Score:0

How to set up pubsub with a secure IAM policy?

Jon

I'm trying to set up a bunch of service accounts for another bunch of pubsub topics and subscriptions. What I'm trying to achieve is that each microservice should only be allowed to write to a specific subject, and/or subscribe to a specific subscription. I've currently got:

resource "google_service_account" "my_sa" {
  account_id   = "my-service-account"
  display_name = "A service account for ..."
}

resource "google_project_iam_member" "my_pubsub_iam" {
  project = var.project
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:${google_service_account.my_sa.email}"
}

Which sets up my_sa as a pubsub.publisher and should allow them to publish to any topic.

For subscribers I have:

# setup account like above but with subscriber
resource "google_pubsub_subscription" "crm_sub" {
  name  = "my-subscription"
  topic = var.topic
}

Setting things up like this would allow each server to subscribe to all subscriptions if they are subscribers, and to write to all topics if they are publishers, right?

I've seen the example at https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic_iam and tried to understand that and https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_policy but I'm struggling a bit.

Should I simply add

data "google_iam_policy" "admin" {
  binding {
    role    = "roles/editor"
    members = [
      # the email attribute lives on the service account resource,
      # not on the google_project_iam_member resource
      "serviceAccount:${google_service_account.my_sa.email}",
    ]
  }
}

# google_pubsub_topic.example is the topic declared elsewhere in the config
resource "google_pubsub_topic_iam_policy" "policy" {
  project     = google_pubsub_topic.example.project
  topic       = google_pubsub_topic.example.name
  policy_data = data.google_iam_policy.admin.policy_data
}

To each service?

I've split them up and some topics have multiple writers, so if the above is the solution, how to handle that? A new editor policy per service, or will that overwrite the policy for the topic?
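The following is an added example, not code from the question above, showing how the per-topic and per-subscription grants the question asks about look when expressed with the additive `google_pubsub_topic_iam_member` and `google_pubsub_subscription_iam_member` resources instead of a project-wide `google_project_iam_member` or an authoritative `google_pubsub_topic_iam_policy`. The topic name `orders`, the subscription name `orders-billing`, and the service names `checkout`, `returns` and `billing` are assumptions chosen for illustration; the `project` variable is the one already used in the question.

```hcl
# Added example (not from the question): least-privilege Pub/Sub IAM using
# additive, resource-level bindings. Topic, subscription and service names
# below are assumptions made for the illustration.

variable "project" {
  type = string
}

# One topic with two writers and one reader, the situation the question describes.
resource "google_pubsub_topic" "orders" {
  name = "orders"
}

resource "google_pubsub_subscription" "orders_billing" {
  name  = "orders-billing"
  topic = google_pubsub_topic.orders.name
}

# One service account per microservice (assumed names).
resource "google_service_account" "svc" {
  for_each     = toset(["checkout", "returns", "billing"])
  account_id   = "${each.key}-svc"
  display_name = "Service account for the ${each.key} service"
}

# Publisher rights are granted on this topic only, not at project level, so a
# compromised or misconfigured service cannot publish to any other topic.
# *_iam_member is additive: each instance adds one member to one role and leaves
# the rest of the topic's policy untouched, so several writers on the same topic
# do not overwrite each other.
resource "google_pubsub_topic_iam_member" "orders_publishers" {
  for_each = toset(["checkout", "returns"])
  project  = var.project
  topic    = google_pubsub_topic.orders.name
  role     = "roles/pubsub.publisher"
  member   = "serviceAccount:${google_service_account.svc[each.key].email}"
}

# Subscriber rights are granted on the single subscription the billing service
# consumes, rather than on every subscription in the project.
resource "google_pubsub_subscription_iam_member" "orders_billing_subscriber" {
  project      = var.project
  subscription = google_pubsub_subscription.orders_billing.name
  role         = "roles/pubsub.subscriber"
  member       = "serviceAccount:${google_service_account.svc["billing"].email}"
}
```

The three resource families differ in how much of the policy they own: `google_pubsub_topic_iam_policy` is authoritative for the whole topic and replaces every existing binding, so declaring one per service would indeed have the later one overwrite the earlier; `google_pubsub_topic_iam_binding` is authoritative for one role; `google_pubsub_topic_iam_member` is additive and is the natural fit when a topic has several writers managed in different places. After applying, the effective policy on the topic can be checked with `gcloud pubsub topics get-iam-policy orders --project <project>`, and the same check against `gcloud pubsub subscriptions get-iam-policy orders-billing` confirms that only the billing account holds `roles/pubsub.subscriber` there.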
