I want to achieve that an extra created service account can only subscribe to a certain Pub/Sub subscription.
And also, when one uses this service account for listing all subscriptions, it should see only the "dedicated" subscription.
I've created a permission on the subscription which, to test, has the Pub/Sub Admin role.
Then I check the listing with
from google.oauth2 import service_account
from google.cloud import pubsub_v1

project_id = "project101"

# Authenticate as the dedicated service account rather than the default credentials
credentials = service_account.Credentials.from_service_account_file(
    './myServiceAccount.json')

# list_subscriptions is a project-level call, so the parent is the project resource
project_path = f"projects/{project_id}"

with pubsub_v1.SubscriberClient(credentials=credentials) as subscriber:
    for subscription in subscriber.list_subscriptions(
        request={"project": project_path}
    ):
        print(subscription.name)
but it results in a 403.
As you can see, I need this for Splunk, but I don't want to open up too much.
Listing Pub/Sub subscriptions requires the permission projects.subscriptions.list.
That permission must be granted at the Project level or a higher resource. The principal with that permission will be able to list all subscriptions. You cannot limit them to a select few.
You can review the available permissions and where they can be applied here:
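The practical consequence of the answer above is that the consumer should not depend on listing at all: a subscription-scoped grant of roles/pubsub.subscriber is enough to pull from one named subscription, while list_subscriptions on the project keeps returning 403. The following is an added example and not code from the question or the answer. It assumes placeholder names (project "project101", subscription "splunk-sub", key file "./myServiceAccount.json") and that the binding has already been set on the subscription resource, for instance with `gcloud pubsub subscriptions add-iam-policy-binding splunk-sub --member=serviceAccount:SA_EMAIL --role=roles/pubsub.subscriber`. It verifies the held permissions with testIamPermissions before pulling, so a missing grant fails loudly instead of as an opaque 403.

```python
"""Least-privilege Pub/Sub consumer: pull from one named subscription
without the project-wide list permission.

Added example, not from the original question or answer. The project,
subscription and key-file names below are placeholders.
"""

PROJECT_ID = "project101"            # placeholder
SUBSCRIPTION_ID = "splunk-sub"       # placeholder
KEY_FILE = "./myServiceAccount.json"  # placeholder

# Permissions the consumer actually needs on the subscription resource.
# pubsub.subscriptions.list is deliberately absent: it is only grantable at
# project level and would expose the names of every subscription.
CONSUMER_PERMISSIONS = ("pubsub.subscriptions.consume", "pubsub.subscriptions.get")


def subscription_path(project_id: str, subscription_id: str) -> str:
    """Full resource name; the client pulls by name, so no listing is required."""
    return f"projects/{project_id}/subscriptions/{subscription_id}"


def subscription_binding(sa_email: str) -> dict:
    """IAM binding to attach to the subscription (not the project)."""
    return {"role": "roles/pubsub.subscriber",
            "members": [f"serviceAccount:{sa_email}"]}


def missing_permissions(granted, required=CONSUMER_PERMISSIONS):
    """Required permissions that testIamPermissions did not echo back."""
    held = set(granted)
    return [p for p in required if p not in held]


def check_and_pull(max_messages: int = 10) -> int:
    """Verify the subscription-level grant, then pull and ack up to max_messages."""
    # Imported here so the pure helpers above can be exercised without the SDK.
    from google.oauth2 import service_account
    from google.cloud import pubsub_v1

    creds = service_account.Credentials.from_service_account_file(KEY_FILE)
    path = subscription_path(PROJECT_ID, SUBSCRIPTION_ID)
    with pubsub_v1.SubscriberClient(credentials=creds) as subscriber:
        # testIamPermissions returns the subset of the requested permissions
        # the caller holds on this resource; it needs no permission itself.
        held = subscriber.test_iam_permissions(
            request={"resource": path, "permissions": list(CONSUMER_PERMISSIONS)}
        ).permissions
        missing = missing_permissions(held)
        if missing:
            raise PermissionError(f"{path} is missing {missing}")

        # Synchronous pull by name works with a subscription-level grant even
        # though list_subscriptions on the project returns 403.
        response = subscriber.pull(
            request={"subscription": path, "max_messages": max_messages})
        ack_ids = [m.ack_id for m in response.received_messages]
        for received in response.received_messages:
            print(received.message.data.decode("utf-8", errors="replace"))
        if ack_ids:
            subscriber.acknowledge(request={"subscription": path, "ack_ids": ack_ids})
        return len(ack_ids)


if __name__ == "__main__":
    print(f"pulled {check_and_pull()} messages")
```

If the consumer (here, the Splunk input) can be configured with the explicit subscription name rather than discovering it by listing, the project-level list permission is never needed, and the service account's blast radius stays confined to the one subscription it is bound to.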