IAM

class

IAM (Identity and Access Management) allows you to set permissions on invidual resources and offers a wider range of roles: editor, owner, publisher, subscriber, and viewer. This gives you greater flexibility and allows you to set more fine-grained access control.

For example:

  • Grant access on a per-topic or per-subscription basis, rather than for the whole Cloud project.
  • Grant access with limited capabilities, such as to only publish messages to a topic, or to only to consume messages from a subscription, but not to delete the topic or subscription.

The IAM access control features described in this document are Beta, including the API methods to get and set IAM policies, and to test IAM permissions. Cloud Pub/Sub's use of IAM features is not covered by any SLA or deprecation policy, and may be subject to backward-incompatible changes.

Constructor

IAM

new IAM(pubsub, id)

Parameter

pubsub

PubSub

PubSub Object.

id

string

The name of the topic or subscription.
See also

Access Control Overview

What is Cloud IAM?

Example 

const {PubSub} = require('@google-cloud/pubsub');
const pubsub = new PubSub();

const topic = pubsub.topic('my-topic');
// topic.iam

const subscription = pubsub.subscription('my-subscription');
// subscription.iam

Methods

getPolicy

getPolicy(gaxOptions, callback) returns Promise containing GetPolicyResponse

Get the IAM policy

Parameter

gaxOptions

Optional

object

Request configuration options, outlined here: https://googleapis.github.io/gax-nodejs/CallSettings.html.

callback

Optional

GetPolicyCallback

Callback function.
See also

Topics: getIamPolicy API Documentation

Subscriptions: getIamPolicy API Documentation

Returns

Promise containing GetPolicyResponse 

Example 

const {PubSub} = require('@google-cloud/pubsub');
const pubsub = new PubSub();

const topic = pubsub.topic('my-topic');
const subscription = topic.subscription('my-subscription');

topic.iam.getPolicy(function(err, policy, apiResponse) {});

subscription.iam.getPolicy(function(err, policy, apiResponse) {});

//-
// If the callback is omitted, we'll return a Promise.
//-
topic.iam.getPolicy().then(function(data) {
  const policy = data[0];
  const apiResponse = data[1];
});

setPolicy

setPolicy(policy, gaxOptions, callback) returns Promise containing SetPolicyResponse

Set the IAM policy

Parameter

policy

object

The policy.

Values in policy have the following properties:

Parameter

bindings

Optional

array

Bindings associate members with roles.

rules

Optional

Array of object

Rules to be applied to the policy.

etag

Optional

string

Etags are used to perform a read-modify-write.

gaxOptions

Optional

object

Request configuration options, outlined here: https://googleapis.github.io/gax-nodejs/CallSettings.html.

callback

SetPolicyCallback

Callback function.
See also

Topics: setIamPolicy API Documentation

Subscriptions: setIamPolicy API Documentation

Policy

Throws

Error 

If no policy is provided.

Returns

Promise containing SetPolicyResponse 

Example 

const {PubSub} = require('@google-cloud/pubsub');
const pubsub = new PubSub();

const topic = pubsub.topic('my-topic');
const subscription = topic.subscription('my-subscription');

const myPolicy = {
  bindings: [
    {
      role: 'roles/pubsub.subscriber',
      members:
['serviceAccount:myotherproject@appspot.gserviceaccount.com']
    }
  ]
};

topic.iam.setPolicy(myPolicy, function(err, policy, apiResponse) {});

subscription.iam.setPolicy(myPolicy, function(err, policy, apiResponse)
{});

//-
// If the callback is omitted, we'll return a Promise.
//-
topic.iam.setPolicy(myPolicy).then(function(data) {
  const policy = data[0];
  const apiResponse = data[1];
});

testPermissions

testPermissions(permissions, gaxOptions, callback) returns Promise containing TestIamPermissionsResponse

Test a set of permissions for a resource.

Permissions with wildcards such as or storage. are not allowed.

Parameter

permissions

(string or Array of string)

The permission(s) to test for.

gaxOptions

Optional

object

Request configuration options, outlined here: https://googleapis.github.io/gax-nodejs/CallSettings.html.

callback

Optional

TestIamPermissionsCallback

Callback function.
See also

Topics: testIamPermissions API Documentation

Subscriptions: testIamPermissions API Documentation

Permissions Reference

Throws

Error 

If permissions are not provided.

Returns

Promise containing TestIamPermissionsResponse 

Example 

const {PubSub} = require('@google-cloud/pubsub');
const pubsub = new PubSub();

const topic = pubsub.topic('my-topic');
const subscription = topic.subscription('my-subscription');

//-
// Test a single permission.
//-
const test = 'pubsub.topics.update';

topic.iam.testPermissions(test, function(err, permissions, apiResponse) {
  console.log(permissions);
  // {
  //   "pubsub.topics.update": true
  // }
});

//-
// Test several permissions at once.
//-
const tests = [
  'pubsub.subscriptions.consume',
  'pubsub.subscriptions.update'
];

subscription.iam.testPermissions(tests, function(err, permissions) {
  console.log(permissions);
  // {
  //   "pubsub.subscriptions.consume": true,
  //   "pubsub.subscriptions.update": false
  // }
});

//-
// If the callback is omitted, we'll return a Promise.
//-
topic.iam.testPermissions(test).then(function(data) {
  const permissions = data[0];
  const apiResponse = data[1];
});