[IAM (Identity and Access Management)](https://cloud.google.com/pubsub/access_control) allows you to set permissions on individual resources and offers a wider range of roles: editor, owner, publisher, subscriber, and viewer. This gives you greater flexibility and allows you to set more fine-grained access control.
For example:

* Grant access on a per-topic or per-subscription basis, rather than for the whole Cloud project.
* Grant access with limited capabilities, such as to only publish messages to a topic, or to only consume messages from a subscription, but not to delete the topic or subscription.

*The IAM access control features described in this document are Beta, including the API methods to get and set IAM policies, and to test IAM permissions. Cloud Pub/Sub's use of IAM features is not covered by any SLA or deprecation policy, and may be subject to backward-incompatible changes.*
Package
@google-cloud/pubsub
Example
```javascript
const {PubSub} = require('@google-cloud/pubsub');
const pubsub = new PubSub();

const topic = pubsub.topic('my-topic');
// topic.iam

const subscription = pubsub.subscription('my-subscription');
// subscription.iam
```
Constructors
(constructor)(pubsub, nameOrNameable)
```typescript
constructor(pubsub: PubSub, nameOrNameable: Nameable | string);
```
Constructs a new instance of the IAM class
Properties
id
```typescript
get id(): string;
```
pubsub
```typescript
pubsub: PubSub;
```
request
```typescript
request: typeof PubSub.prototype.request;
```
Methods
getPolicy(gaxOpts)
```typescript
getPolicy(gaxOpts?: CallOptions): Promise<GetPolicyResponse>;
```
Get the IAM policy

* gaxOpts: CallOptions

```javascript
const {PubSub} = require('@google-cloud/pubsub');
const pubsub = new PubSub();

const topic = pubsub.topic('my-topic');
const subscription = topic.subscription('my-subscription');

topic.iam.getPolicy(function(err, policy, apiResponse) {});

subscription.iam.getPolicy(function(err, policy, apiResponse) {});

//-
// If the callback is omitted, we'll return a Promise.
//-
topic.iam.getPolicy().then(function(data) {
  const policy = data[0];
  const apiResponse = data[1];
});
```
getPolicy(callback)
```typescript
getPolicy(callback: GetPolicyCallback): void;
```
Returns: void

getPolicy(gaxOpts, callback)
```typescript
getPolicy(gaxOpts: CallOptions, callback: GetPolicyCallback): void;
```
Returns: void
setPolicy(policy, gaxOpts)
```typescript
setPolicy(policy: Policy, gaxOpts?: CallOptions): Promise<SetPolicyResponse>;
```
Set the IAM policy

* policy
* gaxOpts: CallOptions

```javascript
const {PubSub} = require('@google-cloud/pubsub');
const pubsub = new PubSub();

const topic = pubsub.topic('my-topic');
const subscription = topic.subscription('my-subscription');

const myPolicy = {
  bindings: [
    {
      role: 'roles/pubsub.subscriber',
      members: ['serviceAccount:myotherproject@appspot.gserviceaccount.com']
    }
  ]
};

topic.iam.setPolicy(myPolicy, function(err, policy, apiResponse) {});

subscription.iam.setPolicy(myPolicy, function(err, policy, apiResponse) {});

//-
// If the callback is omitted, we'll return a Promise.
//-
topic.iam.setPolicy(myPolicy).then(function(data) {
  const policy = data[0];
  const apiResponse = data[1];
});
```
setPolicy(policy, gaxOpts, callback)
```typescript
setPolicy(policy: Policy, gaxOpts: CallOptions, callback: SetPolicyCallback): void;
```
Returns: void

setPolicy(policy, callback)
```typescript
setPolicy(policy: Policy, callback: SetPolicyCallback): void;
```
Returns: void
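
The `setPolicy` sample above sends a policy containing a single binding, and the policy passed to `setPolicy` becomes the resource's whole policy, so bindings already on the topic or subscription that are not repeated in it are dropped. The following is an added example, not code from the library or its documentation: it reads the current policy, merges one member into it, and writes it back with the `etag` that was read. `addMember` and `grant` are hypothetical helper names, and the retry assumes a stale `etag` is rejected with gRPC status ABORTED (10).

```javascript
// Added example: read-modify-write around iam.getPolicy()/iam.setPolicy().
// `iam` is topic.iam or subscription.iam; addMember/grant are hypothetical helpers.

function addMember(policy, role, member) {
  // Copy the bindings so the policy object that was read is not mutated.
  const bindings = (policy.bindings || []).map(b => ({
    ...b,
    members: [...(b.members || [])],
  }));
  // Reuse an unconditional binding for the role; conditional ones are left alone.
  let binding = bindings.find(b => b.role === role && !b.condition);
  if (!binding) {
    binding = {role, members: []};
    bindings.push(binding);
  }
  if (!binding.members.includes(member)) {
    binding.members.push(member);
  }
  // Spread keeps etag (and any other fields) from the policy that was read.
  return {...policy, bindings};
}

async function grant(iam, role, member, retries = 3) {
  for (let attempt = 1; attempt <= retries; attempt++) {
    const [current] = await iam.getPolicy();
    try {
      const [updated] = await iam.setPolicy(addMember(current, role, member));
      return updated;
    } catch (err) {
      // Assumption: a concurrent change (stale etag) surfaces as ABORTED (10).
      // Re-read and retry in that case; rethrow anything else.
      if (err.code !== 10 || attempt === retries) throw err;
    }
  }
}
```

Usage: `await grant(topic.iam, 'roles/pubsub.subscriber', 'serviceAccount:myotherproject@appspot.gserviceaccount.com')`.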
testPermissions(permissions, gaxOpts)
```typescript
testPermissions(permissions: string | string[], gaxOpts?: CallOptions): Promise<TestIamPermissionsResponse>;
```
Test a set of permissions for a resource.
Permissions with wildcards such as `*` or `storage.*` are not allowed.

* permissions: string | string[]. The permission(s) to test for.
* gaxOpts: CallOptions

```javascript
const {PubSub} = require('@google-cloud/pubsub');
const pubsub = new PubSub();

const topic = pubsub.topic('my-topic');
const subscription = topic.subscription('my-subscription');

//-
// Test a single permission.
//-
const test = 'pubsub.topics.update';

topic.iam.testPermissions(test, function(err, permissions, apiResponse) {
  console.log(permissions);
  // {
  //   "pubsub.topics.update": true
  // }
});

//-
// Test several permissions at once.
//-
const tests = [
  'pubsub.subscriptions.consume',
  'pubsub.subscriptions.update'
];

subscription.iam.testPermissions(tests, function(err, permissions) {
  console.log(permissions);
  // {
  //   "pubsub.subscriptions.consume": true,
  //   "pubsub.subscriptions.update": false
  // }
});

//-
// If the callback is omitted, we'll return a Promise.
//-
topic.iam.testPermissions(test).then(function(data) {
  const permissions = data[0];
  const apiResponse = data[1];
});
```
testPermissions(permissions, gaxOpts, callback)
```typescript
testPermissions(permissions: string | string[], gaxOpts: CallOptions, callback: TestIamPermissionsCallback): void;
```

* permissions: string | string[]
* gaxOpts: CallOptions
* callback

Returns: void

testPermissions(permissions, callback)
```typescript
testPermissions(permissions: string | string[], callback: TestIamPermissionsCallback): void;
```
Returns: void
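
The permission map returned by `testPermissions` can be compared against a least-privilege expectation, for instance to confirm at startup that a consumer's credentials can consume from a subscription but cannot update it. This is an added example, not part of the library or its documentation; `assertNoWildcards`, `diffPermissions` and `checkPermissions` are hypothetical helper names.

```javascript
// Added example: check testPermissions() output against an expected
// allow/deny set. `iam` is topic.iam or subscription.iam.

function assertNoWildcards(permissions) {
  // The API does not accept wildcards, so fail early with a clear message.
  const bad = permissions.filter(p => p.includes('*'));
  if (bad.length > 0) {
    throw new Error(`wildcard permissions are not allowed: ${bad.join(', ')}`);
  }
}

function diffPermissions(granted, expected) {
  // granted:  map from testPermissions, e.g. {"pubsub.topics.update": true}
  // expected: {allow: [...], deny: [...]} lists of permission names
  const missing = expected.allow.filter(p => granted[p] !== true);
  const excess = expected.deny.filter(p => granted[p] === true);
  return {ok: missing.length === 0 && excess.length === 0, missing, excess};
}

async function checkPermissions(iam, expected) {
  const all = [...expected.allow, ...expected.deny];
  assertNoWildcards(all);
  const [granted] = await iam.testPermissions(all);
  return diffPermissions(granted, expected);
}
```

A non-empty `excess` list means the calling identity holds a permission it was expected not to have; a non-empty `missing` list means a required permission is absent.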