is...

If that does work, I'd guess that the right fix is to allow "subscribers" to create subscriptions, as well as update and delete subscriptions they've created.

[MarkHerhold]

@jgeewax My apologies for the typo. I did mean to say subscribe, as that is what is in my code sample. I can try your suggestions and get back to you later today. Thanks!

[stephenplusplus]

@MarkHerhold how did it go?

[MarkHerhold]

Sorry for the delay. I chose to pursue a solution that doesn't involve the use of GCP's Pub/Sub. I will still try to answer to your question though.

Can you test adding the pubsub.subscriptions.create permission on the project for your service account?

Where can I do this? I don't see anything in the console that corresponds to what you are asking me to do. Is there a gcloud command that you have in mind?

Here are the current set of permissions that I have on the service account:

[stephenplusplus]

According to this table, pubsub.subscriptions.create is a permission under the Editor role. So from the drop down, there should be a Pub/Sub Editor role which would include that permission. Hopefully that helps, thanks for trying this stuff out!

[embatbr]

I have the same issue. I have two service accounts: one for publishing and other for subscribing. The 1st is OK and I can publish to a topic. The second always returns me { [Error: User not authorized to perform this action.] code: 403, metadata: Metadata { _internal_repr: {} } }.

The same happens with the editor role.

I really don't know what's happening, since I did it equal to the 1st one.

publisher: https://github.com/embatbr/livermore-collectors
subscriber: https://github.com/embatbr/livermore-ingestors

[embatbr]

@stephenplusplus

[embatbr]

I tried with PubSub Admin role. There was some errors due to node version (4 instead of 6). I updated and it was running. However, the PubSub Subscriber role still has authentication problems.

[bkoski]

This isn't immediately clear from most examples, but the topic.subscribe() call attempts to create a new subscription each time it runs (see discussion here: #1257).

Here's a pattern that worked for me based on this comment after adding "Pub/Sub Viewer" and "Pub/Sub Subscriber" IAM permissions directly on the subscription (no project-wide permissions necessary):

const pubsub = require('@google-cloud/pubsub')({ projectId: PROJECT_ID }) 
const topic = pubsub.topic(TOPIC_NAME)
const subscription = topic.subscription(SUBSCRIPTION_NAME)

subscription.get((err, subscription) => {
   // topic.subscribe() handlers go here

   // opts that you might have set as part of the subscribe() call
   // need to be set directly on the subscription in this scheme
   // subscription.autoAck = true
})