feat: Grant pull subscription permissions for external service account #68

askoriy commented Apr 6, 2021

It is useful to grant permissions for the service account that will subscribe to that pull_subscription just after creating it.
Especially if granting access to the service account from another project.

Also, as Kafka-connect needs the additional roles/pubsub.viewer role for subscribing to the topic, a service_account_viewer_role switch is provided.

comment-bot-dev commented Apr 6, 2021

Thanks for the PR! 🚀
✅ Lint checks have passed.

morgante commented Apr 6, 2021

I'm not sure we want to include this in the module directly.

askoriy commented Apr 6, 2021

Yes, it's really not useful for granting permissions inside one project or administration domain.
However, this is the most obvious way to grant permissions for external subscribers because both the subscription and IAM are configured and managed in one place. At least we need it.

README.md Outdated
filter = "attributes.domain = \"com\"" // optional
enable_message_ordering = true // optional
service_account = "service2@project2.iam.gserviceaccount.com" // optional
service_account_viewer_role = true // optional
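
Review bot: the `service_account_viewer_role = true // optional` line in this README example does not say which role the switch grants, and the `service_account` line does not say what access the account receives. The PR description states the switch adds roles/pubsub.viewer for Kafka-connect and that the account may belong to another project, so the inline comments could spell that out (for example "// optional, also grants roles/pubsub.viewer") so that a reader copying the example knows they are granting access across a project boundary.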

Could we simply always set this? I'm not sure we need the flexibility.

@morgante morgante merged commit 6cd0fc4 into terraform-google-modules:master Apr 7, 2021