
I have a Node.js service running in GCP VM, running as a service account. Now I want to subscribe to a Pub/Sub topic. The Service account and the VM belong to Project A, the topic belongs to Project B.

I'm always getting `Error: 7 PERMISSION_DENIED: User not authorized to perform this action.`

What I have tried:

  • Adding `https://www.googleapis.com/auth/pubsub` to the scopes when creating the template of the VM. Seeing now `Cloud Pub/Sub: Enabled` in the API and identity management section of the instance. So, that seems to have worked.

  • Giving the service account the `roles/pubsub.subscriber` role via the command `gcloud projects add-iam-policy-binding my-project --member="serviceAccount:my-sa@my-project.iam.gserviceaccount.com" --role='roles/pubsub.subscriber'`

  • Giving the service account the "Pub/Sub subscriber" role in Project B:

[screenshot not available]

  • Giving the service account access to the topic itself:

[screenshot not available]

But still, the error is the same.

(Side note: If a GCP manager reads this: The GCP logs don't show any details. That's not helpful in this case. If you need four permissions to run something then I expect the logs to be like "You need 4 permissions, your user has permission A, C, D, but lacking B" and not just `User not authorized to perform this action`.)

cis
  • Does this [thread 1](https://stackoverflow.com/questions/37623509/) and [thread 2](https://stackoverflow.com/questions/48463869/) solve your issue? – kiran mathew Mar 10 '23 at 13:17

2 Answers


Can you try my-project-b with a service account from my-project-a -

slightly modified your code:

```
gcloud projects add-iam-policy-binding my-project-b --member="serviceAccount:my-sa@my-project-a.iam.gserviceaccount.com" --role='roles/pubsub.subscriber'
```

and so on...

al-dann
  • Didn't work for me. And I think that it should be the same as `Giving the service account the "Pub/Sub subscriber" role in Project B` via the GUI (as mentioned above). What would be the difference? The reason why I've run this as a command is that I haven't found such a thing in the GUI for the project A (which is the one owning the service account). – cis Mar 09 '23 at 12:06
  • well... it always worked for me. However, I've never tried such things through UI; tried only command line or terraform. – al-dann Mar 09 '23 at 12:17

What's your error? Is the error from "trying to create a subscription", or "trying to connect to a subscription and consume message"?

The former needs more permissions than Subscriber: projects.subscriptions.create

Subscriber can only consume messages, but not create a new subscription: https://cloud.google.com/pubsub/docs/access-control#pubsub.subscriber

Ben Hu
  • As you can read in my question, the action I'm trying to do is `Now I want to subscribe to a Pub/Sub topic`. Nothing about creating it. Furthermore, I'm aware of the `roles/pubsub.subscriber` and I've tried to use that one. – cis Jun 27 '23 at 00:29
  • Have you already created a subscription to the topic? Your question wasn't clear what your business logic in the code is. – Ben Hu Jun 27 '23 at 01:03
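Both answers hinge on the same two questions: are the bindings on the Project B resources (al-dann), and does the code consume from an existing subscription or create one (Ben Hu)? The following added example, not code from the question or either answer, uses the Pub/Sub client's `testPermissions` call so the service account can report which required permission is missing on which resource instead of a bare `PERMISSION_DENIED`. It assumes `@google-cloud/pubsub` is installed, that Application Default Credentials resolve to the VM's service account, and placeholder project, topic and subscription names.

```javascript
// Permissions each action needs, grouped by the resource they are checked on.
// Consuming only needs `consume` on the subscription; creating a subscription
// also needs `attachSubscription` on the topic (Project B) and
// `subscriptions.create` in the project that will own the subscription.
const REQUIRED = {
  consume: { subscription: ['pubsub.subscriptions.consume'] },
  createSubscription: {
    topic: ['pubsub.topics.attachSubscription'],
    subscriptionProject: ['pubsub.subscriptions.create'],
  },
};

// `granted` is the object testPermissions returns: permission name -> true when held.
function missingPermissions(required, granted) {
  return required.filter((p) => !granted[p]);
}

// Turn per-resource testPermissions results into a report for one action.
// Resources absent from `results` were not checked and are reported as such,
// never silently treated as granted.
function diagnose(action, results) {
  const report = [];
  for (const [resource, perms] of Object.entries(REQUIRED[action])) {
    if (!(resource in results)) {
      report.push(`${resource}: not checked (${perms.join(', ')})`);
      continue;
    }
    const missing = missingPermissions(perms, results[resource]);
    if (missing.length) report.push(`${resource}: missing ${missing.join(', ')}`);
  }
  return report; // empty array: every checked permission is held
}

// Live check against GCP (placeholder names). The project-level
// `pubsub.subscriptions.create` test goes through Resource Manager, not the
// Pub/Sub client, so it is left unchecked here.
async function checkLive() {
  const { PubSub } = require('@google-cloud/pubsub');
  const pubsub = new PubSub({ projectId: 'project-a' }); // SA's project
  const topic = pubsub.topic('projects/project-b/topics/my-topic');
  const sub = topic.subscription('projects/project-b/subscriptions/my-sub');
  const [topicPerms] = await topic.iam.testPermissions(REQUIRED.createSubscription.topic);
  const [subPerms] = await sub.iam.testPermissions(REQUIRED.consume.subscription);
  console.log('consume:', diagnose('consume', { subscription: subPerms }));
  console.log('create:', diagnose('createSubscription', { topic: topicPerms }));
}

// Only hit the API when explicitly asked, so the helpers stay usable offline.
if (process.env.PUBSUB_PERMISSION_CHECK === '1') checkLive().catch(console.error);
if (typeof module !== 'undefined') module.exports = { REQUIRED, missingPermissions, diagnose };
```

Run it on the VM with `PUBSUB_PERMISSION_CHECK=1 node check.js`; an empty `consume` report with a `create` report listing `pubsub.topics.attachSubscription` is the signature of a service account that can read an existing subscription but cannot create one on the Project B topic.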