How do I set up cross-project Pub/Sub topic access using IAM policies?
In this guide, we will set up cross-project access to Google Cloud Pub/Sub topics using IAM policies. This involves creating a Pub/Sub topic in one project and granting access to a service account from another project.
Steps:
- Create a Pub/Sub topic in the publisher project.
- Create a service account in the subscriber project.
- Grant the service account permission to access the Pub/Sub topic.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Define the projects
const publisherProject = "publisher-project-id";
const subscriberProject = "subscriber-project-id";

// Create a Pub/Sub topic in the publisher project
const topic = new gcp.pubsub.Topic("my-topic", {
    name: "my-topic",
    project: publisherProject,
});

// Create a service account in the subscriber project
const subscriberServiceAccount = new gcp.serviceaccount.Account("subscriber-service-account", {
    accountId: "subscriber-service-account",
    displayName: "Subscriber Service Account",
    project: subscriberProject,
});

// Grant the service account access to the Pub/Sub topic
const topicIamMember = new gcp.pubsub.TopicIAMMember("topic-iam-member", {
    topic: topic.name,
    role: "roles/pubsub.subscriber",
    member: pulumi.interpolate`serviceAccount:${subscriberServiceAccount.email}`,
    project: publisherProject,
});

// Export the topic name and service account email
export const topicName = topic.name;
export const serviceAccountEmail = subscriberServiceAccount.email;
```
Key Points:
- Pub/Sub Topic: Created in the publisher project to serve as the message broker.
- Service Account: Created in the subscriber project to handle access permissions.
- IAM Policy: Grants the service account the `roles/pubsub.subscriber` role on the Pub/Sub topic, enabling cross-project access.
Summary
We successfully set up cross-project access to a Google Cloud Pub/Sub topic using IAM policies. This involved creating a Pub/Sub topic in one project, a service account in another project, and granting the necessary permissions to enable cross-project communication.
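Once the binding is deployed, the topic's IAM policy is the thing to review for drift. The following is an added example, not part of the original guide or of Pulumi's code: it checks a topic policy for principals outside the expected projects, unexpected roles, and public members. The function name `auditTopicPolicy`, the allow-lists, and the sample policy are assumptions constructed for illustration.

```typescript
// Policy shape follows the JSON from `gcloud pubsub topics get-iam-policy TOPIC --format=json`.
interface Binding { role: string; members: string[] }
interface Policy { bindings?: Binding[] }
interface Finding { role: string; member: string; reason: string }

// User-managed service accounts look like NAME@PROJECT_ID.iam.gserviceaccount.com.
const SA_RE = /^serviceAccount:[^@]+@([a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$/;

function auditTopicPolicy(
  policy: Policy,
  allowedProjects: string[], // projects whose service accounts may hold a binding
  allowedRoles: string[],    // roles expected on this topic
): Finding[] {
  const findings: Finding[] = [];
  for (const b of policy.bindings ?? []) {
    for (const member of b.members) {
      if (member === "allUsers" || member === "allAuthenticatedUsers") {
        findings.push({ role: b.role, member, reason: "public principal" });
        continue;
      }
      if (!allowedRoles.includes(b.role)) {
        findings.push({ role: b.role, member, reason: "role not in allow-list" });
        continue;
      }
      const m = SA_RE.exec(member);
      if (!m) {
        findings.push({ role: b.role, member, reason: "not a user-managed service account" });
      } else if (!allowedProjects.includes(m[1])) {
        findings.push({ role: b.role, member, reason: `service account from unexpected project ${m[1]}` });
      }
    }
  }
  return findings;
}

// Constructed sample policy using the guide's placeholder project IDs.
const samplePolicy: Policy = {
  bindings: [
    { role: "roles/pubsub.subscriber", members: [
      "serviceAccount:subscriber-service-account@subscriber-project-id.iam.gserviceaccount.com",
      "serviceAccount:worker@other-project-id.iam.gserviceaccount.com",
      "allAuthenticatedUsers",
    ]},
    { role: "roles/pubsub.admin", members: ["user:dev@example.com"] },
  ],
};

const sampleFindings = auditTopicPolicy(
  samplePolicy, ["publisher-project-id", "subscriber-project-id"], ["roles/pubsub.subscriber"]);
```

On the sample policy this returns three findings: the service account from `other-project-id`, the `allAuthenticatedUsers` member, and the `roles/pubsub.admin` binding.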