I have a Pubsub topic say top1 in proj1 with a subscription that already exists, and its fully qualified name is proj1/subscriptions/sub1
I have a service account in a different project proj2 and this account is called sa2. sa2 was granted the following permissions:
roles/pubsub.editor
roles/pubsub.publisher
roles/pubsub.subscriber
I went ahead and created a new subscription on top1 in proj1 using the CLI and creds of sa2, and let us call it proj2/subscriptions/sub2.
Everything works fine when I try to use the Java SDK and consume from proj2/subscriptions/sub2, as top1 in proj1 has this new subscription that I created.
However, in the long run I do not want to create a subscription. I want to use an existing subscription in the other project, i.e. proj1/subscriptions/sub1, with sa2. But when I try that with the above permissions granted, I am getting a permission denied.
Pasting just a small part of the trace:
com.google.api.gax.rpc.PermissionDeniedException:
com.google.api.gax.rpc.PermissionDeniedException:
io.grpc.StatusRuntimeException:
PERMISSION_DENIED: User not authorized to perform this action.
gcloud commands did you use and what was the output? The benefit of Stack Overflow is not only in answering the question for you but for others and, without detail, it fails the second test.
sub2, the command created the correct IAM bindings on proj1 for you and you will need to replicate these for sa2. Essentially, the resources are in proj1 and so granting sa2 permissions in proj2 is incorrect. You want to grant sa2 permissions in proj1 (where the resources live). You can try `gcloud projects get-iam-policy proj1` and same-same for proj2 and ensure that sa2 has the correct subset of permissions as sa1.
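As an added illustration of the comment's point (my own helper, not code from the question or from Google's SDK), the script below takes the JSON that `gcloud projects get-iam-policy` and `gcloud pubsub subscriptions get-iam-policy` print for proj1, merges the project- and subscription-level bindings that actually apply to sub1, and reports whether sa2 can consume; the sa2 e-mail address and the sample policies are constructed assumptions.

```python
import json

# Constructed stand-ins for `gcloud ... get-iam-policy ... --format=json` output.
# The sa2 e-mail is an assumption; a real one ends in @proj2.iam.gserviceaccount.com.
SA2 = "serviceAccount:sa2@proj2.iam.gserviceaccount.com"

# gcloud projects get-iam-policy proj1 --format=json  (sa2 is absent here:
# the grants made in proj2 never show up in proj1's policy)
PROJ1_POLICY = json.dumps({"bindings": [
    {"role": "roles/pubsub.editor", "members": ["user:owner@example.com"]}]})

# gcloud pubsub subscriptions get-iam-policy sub1 --project=proj1 --format=json
# after binding sa2 on the subscription resource itself.
SUB1_POLICY = json.dumps({"bindings": [
    {"role": "roles/pubsub.subscriber", "members": [SA2]}]})

# Predefined Pub/Sub roles that carry pubsub.subscriptions.consume
# (basic roles such as roles/editor are omitted for brevity).
CONSUME_ROLES = {"roles/pubsub.subscriber", "roles/pubsub.editor", "roles/pubsub.admin"}


def roles_for_member(member, *policy_jsons):
    """Union of roles a member holds across the given policies; bindings on the
    project are inherited by every subscription inside that project."""
    roles = set()
    for policy_json in policy_jsons:
        for binding in json.loads(policy_json).get("bindings", []):
            if member in binding.get("members", []):
                roles.add(binding["role"])
    return roles


def can_consume(member, *policy_jsons):
    """True if the member can pull messages from the subscription."""
    return bool(CONSUME_ROLES & roles_for_member(member, *policy_jsons))


def grant_command(subscription, project, member):
    """Least-privilege fix: bind the subscriber role on the subscription in the
    project where it lives (proj1), not on the caller's own project (proj2)."""
    return (f"gcloud pubsub subscriptions add-iam-policy-binding {subscription} "
            f"--project={project} --member={member} --role=roles/pubsub.subscriber")


if __name__ == "__main__":
    if can_consume(SA2, PROJ1_POLICY, SUB1_POLICY):
        print("sa2 can consume proj1/subscriptions/sub1")
    else:
        print("missing binding; run:\n" + grant_command("sub1", "proj1", SA2))
```

Drop SUB1_POLICY from the call to see the PERMISSION_DENIED situation from the question reproduced: with only proj2-side grants, proj1's policies contain no binding for sa2 at all.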