Pub/Sub authentication

This topic describes authentication information for Pub/Sub.

Supported authentication methods

Pub/Sub supports the following authentication methods.

Service accounts

Service accounts are recommended for almost all use cases, whether you are developing locally or in a production application. For an example of how to set up authentication with a service account, see Pub/Sub client libraries.

For more information about setting up authentication with a production application, see Setting up authentication for server to server production applications.

User accounts

You can authenticate users directly to your application, when the application needs to access resources on behalf of an end user. For most use cases, we recommend using a service account instead.

Examples of why to use user accounts with Pub/Sub include:

  • Administrative actions

Note that identity information is captured in audit logs.

If your application uses end user authentication, you need to specify OAuth scopes when making a method call. For more information about the OAuth scopes that you need in order to call a method, see the relevant method in the Pub/Sub reference.

For more information about setting up authentication with user accounts, see Authenticating as an end user.

Access control

When an application calls a Google Cloud API, IAM checks that the caller has an identity with the permissions required to use the resource.

For example, user and service accounts are identities. To make permissions available to a user or service account, grant it at least one IAM role. A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources.

For more information about the roles for Pub/Sub, see Pub/Sub access control.
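
The following is an added example, not part of the Pub/Sub documentation: a small Python check that reads an IAM policy in its JSON bindings form and reports which kinds of identity hold Pub/Sub roles. The sample policy, the project and account names, and the review rule (publisher and subscriber roles are expected on service accounts, and public principals are always reported) are assumptions made for illustration.

```python
import json

# Constructed sample, shaped like the JSON IAM policy of a Pub/Sub topic.
# Project, account and member names are made up for illustration.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/pubsub.publisher",
     "members": ["serviceAccount:ingest@example-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/pubsub.admin",
     "members": ["user:bob@example.com"]},
    {"role": "roles/pubsub.subscriber",
     "members": ["allAuthenticatedUsers"]}
  ]
}
""")

# Assumed review rule: these roles move message data, so expect service accounts.
DATA_ROLES = {"roles/pubsub.publisher", "roles/pubsub.subscriber"}
PUBLIC = {"allUsers", "allAuthenticatedUsers"}


def member_kind(member):
    """Return the identity type of an IAM member string, e.g. 'user'."""
    if member in PUBLIC:
        return "public"
    kind, sep, _ = member.partition(":")
    return kind if sep else "unknown"


def review_policy(policy):
    """Return sorted (severity, role, member) findings for one IAM policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            kind = member_kind(member)
            if kind == "public":
                findings.append(("high", role, member))
            elif kind == "user" and role in DATA_ROLES:
                findings.append(("review", role, member))
    return sorted(findings)


if __name__ == "__main__":
    for severity, role, member in review_policy(SAMPLE_POLICY):
        print(f"{severity:6} {role:26} {member}")
```

The user holding `roles/pubsub.admin` is not reported, which matches the administrative use of user accounts described above.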
