pubsub/WARN/2024_002

Pub/Sub service account has GCS permissions if GCS subscription(s) exist.

Product: Cloud Pub/Sub
Rule class: WARN - Something that is possibly wrong

Description

For GCS subscriptions to deliver messages successfully, the Pub/Sub service account should have the appropriate permissions at the project or bucket level.

Remediation

Grant the roles/storage.admin role to the Pub/Sub Service Account to give it GCS Storage Admin permissions. Alternatively, grant the Pub/Sub Service Account the roles/storage.objectCreator and roles/storage.legacyBucketReader roles.
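The check behind this rule, as an added example (not gcpdiag's own rule code): given project and bucket IAM policies in the JSON form returned by a get-iam-policy call, it decides whether the Pub/Sub service account holds either role set named above and reports what the narrower set still lacks. The project number, sample policies and function names are constructed for illustration, and skipping conditional bindings is an assumption of this example.

```python
# Role sets taken from the remediation text: either one is sufficient.
ROLE_SETS = (
    frozenset({"roles/storage.admin"}),
    frozenset({"roles/storage.objectCreator", "roles/storage.legacyBucketReader"}),
)


def pubsub_member(project_number):
    """IAM member string of the Google-managed Pub/Sub service account."""
    return f"serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"


def granted_roles(member, *policies):
    """Union of roles bound to member across the given IAM policy dicts."""
    roles = set()
    for policy in policies:
        for binding in policy.get("bindings", []):
            # Assumption: conditional bindings are skipped because the
            # condition cannot be evaluated offline.
            if "condition" in binding:
                continue
            if member in binding.get("members", []):
                roles.add(binding["role"])
    return roles


def check_gcs_subscription_access(project_number, project_policy, bucket_policy):
    """Return (ok, missing): missing lists roles absent from the narrower set."""
    granted = granted_roles(pubsub_member(project_number), project_policy, bucket_policy)
    if any(required <= granted for required in ROLE_SETS):
        return True, []
    return False, sorted(ROLE_SETS[1] - granted)


# Constructed sample policies (project number and members are made up).
PROJECT_NUMBER = "123456789012"
SA = pubsub_member(PROJECT_NUMBER)
PROJECT_POLICY = {"bindings": [{"role": "roles/viewer", "members": ["user:dev@example.com"]}]}
BUCKET_PARTIAL = {"bindings": [{"role": "roles/storage.objectCreator", "members": [SA]}]}
BUCKET_COMPLETE = {"bindings": BUCKET_PARTIAL["bindings"] + [
    {"role": "roles/storage.legacyBucketReader", "members": [SA]}]}

if __name__ == "__main__":
    print(check_gcs_subscription_access(PROJECT_NUMBER, PROJECT_POLICY, BUCKET_PARTIAL))
    print(check_gcs_subscription_access(PROJECT_NUMBER, PROJECT_POLICY, BUCKET_COMPLETE))
```

Granting the two-role set on the destination bucket alone satisfies the check without giving the service account Storage Admin across the project.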

Further information

The full list of permissions available in these roles can be found at the GCS Permissions Doc.