Fix GCP Pub/Sub Iam Sub Errors
When working with GCP Pub/Sub, you may encounter an IAM configuration error that prevents your data pipeline or messaging system from working. This guide explains the most common subscription IAM mistake and shows the exact fix.
A Common Mistake
Granting a user the roles/pubsub.subscriber role on a subscription without the roles/pubsub.viewer role, which prevents them from reading messages via the gcloud CLI.
The incorrect command:
gcloud pubsub subscriptions add-iam-policy-binding my-sub --member=user:dev@example.com --role=roles/pubsub.subscriber
Output of that command (the binding itself succeeds, so nothing looks wrong yet):
Subscription IAM updated.
The user then tries to pull messages:
gcloud pubsub subscriptions pull my-sub
ERROR: User does not have permission to access resource my-sub (or one of its children): Required 'pubsub.subscriptions.consume' permission. You also need pubsub.subscriptions.get for pull operations via CLI.
The Correct Approach
The right way to configure subscription IAM for CLI access in GCP Pub/Sub (bind both roles to the same member):
gcloud pubsub subscriptions add-iam-policy-binding my-sub --member=user:dev@example.com --role=roles/pubsub.subscriber && gcloud pubsub subscriptions add-iam-policy-binding my-sub --member=user:dev@example.com --role=roles/pubsub.viewer
Successful result:
Subscription IAM updated with both roles.
gcloud pubsub subscriptions pull my-sub
Received 10 messages.
The roles/pubsub.subscriber role grants pubsub.subscriptions.consume, which allows message consumption. The roles/pubsub.viewer role grants pubsub.subscriptions.get, which the CLI needs to describe the subscription before it can pull from it.
How to Prevent This
Both roles/pubsub.subscriber and roles/pubsub.viewer are needed for CLI access; application code that only pulls messages needs roles/pubsub.subscriber alone.
Review the bindings on a subscription with gcloud pubsub subscriptions get-iam-policy my-sub before and after changing them.
Use dedicated service accounts for applications rather than personal user accounts, and grant the roles on the subscription itself rather than project-wide.
Audit subscriber access regularly so that members who no longer need to consume messages are removed.
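The "review the bindings" and "audit subscriber access" steps above can be automated by reading the JSON that gcloud pubsub subscriptions get-iam-policy my-sub --format=json returns and checking which members hold the permissions each access path needs. The script below is an added example, not code from this page or from Google; the ROLE_PERMISSIONS mapping is a partial, assumed expansion of the two predefined roles (the authoritative list comes from gcloud iam roles describe <role>), the sample policy is constructed for the example, and the function names and the example-project identifiers are hypothetical.

```python
"""Audit a Pub/Sub subscription IAM policy for CLI-pull and app-pull access.

Added example. Reads a policy in the shape of
`gcloud pubsub subscriptions get-iam-policy my-sub --format=json` and reports,
per member, which required permissions are missing.
"""
import json

# Partial role -> permission mapping. This is an ASSUMPTION for illustration
# (only the permissions relevant here are listed); the authoritative list for
# any role comes from `gcloud iam roles describe <role>`.
ROLE_PERMISSIONS = {
    "roles/pubsub.subscriber": {
        "pubsub.subscriptions.consume",
        "pubsub.snapshots.seek",
        "pubsub.topics.attachSubscription",
    },
    "roles/pubsub.viewer": {
        "pubsub.subscriptions.get",
        "pubsub.subscriptions.list",
        "pubsub.topics.get",
        "pubsub.topics.list",
    },
}

# Permissions each access path needs, as described in the guide above.
CLI_PULL_PERMISSIONS = {"pubsub.subscriptions.consume", "pubsub.subscriptions.get"}
APP_PULL_PERMISSIONS = {"pubsub.subscriptions.consume"}

# Constructed sample policy (not real output). dev@ has only the subscriber
# role, ops@ has both, the pipeline service account has subscriber only (fine
# for application code), and contractor@ holds a custom role this example
# cannot expand.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"members": ["user:dev@example.com",
                 "serviceAccount:pipeline@example-project.iam.gserviceaccount.com"],
     "role": "roles/pubsub.subscriber"},
    {"members": ["user:ops@example.com"], "role": "roles/pubsub.subscriber"},
    {"members": ["user:ops@example.com"], "role": "roles/pubsub.viewer"},
    {"members": ["user:contractor@example.com"],
     "role": "projects/example-project/roles/customPull"}
  ],
  "etag": "BwXyZ-example=",
  "version": 1
}
"""


def load_policy(policy_json):
    """Parse the JSON text that gcloud prints with --format=json."""
    return json.loads(policy_json)


def bindings_for(policy, member):
    """Return (unconditional_roles, conditional_roles) bound to `member`.

    A binding that carries an IAM condition is kept separate: whether it
    applies cannot be decided offline, so it must not count as a grant."""
    roles, conditional = [], []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        (conditional if binding.get("condition") else roles).append(binding["role"])
    return roles, conditional


def permissions_for(policy, member):
    """Return (known_permissions, unknown_roles) for `member`.

    Roles missing from ROLE_PERMISSIONS (custom roles, roles not listed here)
    are reported rather than silently ignored."""
    roles, _ = bindings_for(policy, member)
    perms, unknown = set(), []
    for role in roles:
        if role in ROLE_PERMISSIONS:
            perms |= ROLE_PERMISSIONS[role]
        else:
            unknown.append(role)
    return perms, unknown


def missing_permissions(policy, member, required):
    """Sorted list of required permissions the member does not provably hold."""
    perms, _ = permissions_for(policy, member)
    return sorted(required - perms)


def audit_cli_access(policy):
    """Per member: CLI-pull permissions missing, roles that could not be
    expanded, and roles that only apply under an IAM condition. An entry with
    empty 'missing' and empty 'unknown_roles' can run `gcloud pubsub
    subscriptions pull` without the error shown in the guide."""
    members = sorted({m for b in policy.get("bindings", []) for m in b.get("members", [])})
    report = {}
    for member in members:
        perms, unknown = permissions_for(policy, member)
        _, conditional = bindings_for(policy, member)
        report[member] = {
            "missing": sorted(CLI_PULL_PERMISSIONS - perms),
            "unknown_roles": unknown,
            "conditional_roles": conditional,
        }
    return report


if __name__ == "__main__":
    for member, result in audit_cli_access(load_policy(SAMPLE_POLICY_JSON)).items():
        print(member, result)
```

To run this against a real subscription, replace SAMPLE_POLICY_JSON with the text printed by gcloud pubsub subscriptions get-iam-policy my-sub --format=json. For application service accounts, check against APP_PULL_PERMISSIONS instead, so that the audit does not push you toward granting the viewer role where only the subscriber role is needed.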
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Secure your cloud with DodaTech.