What is the role required to add an IAM policy binding to a Google Pub/Sub topic?

I'm trying to follow these instructions, https://cloud.google.com/pubsub/docs/dead-letter-topics#assigning_the_publisher_role , to grant Pub/Sub permission to publish messages to a dead-letter queue, but I'm encountering a PERMISSION_DENIED error:

gcloud pubsub topics add-iam-policy-binding my-dead-letter-topic --member="serviceAccount:$PUBSUB_SERVICE_ACCOUNT" --role="roles/pubsub.publisher"
ERROR: (gcloud.pubsub.topics.add-iam-policy-binding) PERMISSION_DENIED: User not authorized to perform this action.

Helpfully, the Google Cloud console shows that I need the pubsub.topics.setIamPolicy permission:

My question is: how would I go about acquiring that permission? Would I have to be a project IAM admin (cf. You need permissions for this action. Required permission(s): resourcemanager.projects.setIamPolicy )?

Yes, exactly. You'll need to be assigned one of the roles that contains the resourcemanager.projects.setIamPolicy permission. As you pointed out, the answer to You need permissions for this action. Required permission(s): resourcemanager.projects.setIamPolicy outlines the different role options.

Project IAM Admin is recommended because it's the most specific role you can be granted to be able to set the IAM policy.
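To see which roles carry the permission named in the answer and whether a given account already holds one, the following added example (not part of the original question or answer) checks a project IAM policy against role definitions. The member addresses, the condition, and the abbreviated permission lists are constructed sample data, and the function names are hypothetical.

```python
import json

NEEDED = "resourcemanager.projects.setIamPolicy"  # permission named in the answer

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
POLICY = json.loads("""
{"bindings": [
  {"role": "roles/pubsub.editor", "members": ["user:dev@example.com"]},
  {"role": "roles/resourcemanager.projectIamAdmin",
   "members": ["user:admin@example.com"]},
  {"role": "roles/resourcemanager.projectIamAdmin",
   "members": ["user:dev@example.com"],
   "condition": {"title": "break-glass",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
  {"role": "roles/owner", "members": ["user:root@example.com"]}
]}
""")

# Constructed and heavily abbreviated role definitions, shaped like
# `gcloud iam roles describe ROLE --format=json`; load the real output in practice.
ROLES = {
    "roles/owner": {"includedPermissions": [
        "pubsub.topics.get", "pubsub.topics.publish", "resourcemanager.projects.get",
        "resourcemanager.projects.getIamPolicy", NEEDED]},
    "roles/resourcemanager.projectIamAdmin": {"includedPermissions": [
        "resourcemanager.projects.get", "resourcemanager.projects.getIamPolicy", NEEDED]},
    "roles/pubsub.editor": {"includedPermissions": [
        "pubsub.topics.get", "pubsub.topics.publish"]},
}

def roles_granting(permission, roles):
    """Names of roles containing `permission`, fewest total permissions first."""
    hits = [(len(d["includedPermissions"]), name)
            for name, d in roles.items() if permission in d["includedPermissions"]]
    return [name for _, name in sorted(hits)]

def member_grants(member, permission, policy, roles):
    """(role, condition title or None) for each direct binding that gives
    `member` the permission. Group membership and policies inherited from
    folders or the organization are not resolved here."""
    found = []
    for b in policy.get("bindings", []):
        perms = roles.get(b["role"], {}).get("includedPermissions", [])
        if member in b.get("members", []) and permission in perms:
            found.append((b["role"], b.get("condition", {}).get("title")))
    return found

if __name__ == "__main__":
    print("narrowest first:", roles_granting(NEEDED, ROLES))
    print("dev:", member_grants("user:dev@example.com", NEEDED, POLICY, ROLES))
```

A binding reported with a condition title only applies while that condition evaluates to true, so it should not be counted as a standing grant.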