How Do I Set Up Cross-Project Pub/Sub Topic Access Using IAM Policies?
Introduction
Cross-project access in Google Cloud allows resources and services from different projects to interact securely and efficiently. In this guide, we will demonstrate how to set up cross-project access to Google Cloud Pub/Sub topics using IAM policies. This setup is essential for scenarios where different teams or departments manage separate projects but need to share data through Pub/Sub messaging.
Steps
Step 1: Create a Pub/Sub Topic in the Publisher Project
Begin by creating a Pub/Sub topic in the project designated as the publisher. This topic will act as the message broker, where messages are published for subscribers to receive.
Step 2: Create a Service Account in the Subscriber Project
Next, create a service account in the subscriber project. This account will be used to authenticate and authorize access to the Pub/Sub topic created in the publisher project.
Step 3: Grant the Service Account Permission to Access the Pub/Sub Topic
Finally, assign the necessary IAM role to the service account to allow it to access the Pub/Sub topic. Specifically, grant the roles/pubsub.subscriber role, which permits the service account to subscribe to the topic and receive messages.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Define the projects
const publisherProject = "publisher-project-id";
const subscriberProject = "subscriber-project-id";

// Create a Pub/Sub topic in the publisher project
const topic = new gcp.pubsub.Topic("my-topic", {
    name: "my-topic",
    project: publisherProject,
});

// Create a service account in the subscriber project
const subscriberServiceAccount = new gcp.serviceaccount.Account("subscriber-service-account", {
    accountId: "subscriber-service-account",
    displayName: "Subscriber Service Account",
    project: subscriberProject,
});

// Grant the service account access to the Pub/Sub topic.
// The binding is attached to the topic itself (scoped to this one resource, not
// the whole publisher project), and the member is the cross-project account's
// email in the "serviceAccount:<email>" principal format IAM expects.
const topicIamMember = new gcp.pubsub.TopicIAMMember("topic-iam-member", {
    topic: topic.name,
    role: "roles/pubsub.subscriber",
    member: pulumi.interpolate`serviceAccount:${subscriberServiceAccount.email}`,
    project: publisherProject,
});

// Export the topic name and service account email
export const topicName = topic.name;
export const serviceAccountEmail = subscriberServiceAccount.email;
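After the program is deployed, a practitioner will want to confirm that the topic's IAM policy contains exactly the intended binding and nothing broader. The following is an added example, not part of the original Pulumi program: it audits a policy in the JSON shape printed by `gcloud pubsub topics get-iam-policy`, checks that the subscriber service account (email assumed from the page's project and account ids) holds only roles/pubsub.subscriber, and flags public principals and mutating roles; the sample policy is constructed.

```typescript
// Added example (not from the original Pulumi program): audit the topic's IAM policy,
// using the JSON shape of `gcloud pubsub topics get-iam-policy my-topic --format=json`.
interface Binding { role: string; members: string[]; }
interface IamPolicy { bindings?: Binding[]; etag?: string; }
interface Finding { severity: "ok" | "warn" | "error"; message: string; }

// Email of the service account from Step 2 (project id assumed from the page).
const EXPECTED_MEMBER =
  "serviceAccount:subscriber-service-account@subscriber-project-id.iam.gserviceaccount.com";
const EXPECTED_ROLE = "roles/pubsub.subscriber";
// Roles that allow changing or deleting the topic rather than just receiving from it.
const MUTATING_ROLES = new Set(["roles/pubsub.admin", "roles/pubsub.editor", "roles/owner", "roles/editor"]);
function auditTopicPolicy(policy: IamPolicy, expectedMember: string = EXPECTED_MEMBER): Finding[] {
  const findings: Finding[] = [];
  let hasExpected = false;
  for (const binding of policy.bindings ?? []) {
    for (const member of binding.members) {
      // Public principals would expose the topic far beyond the two projects.
      if (member === "allUsers" || member === "allAuthenticatedUsers") {
        findings.push({ severity: "error", message: `${binding.role} is granted to ${member}` });
      }
      if (member !== expectedMember) continue;
      if (binding.role === EXPECTED_ROLE) {
        hasExpected = true;
      } else {
        // The cross-project account needs only the subscriber role on the topic.
        findings.push({
          severity: MUTATING_ROLES.has(binding.role) ? "error" : "warn",
          message: `${member} holds ${binding.role}; only ${EXPECTED_ROLE} is required`,
        });
      }
    }
  }
  findings.push(hasExpected
    ? { severity: "ok", message: `${expectedMember} has ${EXPECTED_ROLE}` }
    : { severity: "error", message: `${expectedMember} is missing ${EXPECTED_ROLE}` });
  return findings;
}

// Constructed sample policy: the intended binding plus two drifts an audit should catch.
const SAMPLE_POLICY: IamPolicy = {
  etag: "constructed-etag",
  bindings: [
    { role: "roles/pubsub.subscriber", members: [EXPECTED_MEMBER] },
    { role: "roles/pubsub.editor", members: [EXPECTED_MEMBER] },
    { role: "roles/pubsub.viewer", members: ["allAuthenticatedUsers"] },
  ],
};
for (const f of auditTopicPolicy(SAMPLE_POLICY)) console.log(`[${f.severity}] ${f.message}`);
```

Note that the topic-level binding lets the account attach a subscription to the publisher's topic; the subscription itself lives in the subscriber project, and pulling messages from it requires roles/pubsub.subscriber on that subscription as well.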
Key Points
- Pub/Sub Topic: Created in the publisher project to serve as the message broker.
- Service Account: Created in the subscriber project to handle access permissions.
- IAM Policy: Grants the service account roles/pubsub.subscriber permission on the Pub/Sub topic, enabling cross-project access.
Conclusion
In this guide, we successfully established cross-project access to a Google Cloud Pub/Sub topic using IAM policies. By creating a Pub/Sub topic in one project, a service account in another, and assigning the appropriate permissions, we enabled secure and efficient cross-project communication. This setup is crucial for integrating services and applications across different Google Cloud projects.