
Guide: GCP Cross project access to PubSub

nicolasances edited this page Mar 9, 2020 · 3 revisions

This guide explains how to set up cross-project access to Pub/Sub.

Let's consider two users with two different Gmail accounts.

User 1: pippo, pippo@gmail.com
He wants to publish messages to the topic pluto-topic, which is owned by pluto

User 2: pluto, pluto@gmail.com
He owns pluto-topic

The steps are the following:

  • Creation of a Service Account for pippo
  • Authorization of that Service Account on pluto's project to publish to pluto-topic

Pippo's Service Account

In the first step, pippo's services need a Service Account.
That is done in pippo's GCP console, under his own project.

Note that the Service Account's JSON key file references pippo's project and won't contain any information about pluto's project or topic.

Authorizing pippo's SA to pluto's topic

In pluto's GCP console and project, create a new IAM identity with pippo's SA and authorize it to publish messages on pluto's topics.

You can do that by giving the Service Account the role "Pub/Sub Admin".
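To check what the authorization step actually granted, the following added example (not part of the original guide) audits a topic IAM policy in the JSON shape returned by `gcloud pubsub topics get-iam-policy pluto-topic --format=json`. It lists service accounts from other projects and marks any role broader than `roles/pubsub.publisher`, the predefined role that covers publishing only. The project IDs `pippo-project` and `pluto-project` and the account names are hypothetical.

```python
import json

# Predefined Pub/Sub roles that allow more than publishing to the topic.
BROAD_ROLES = {"roles/pubsub.admin", "roles/pubsub.editor"}
PUBLISH_ONLY = "roles/pubsub.publisher"
SA_SUFFIX = ".iam.gserviceaccount.com"


def sa_project(member):
    """Return the project ID in a service account member's email, else None."""
    kind, _, email = member.partition(":")
    if kind != "serviceAccount" or not email.endswith(SA_SUFFIX):
        return None
    return email[: -len(SA_SUFFIX)].rpartition("@")[2]


def audit_topic_policy(policy, owner_project):
    """List (member, role, verdict) for service accounts from other projects."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            project = sa_project(member)
            if project is None or project == owner_project:
                continue  # not a cross-project service account
            if role == PUBLISH_ONLY:
                verdict = "ok: publish only"
            elif role in BROAD_ROLES:
                verdict = "too broad: can also change or delete the topic"
            else:
                verdict = "review: not needed for publishing"
            findings.append((member, role, verdict))
    return findings


# Constructed sample policy for pluto-topic; project IDs and account names are hypothetical.
SAMPLE_POLICY = json.loads("""
{"version": 1, "bindings": [
  {"role": "roles/pubsub.admin",
   "members": ["serviceAccount:pippo-publisher@pippo-project.iam.gserviceaccount.com"]},
  {"role": "roles/pubsub.publisher",
   "members": ["serviceAccount:pippo-batch@pippo-project.iam.gserviceaccount.com",
               "serviceAccount:local-svc@pluto-project.iam.gserviceaccount.com"]},
  {"role": "roles/pubsub.viewer", "members": ["user:pluto@gmail.com"]}
]}
""")

if __name__ == "__main__":
    for member, role, verdict in audit_topic_policy(SAMPLE_POLICY, "pluto-project"):
        print(f"{verdict:50} {role:24} {member}")
```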

Activate pippo's Pub/Sub APIs

The most important step: you need to activate the Pub/Sub API on pippo's project.

This is because pippo's service, even if it wants to post to pluto's topic, needs to do so through his own project and that project's Pub/Sub APIs!