Access control

This document describes the access control options for Pub/Sub Lite. Pub/Sub Lite uses Identity and Access Management for access control.

To give a user or application access to Pub/Sub Lite resources, grant at least one predefined or custom role to the user or the service account that the application uses. The roles include permissions to perform specific actions on Pub/Sub Lite resources.

Predefined roles

The following table lists the predefined roles that give you access to Pub/Sub Lite resources:

Role: roles/pubsublite.admin
Title: Pub/Sub Lite Admin (Beta)
Description: Full access to Lite topics and Lite subscriptions.
Permissions: pubsublite.*

Role: roles/pubsublite.editor
Title: Pub/Sub Lite Editor (Beta)
Description: Modify Lite topics and Lite subscriptions, publish messages to Lite topics, and receive messages from Lite subscriptions.
Permissions: pubsublite.*

Role: roles/pubsublite.publisher
Title: Pub/Sub Lite Publisher (Beta)
Description: Publish messages to Lite topics.
Permissions: pubsublite.topics.publish

Role: roles/pubsublite.subscriber
Title: Pub/Sub Lite Subscriber (Beta)
Description: Receive messages from Lite subscriptions.
Permissions:
  • pubsublite.subscriptions.getCursor
  • pubsublite.subscriptions.setCursor
  • pubsublite.subscriptions.subscribe
  • pubsublite.topics.getPartitions
  • pubsublite.topics.subscribe

Role: roles/pubsublite.viewer
Title: Pub/Sub Lite Viewer (Beta)
Description: View Lite topics and Lite subscriptions.
Permissions:
  • pubsublite.subscriptions.get
  • pubsublite.subscriptions.getCursor
  • pubsublite.subscriptions.list
  • pubsublite.topics.get
  • pubsublite.topics.getPartitions
  • pubsublite.topics.list
  • pubsublite.topics.listSubscriptions

Custom roles

Custom roles can include any permissions that you specify. You can create custom roles that include permissions to perform specific administrative operations, like updating Lite topics or deleting Lite subscriptions. To create custom roles, see Creating and managing custom roles.

The following table lists examples of custom roles:

Description: Create and manage Lite topics.
Permissions:
  • pubsublite.topics.create
  • pubsublite.topics.update
  • pubsublite.topics.get
  • pubsublite.topics.getPartitions
  • pubsublite.topics.list
  • pubsublite.topics.listSubscriptions
  • pubsublite.topics.delete

Description: Create and manage Lite subscriptions.
Permissions:
  • pubsublite.subscriptions.create
  • pubsublite.topics.subscribe
  • pubsublite.subscriptions.update
  • pubsublite.subscriptions.get
  • pubsublite.subscriptions.list
  • pubsublite.subscriptions.delete

Description: Create Lite topics and Lite subscriptions.
Permissions:
  • pubsublite.topics.create
  • pubsublite.subscriptions.create
  • pubsublite.topics.subscribe

Description: Modify Lite topics and Lite subscriptions.
Permissions:
  • pubsublite.topics.update
  • pubsublite.subscriptions.update

Description: Delete Lite topics and Lite subscriptions.
Permissions:
  • pubsublite.topics.delete
  • pubsublite.subscriptions.delete

Granting roles

You can grant roles to access Pub/Sub Lite resources at the project level. For example, you can give a service account access to view any Lite topic in a project, but you can't give a service account access to view a single Lite topic.

To grant a role on a project, you can use the Cloud Console or the gcloud command-line tool.

Console

To grant a role to a user, service account, or other member, follow these steps:

  1. In the Cloud Console, go to the IAM page.

  2. Click Add.

  3. Enter the email address of a user, service account, or other member.

  4. Select a role.

  5. Click Save.

gcloud

To grant a role to a user, service account, or other member, run the gcloud projects add-iam-policy-binding command:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=MEMBER \
  --role=ROLE_ID

Replace the following:

  • PROJECT_ID: the ID of the project that contains the Pub/Sub Lite resources.
  • MEMBER: the member to grant the role to, for example user:EMAIL_ADDRESS or serviceAccount:EMAIL_ADDRESS.
  • ROLE_ID: the role to grant, for example roles/pubsublite.publisher.

You can also get a JSON or YAML file with the current IAM policy, add multiple roles or members to the file, and then update the policy. To read and manage the policy, use the gcloud command-line tool, the IAM API, or the IAM. For details, see Controlling access programmatically.
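Because Pub/Sub Lite roles can only be granted project-wide, a single over-broad binding reaches every Lite topic and subscription in the project. The following is an added example, not code from this page or from Google's tooling: it applies the predefined-role table above to a project policy in the JSON shape that gcloud projects get-iam-policy returns, reporting members that hold a wildcard (admin/editor) grant, members missing a permission their workload needs, and the narrowest predefined role that would fit. The member names and their required permissions are constructed.

```python
# Predefined Pub/Sub Lite roles -> permissions, from this page's table ("pubsublite.*" = wildcard).
PUBSUBLITE_ROLES = {
    "roles/pubsublite.admin": {"pubsublite.*"},
    "roles/pubsublite.editor": {"pubsublite.*"},
    "roles/pubsublite.publisher": {"pubsublite.topics.publish"},
    "roles/pubsublite.subscriber": {
        "pubsublite.subscriptions.getCursor", "pubsublite.subscriptions.setCursor",
        "pubsublite.subscriptions.subscribe", "pubsublite.topics.getPartitions",
        "pubsublite.topics.subscribe"},
    "roles/pubsublite.viewer": {
        "pubsublite.subscriptions.get", "pubsublite.subscriptions.getCursor",
        "pubsublite.subscriptions.list", "pubsublite.topics.get",
        "pubsublite.topics.getPartitions", "pubsublite.topics.list",
        "pubsublite.topics.listSubscriptions"},
}

def missing_perms(held: set, need: set) -> set:
    """Needed permissions that `held` does not grant (wildcard-aware)."""
    return set() if "pubsublite.*" in held else need - held

def smallest_predefined_role(need: set):
    """Narrowest non-wildcard predefined role covering `need`, or None when
    none does (then only admin/editor would, so a custom role is the fit)."""
    fits = [(len(p), r) for r, p in PUBSUBLITE_ROLES.items()
            if "pubsublite.*" not in p and not missing_perms(p, need)]
    return min(fits)[1] if need and fits else None

def audit_policy(policy: dict, required: dict) -> dict:
    """Audit a project IAM policy (shape of `gcloud projects get-iam-policy
    --format=json`) against `required`, a map of member -> permissions needed."""
    held = {}
    for b in policy.get("bindings", []):
        for m in (b["members"] if b["role"] in PUBSUBLITE_ROLES else []):
            held.setdefault(m, set()).update(PUBSUBLITE_ROLES[b["role"]])
    report = {}
    for m, p in held.items():
        need = required.get(m, set())
        report[m] = {"missing": missing_perms(p, need), "wildcard": "pubsublite.*" in p,
                     "suggested_role": smallest_predefined_role(need)}
    return report

# Constructed sample policy and per-workload needs (member names are made up).
INGEST = "serviceAccount:ingest@example-project.iam.gserviceaccount.com"
REPLAY = "serviceAccount:replay@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/pubsublite.editor", "members": [INGEST]},
    {"role": "roles/pubsublite.publisher", "members": [REPLAY]},
    {"role": "roles/viewer", "members": ["user:alice@example.com"]}]}
SAMPLE_REQUIRED = {INGEST: {"pubsublite.topics.publish"},
                   REPLAY: {"pubsublite.topics.publish", "pubsublite.subscriptions.subscribe"}}
```

In the sample, the ingest account holds the editor wildcard but only needs to publish, so the report suggests roles/pubsublite.publisher; the replay account needs both publish and subscribe, which no non-wildcard predefined role covers, so the suggestion is None and a custom role from the second table is the fit.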