This document describes the access control options for Pub/Sub Lite. Pub/Sub Lite uses Identity and Access Management for access control.
To give a user or application access to Pub/Sub Lite resources, grant at least one predefined or custom role to the user or the service account that the application uses. The roles include permissions to perform specific actions on Pub/Sub Lite resources.
Predefined roles
The following table lists the predefined roles that give you access to Pub/Sub Lite resources:
Role | Title | Description | Permissions | |
---|---|---|---|---|
roles/ |
Pub/Sub Lite Admin | Full access to Lite topics and Lite subscriptions. |
pubsublite.*
|
|
roles/ |
Pub/Sub Lite Editor | Modify Lite topics and Lite subscriptions, publish message to Lite topics, and receive messages from Lite subscriptions. |
pubsublite.*
|
|
roles/ |
Pub/Sub Lite Publisher | Publish messages to Lite topics. |
pubsublite.topics.getPartitions pubsublite.topics.publish pubsublite.locations.openKafkaStream |
|
roles/ |
Pub/Sub Lite Subscriber | Receive messages from Lite subscriptions. |
|
|
roles/ |
Pub/Sub Lite Viewer | View Lite topics and Lite subscriptions. |
|
Custom roles
Custom roles can include any permissions that you specify. You can create custom roles that include permissions to perform specific administrative operations, like updating Lite topics or deleting Lite subscriptions. To create custom roles, see Creating and managing custom roles.
The following table lists examples of custom roles:
Description | Permissions |
---|---|
Create and manage Lite reservations. |
|
Create and manage Lite topics. |
|
Create and manage Lite subscriptions. |
|
Create Lite topics and Lite subscriptions. |
|
Modify Lite topics and Lite subscriptions. |
|
Delete Lite topics and Lite subscriptions. |
|
Granting roles
You can grant roles to access Pub/Sub Lite resources at the project level. For example, you can give a service account access to view any Lite topic in a project, but you can't give a service account access to view a single Lite topic.
To grant a role on a project, you can use the Google Cloud console or the Google Cloud CLI.
Console
To grant a role to a user, service account, or other member, follow these steps:
- In the Google Cloud console, go to the IAM page.
Click Add.
Enter the email address of a user, service account, or other member.
Select a role.
Click Save.
gcloud
To grant a role to a user, service account, or other member, run the
gcloud projects
add-iam-policy-binding
command:
gcloud projects add-iam-policy-binding PROJECT_ID \ --member=MEMBER \ --role=ROLE_ID
Replace the following:
- MEMBER: an identifier for the
member, like
serviceAccount:[email protected]
- ROLE_ID: the name of the predefined or custom role
You can also get a JSON or YAML file with the current IAM policy, add multiple roles or members to the file, and then update the policy. To read and manage the policy, use the Google Cloud CLI, the IAM API, or the IAM. For details, see Controlling access programmatically.
What's next
- Get an overview of IAM.
- Refer to the authentication methods that Pub/Sub Lite supports.
- Learn more about managing access to resources.