pubsub/WARN/2024_001

Pub/Sub Service Account has the Publisher and Subscriber Permissions if DLQ Subscription(s) exist.

Product: Cloud Pub/Sub
Rule class: WARN - Something that is possibly wrong

Description

To forward undeliverable messages to a dead-letter topic, Pub/Sub must have the ‘roles/pubsub.subscriber’ and ‘roles/pubsub.publisher’ permissions enabled on the automatically created Pub/Sub service account.

Remediation

In Pub/Sub, access control can be configured at the project level and at the individual resource level. Pub/Sub creates and maintains a service account for each project: service-{project-number}@gcp-sa-pubsub.iam.gserviceaccount.com. You can grant forwarding permissions by assigning publisher and subscriber roles to this service account.

Project Level: Access control with IAM
Individual resource level: Grant IAM roles to use dead-letter topics to the service account.

pubsub/WARN/2024_001

Description

Remediation

Further information