I'm following this tutorial from Codelabs (https://cloud.google.com/channel/docs/codelabs/pubsub).
According to the tutorial, I should create a topic using the Reseller console as a Super Admin with the following endpoint: https://cloudchannel.googleapis.com/v1/{account=accounts/*}:register. However, the tutorial suggests creating a subscription to this topic using a service account via the gcloud CLI with the following command:
gcloud pubsub subscriptions create channel-pubsub-test \
--topic=$TOPIC \
--push-endpoint=$PUSH_ENDPOINT
I have verified that my service account has the "Owner", "Logging Admin", and "Pubsub Editor" (just to test if it was something with roles permissions) roles. Also, using the gcloud auth list I am verifying to be using the service account from previous steps command:
gcloud iam service-accounts keys create sa-keys.json \
--iam-account=$SERVICE_ACCOUNT
gcloud auth activate-service-account --key-file=sa-keys.json
Despite this, when I execute the subscription creation command, I receive the following error: User not authorized to perform this action.
Here are the steps I've taken to troubleshoot so far:
- Checked IAM policy bindings for the service account and ensured it's properly bound at the project level.
- Explicitly specified the project and account in the gcloud command.
- Checked organization policies for any restrictions.
- Reviewed GCP documentation and community forums for similar issues.
I suspect the issue might be related to the discrepancy in permissions between the Super Admin (used to create the topic) and the service account (used to create the subscription).
Is there a way to resolve this permissions issue to successfully create a subscription with the service account as instructed in the tutorial? Any insights or alternative approaches would be greatly appreciated.