How do I set up cross-project Pub/Sub topic access using IAM policies?

In this guide, we will set up cross-project access to Google Cloud Pub/Sub topics using IAM policies. This involves creating a Pub/Sub topic in one project and granting access to a service account from another project.

Steps:

  1. Create a Pub/Sub topic in the publisher project.
  2. Create a service account in the subscriber project.
  3. Grant the service account permission to access the Pub/Sub topic.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Define the projects
const publisherProject = "publisher-project-id";
const subscriberProject = "subscriber-project-id";

// Create a Pub/Sub topic in the publisher project
const topic = new gcp.pubsub.Topic("my-topic", {
    name: "my-topic",
    project: publisherProject,
});

// Create a service account in the subscriber project
const subscriberServiceAccount = new gcp.serviceaccount.Account("subscriber-service-account", {
    accountId: "subscriber-service-account",
    displayName: "Subscriber Service Account",
    project: subscriberProject,
});

// Grant the service account access to the Pub/Sub topic
const topicIamMember = new gcp.pubsub.TopicIAMMember("topic-iam-member", {
    topic: topic.name,
    role: "roles/pubsub.subscriber",
    member: pulumi.interpolate`serviceAccount:${subscriberServiceAccount.email}`,
    project: publisherProject,
});

// Export the topic name and service account email
export const topicName = topic.name;
export const serviceAccountEmail = subscriberServiceAccount.email;

Key Points:

  • Pub/Sub Topic: Created in the publisher project to serve as the message broker.
  • Service Account: Created in the subscriber project; it is the identity that is granted access.
  • IAM Policy: Grants the service account the roles/pubsub.subscriber role on the Pub/Sub topic itself (not on the whole publisher project), enabling cross-project access.
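
To check what a topic's IAM policy actually grants across projects, the policy can be audited. The following is an added example, not part of the original Pulumi program: it takes a policy object in the shape returned by `gcloud pubsub topics get-iam-policy --format=json` and flags public principals, service accounts from projects outside an allowlist, and roles other than the expected one. The function name, types, and sample policy are constructed for illustration.

```typescript
// Added example (not from the original page): audit a Pub/Sub topic IAM policy.
type Binding = { role: string; members: string[] };
type Policy = { bindings?: Binding[] };
type Finding = { role: string; member: string; reason: string };

const PUBLIC_MEMBERS = ["allUsers", "allAuthenticatedUsers"];
// User-managed service accounts look like NAME@PROJECT_ID.iam.gserviceaccount.com
const SA_PATTERN = /^serviceAccount:[^@]+@([^@]+)\.iam\.gserviceaccount\.com$/;

function auditTopicPolicy(policy: Policy, allowedProjects: string[], allowedRoles: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const binding of policy.bindings ?? []) {
    const role = binding.role;
    for (const member of binding.members) {
      if (PUBLIC_MEMBERS.indexOf(member) !== -1) {
        findings.push({ role, member, reason: "public principal" });
        continue;
      }
      const match = SA_PATTERN.exec(member);
      if (match === null) {
        // Users, groups, domains and Google-managed accounts are not classified here.
        findings.push({ role, member, reason: "not a user-managed service account, review manually" });
        continue;
      }
      const project = match[1] ?? "";
      if (allowedProjects.indexOf(project) === -1) {
        findings.push({ role, member, reason: "service account from unapproved project" });
      }
      if (allowedRoles.indexOf(role) === -1) {
        findings.push({ role, member, reason: "role outside the expected set" });
      }
    }
  }
  return findings;
}

// Constructed sample policy: the first binding mirrors the grant made by the program above.
const SAMPLE_POLICY: Policy = {
  bindings: [
    { role: "roles/pubsub.subscriber",
      members: ["serviceAccount:subscriber-service-account@subscriber-project-id.iam.gserviceaccount.com"] },
    { role: "roles/pubsub.publisher", members: ["allAuthenticatedUsers"] },
    { role: "roles/pubsub.admin",
      members: ["serviceAccount:ci@other-project-id.iam.gserviceaccount.com"] },
  ],
};
// Three findings: one public principal, plus unapproved project and unexpected role for ci@.
const SAMPLE_FINDINGS = auditTopicPolicy(SAMPLE_POLICY, ["subscriber-project-id"], ["roles/pubsub.subscriber"]);
```
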

Summary

We successfully set up cross-project access to a Google Cloud Pub/Sub topic using IAM policies. This involved creating a Pub/Sub topic in one project, a service account in another project, and granting the necessary permissions to enable cross-project communication.
