This document describes the access control options for Pub/Sub Lite. Pub/Sub Lite uses Identity and Access Management for access control.
To give a user or application access to Pub/Sub Lite resources, grant at least one predefined or custom role to the user or the service account that the application uses. The roles include permissions to perform specific actions on Pub/Sub Lite resources.
The following table lists the predefined roles that give you access to Pub/Sub Lite resources:
||Pub/Sub Lite Admin (Beta)||Full access to Lite topics and Lite subscriptions.||
||Pub/Sub Lite Editor (Beta)||Modify Lite topics and Lite subscriptions, publish messages to Lite topics, and receive messages from Lite subscriptions.||
||Pub/Sub Lite Publisher (Beta)||Publish messages to Lite topics.||
||Pub/Sub Lite Subscriber (Beta)||Receive messages from Lite subscriptions.||
||Pub/Sub Lite Viewer (Beta)||View Lite topics and Lite subscriptions.||
Custom roles can include any permissions that you specify. You can create custom roles that include permissions to perform specific administrative operations, like updating Lite topics or deleting Lite subscriptions. To create custom roles, see Creating and managing custom roles.
The following table lists examples of custom roles:
|Create and manage Lite topics.||
|Create and manage Lite subscriptions.||
|Create Lite topics and Lite subscriptions.||
|Modify Lite topics and Lite subscriptions.||
|Delete Lite topics and Lite subscriptions.||
You can grant roles to access Pub/Sub Lite resources at the project level. For example, you can give a service account access to view any Lite topic in a project, but you can't give a service account access to view a single Lite topic.
To grant a role on a project, you can use the Cloud Console or the gcloud command-line tool.
To grant a role to a user, service account, or other member, follow these steps:
In the Cloud Console, go to the IAM page.
Enter the email address of a user, service account, or other member.
Select a role.
To grant a role to a user, service account, or other member, run the gcloud projects add-iam-policy-binding command:
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=MEMBER \
        --role=ROLE_ID
Replace the following:
You can also get a JSON or YAML file with the current IAM policy, add multiple roles or members to the file, and then update the policy.
To read and manage the policy, use the gcloud command-line tool, the IAM API, or the IAM. For details, see Controlling access programmatically.
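The policy-file workflow described above, as an added example that is not part of the original page: a Python helper that merges several role grants into a policy saved with `gcloud projects get-iam-policy PROJECT_ID --format=json`, so the result can be written back with `gcloud projects set-iam-policy`. The function name `add_bindings`, the sample policy, its etag and the member addresses are constructed for illustration; the role IDs are those of the predefined Pub/Sub Lite roles.

```python
import copy
import json

# IDs of the predefined Pub/Sub Lite roles listed in the table above.
PUBSUBLITE_ROLES = {
    "roles/pubsublite.admin", "roles/pubsublite.editor",
    "roles/pubsublite.publisher", "roles/pubsublite.subscriber",
    "roles/pubsublite.viewer",
}
# Roles apply to the whole project, so a public member would expose every Lite resource.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def add_bindings(policy, grants):
    """Return a copy of `policy` with each (role, member) grant merged in."""
    updated = copy.deepcopy(policy)  # etag is kept so a concurrent change is detected on update
    bindings = updated.setdefault("bindings", [])
    for role, member in grants:
        if role not in PUBSUBLITE_ROLES:
            raise ValueError(f"not a predefined Pub/Sub Lite role: {role}")
        if member in PUBLIC_MEMBERS:
            raise ValueError(f"refusing project-wide grant to {member}")
        # Reuse only an unconditional binding for this role; conditional ones stay untouched.
        binding = next((b for b in bindings
                        if b["role"] == role and "condition" not in b), None)
        if binding is None:
            binding = {"role": role, "members": []}
            bindings.append(binding)
        if member not in binding["members"]:  # no duplicate members
            binding["members"].append(member)
    return updated


# Constructed sample of `gcloud projects get-iam-policy PROJECT_ID --format=json` output.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "CONSTRUCTED-ETAG",
    "bindings": [
        {"role": "roles/pubsublite.viewer", "members": ["user:auditor@example.com"]},
    ],
}
# Constructed grants: one role per workload, nothing broader than it needs.
SAMPLE_GRANTS = [
    ("roles/pubsublite.publisher", "serviceAccount:ingest@example-project.iam.gserviceaccount.com"),
    ("roles/pubsublite.subscriber", "serviceAccount:worker@example-project.iam.gserviceaccount.com"),
    ("roles/pubsublite.viewer", "user:auditor@example.com"),  # already present
]

if __name__ == "__main__":
    print(json.dumps(add_bindings(SAMPLE_POLICY, SAMPLE_GRANTS), indent=2))
```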