Set topic policy

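Sets the IAM policy on a Pub/Sub topic. Setting a policy replaces the topic's whole policy, so a sample that does not first read the current policy discards the bindings that were already there.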

Explore further

For detailed documentation that includes this code sample, see the following:

Code sample

C++

Before trying this sample, follow the C++ setup instructions in the Pub/Sub quickstart using client libraries . For more information, see the Pub/Sub C++ API reference documentation .

To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  namespace iam = google::cloud::iam;
  namespace pubsub = google::cloud::pubsub;
  using google::cloud::StatusCode;
  // Reads the topic's current IAM policy, appends two bindings and writes the
  // result back. A failed read or write is reported by throwing the returned
  // status.
  [](std::string project_id, std::string topic_id) {
    auto const topic =
        pubsub::Topic(std::move(project_id), std::move(topic_id));
    auto client = iam::IAMPolicyClient(
        iam::MakeIAMPolicyConnection(pubsub::IAMPolicyOptions()));

    // This is a single read-modify-write pass. In production code, consider
    // an OCC loop to handle concurrent changes to the policy.
    google::iam::v1::GetIamPolicyRequest get_request;
    get_request.set_resource(topic.FullName());
    auto policy = client.GetIamPolicy(get_request);
    if (!policy) {
      throw std::move(policy).status();
    }

    // Start from the policy that was just read so the bindings already on the
    // topic are kept; only the two bindings below are added.
    google::iam::v1::SetIamPolicyRequest set_request;
    set_request.set_resource(topic.FullName());
    auto* updated = set_request.mutable_policy();
    *updated = *std::move(policy);

    // Viewer access for a whole domain: "domain:google.com" covers every
    // account in that domain. It is a sample value; substitute the principals
    // that actually need read access.
    auto* viewer_binding = updated->add_bindings();
    viewer_binding->set_role("roles/pubsub.viewer");
    viewer_binding->add_members("domain:google.com");

    // Publisher access for one group (the role set here is
    // roles/pubsub.publisher, not an editor role).
    auto* publisher_binding = updated->add_bindings();
    publisher_binding->set_role("roles/pubsub.publisher");
    publisher_binding->add_members("group:cloud-logs@google.com");

    auto response = client.SetIamPolicy(set_request);
    if (!response) {
      throw std::move(response).status();
    }
    std::cout << "Policy for topic " << topic.FullName() << ": "
              << response->DebugString() << "\n";
  }
 

C#

Before trying this sample, follow the C# setup instructions in the Pub/Sub quickstart using client libraries . For more information, see the Pub/Sub C# API reference documentation .

To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  using 
  
  Google.Cloud.Iam.V1 
 
 ; 
 using 
  
  Google.Cloud.PubSub.V1 
 
 ; 
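 public class SetTopicIamPolicySample
 {
     /// <summary>
     /// Grants <paramref name="member"/> the role <c>roles/{role}</c> on a topic
     /// and returns the policy the service stored.
     /// </summary>
     /// <param name="projectId">Project that owns the topic.</param>
     /// <param name="topicId">ID of the topic whose policy is updated.</param>
     /// <param name="role">Role name without the <c>roles/</c> prefix.</param>
     /// <param name="member">Principal to bind, passed through unchanged.</param>
     /// <returns>The policy returned by SetIamPolicy.</returns>
     public Policy SetTopicIamPolicy(string projectId, string topicId, string role, string member)
     {
         PublisherServiceApiClient publisher = PublisherServiceApiClient.Create();
         TopicName topicName = TopicName.FromProjectTopic(projectId, topicId);
         string roleToBeAddedToPolicy = $"roles/{role}";

         // SetIamPolicy replaces the topic's whole policy. Sending a policy that
         // holds only the new binding would drop every binding already on the
         // topic, so read the current policy first and append to it. The policy
         // that is read back is the one sent, so it carries whatever etag the
         // service returned with it.
         Policy policy = publisher.IAMPolicyClient.GetIamPolicy(new GetIamPolicyRequest
         {
             ResourceAsResourceName = topicName
         });
         policy.Bindings.Add(new Binding
         {
             Role = roleToBeAddedToPolicy,
             Members = { member }
         });

         SetIamPolicyRequest request = new SetIamPolicyRequest
         {
             ResourceAsResourceName = topicName,
             Policy = policy
         };
         Policy response = publisher.IAMPolicyClient.SetIamPolicy(request);
         return response;
     }
 }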
 

Go

Before trying this sample, follow the Go setup instructions in the Pub/Sub quickstart using client libraries . For more information, see the Pub/Sub Go API reference documentation .

To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 "io" 
  
 "cloud.google.com/go/iam/apiv1/iampb" 
  
 "cloud.google.com/go/pubsub/v2" 
 ) 
 // addUsersToTopic reads the topic's IAM policy, appends one binding and
 // writes the policy back. It prints a confirmation line to w on success and
 // returns a wrapped error from whichever client call failed.
 func addUsersToTopic(w io.Writer, projectID, topicID string) error {
 	// projectID := "my-project-id"
 	// topicID := "my-topic"
 	ctx := context.Background()
 	client, err := pubsub.NewClient(ctx, projectID)
 	if err != nil {
 		return fmt.Errorf("pubsub.NewClient: %w", err)
 	}
 	defer client.Close()

 	admin := client.TopicAdminClient
 	resource := fmt.Sprintf("projects/%s/topics/%s", projectID, topicID)

 	// Fetch the current policy first: the policy sent to SetIamPolicy below is
 	// this one plus the new binding, so existing bindings are kept.
 	current, err := admin.GetIamPolicy(ctx, &iampb.GetIamPolicyRequest{
 		Resource: resource,
 	})
 	if err != nil {
 		return fmt.Errorf("error calling GetIamPolicy: %w", err)
 	}

 	current.Bindings = append(current.Bindings, &iampb.Binding{
 		// NOTE(review): roles/editor is a broad basic role rather than a
 		// Pub/Sub-specific one. Other samples on this page grant
 		// roles/pubsub.publisher or roles/pubsub.viewer; prefer the
 		// narrowest role that covers the need.
 		Role: "roles/editor",
 		// Other valid prefixes are "serviceAccount:", "user:"
 		// See the documentation for more values.
 		Members: []string{"group:cloud-logs@google.com"},
 	})

 	update := &iampb.SetIamPolicyRequest{
 		Resource: resource,
 		Policy:   current,
 	}
 	if _, err = admin.SetIamPolicy(ctx, update); err != nil {
 		return fmt.Errorf("error calling SetIamPolicy: %w", err)
 	}

 	fmt.Fprintln(w, "Added roles to topic.")
 	return nil
 }
 

Java

Before trying this sample, follow the Java setup instructions in the Pub/Sub quickstart using client libraries . For more information, see the Pub/Sub Java API reference documentation .

To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  import 
  
 com.google.cloud.pubsub.v1. TopicAdminClient 
 
 ; 
 import 
  
 com.google.iam.v1. Binding 
 
 ; 
 import 
  
 com.google.iam.v1. GetIamPolicyRequest 
 
 ; 
 import 
  
 com.google.iam.v1. Policy 
 
 ; 
 import 
  
 com.google.iam.v1. SetIamPolicyRequest 
 
 ; 
 import 
  
 com.google.pubsub.v1. TopicName 
 
 ; 
 import 
  
 java.io.IOException 
 ; 
 public class SetTopicPolicyExample {
   public static void main(String... args) throws Exception {
     // TODO(developer): Replace these variables before running the sample.
     String projectId = "your-project-id";
     String topicId = "your-topic-id";

     setTopicPolicyExample(projectId, topicId);
   }

   /**
    * Reads the topic's IAM policy, appends one binding and writes the policy back, then prints
    * the policy returned by the service.
    *
    * @param projectId project that owns the topic
    * @param topicId ID of the topic whose policy is updated
    * @throws IOException declared by the sample; the client is created inside try-with-resources
    */
   public static void setTopicPolicyExample(String projectId, String topicId)
       throws IOException {
     try (TopicAdminClient client = TopicAdminClient.create()) {
       String resource = TopicName.of(projectId, topicId).toString();

       // Read the current policy so the update below extends it instead of replacing it.
       Policy existing =
           client.getIamPolicy(GetIamPolicyRequest.newBuilder().setResource(resource).build());

       // New role -> members binding. "domain:google.com" covers every account in that domain
       // and roles/pubsub.editor is more than read access; both are sample values, so
       // substitute the narrowest role and the specific principals that need it.
       Binding.Builder bindingBuilder = Binding.newBuilder();
       bindingBuilder.setRole("roles/pubsub.editor");
       bindingBuilder.addMembers("domain:google.com");
       Binding addedBinding = bindingBuilder.build();

       // The builder is seeded with the policy that was read, so every field it carried is
       // sent back along with the added binding.
       Policy merged = Policy.newBuilder(existing).addBindings(addedBinding).build();

       SetIamPolicyRequest.Builder requestBuilder = SetIamPolicyRequest.newBuilder();
       requestBuilder.setResource(resource);
       requestBuilder.setPolicy(merged);

       Policy stored = client.setIamPolicy(requestBuilder.build());
       System.out.println("New topic policy: " + stored);
     }
   }
 }
 

Node.js

Before trying this sample, follow the Node.js setup instructions in the Pub/Sub quickstart using client libraries . For more information, see the Pub/Sub Node.js API reference documentation .

To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  /**
   * TODO(developer): Uncomment this variable before running the sample.
   */
  // const topicNameOrId = 'YOUR_TOPIC_NAME_OR_ID';

  // Imports the Google Cloud client library
  const {PubSub} = require('@google-cloud/pubsub');

  // Creates a client; cache this for further use
  const pubSubClient = new PubSub();

  /**
   * Sets the IAM policy of a topic to the two bindings defined below and logs
   * the bindings of the policy that comes back.
   *
   * The policy object is built from scratch and the current policy is never
   * read, so this call replaces whatever bindings the topic already had.
   *
   * @param {string} topicNameOrId Name or ID of the topic to update.
   */
  async function setTopicPolicy(topicNameOrId) {
    // Add a group as editors
    const groupEditors = {
      role: 'roles/pubsub.editor',
      members: ['group:cloud-logs@google.com'],
    };

    // Add all users as viewers. 'allUsers' is the public principal: it covers
    // anyone, signed in or not. Keep it only for a topic that is meant to be
    // publicly viewable; otherwise list the specific principals.
    const publicViewers = {
      role: 'roles/pubsub.viewer',
      members: ['allUsers'],
    };

    // The new IAM policy
    const newPolicy = {
      bindings: [groupEditors, publicViewers],
    };

    // Updates the IAM policy for the topic
    const topic = pubSubClient.topic(topicNameOrId);
    const response = await topic.iam.setPolicy(newPolicy);
    const updatedPolicy = response[0];

    console.log('Updated policy for topic: %j', updatedPolicy.bindings);
  }
 

Node.js (TypeScript)

Before trying this sample, follow the Node.js setup instructions in the Pub/Sub quickstart using client libraries . For more information, see the Pub/Sub Node.js API reference documentation .

To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  /**
   * TODO(developer): Uncomment this variable before running the sample.
   */
  // const topicNameOrId = 'YOUR_TOPIC_NAME_OR_ID';

  // Imports the Google Cloud client library
  import {PubSub, Policy} from '@google-cloud/pubsub';

  // Creates a client; cache this for further use
  const pubSubClient = new PubSub();

  /**
   * Sets the IAM policy of a topic to the two bindings defined below and logs
   * the bindings of the policy that comes back.
   *
   * The policy object is built from scratch and the current policy is never
   * read, so this call replaces whatever bindings the topic already had.
   *
   * @param topicNameOrId Name or ID of the topic to update.
   */
  async function setTopicPolicy(topicNameOrId: string) {
    // The new IAM policy
    const newPolicy: Policy = {
      bindings: [
        // Add a group as editors
        {role: 'roles/pubsub.editor', members: ['group:cloud-logs@google.com']},
        // Add all users as viewers. 'allUsers' is the public principal: it
        // covers anyone, signed in or not. Keep it only for a topic that is
        // meant to be publicly viewable; otherwise list specific principals.
        {role: 'roles/pubsub.viewer', members: ['allUsers']},
      ],
    };

    // Updates the IAM policy for the topic
    const topic = pubSubClient.topic(topicNameOrId);
    const response = await topic.iam.setPolicy(newPolicy);
    const updatedPolicy = response[0];

    console.log('Updated policy for topic: %j', updatedPolicy.bindings);
  }
 

PHP

Before trying this sample, follow the PHP setup instructions in the Pub/Sub quickstart using client libraries . For more information, see the Pub/Sub PHP API reference documentation .

To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  use Google\Cloud\PubSub\PubSubClient; 
 /**
  * Grants one user the publisher role on a Pub/Sub topic.
  *
  * The topic's current policy is fetched, a roles/pubsub.publisher binding for
  * "user:<email>" is appended, and the resulting policy is written back, so
  * bindings already on the topic are kept.
  *
  * @param string $projectId  The Google project ID.
  * @param string $topicName  The Pub/Sub topic name.
  * @param string $userEmail  The user email to add to the policy. It is
  *                           concatenated after "user:" without validation;
  *                           callers should pass a checked address.
  */
 function set_topic_policy($projectId, $topicName, $userEmail)
 {
     $client = new PubSubClient(['projectId' => $projectId]);
     $topic = $client->topic($topicName);

     // Read-modify-write: start from the policy the topic has now.
     $currentPolicy = $topic->iam()->policy();
     $publisherBinding = [
         'role' => 'roles/pubsub.publisher',
         'members' => ['user:' . $userEmail]
     ];
     $currentPolicy['bindings'][] = $publisherBinding;
     $topic->iam()->setPolicy($currentPolicy);

     printf('User %s added to policy for %s' . PHP_EOL, $userEmail, $topicName);
 }
 

Python

Before trying this sample, follow the Python setup instructions in the Pub/Sub quickstart using client libraries . For more information, see the Pub/Sub Python API reference documentation .

To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  from 
  
 google.cloud 
  
 import 
 pubsub_v1 
 # TODO(developer): Choose an existing topic.
 # project_id = "your-project-id"
 # topic_id = "your-topic-id"

 client = pubsub_v1.PublisherClient()
 topic_path = client.topic_path(project_id, topic_id)

 # Read the current policy first; the bindings below are added to it, so the
 # bindings already on the topic are sent back unchanged.
 policy = client.get_iam_policy(request={"resource": topic_path})

 # Bindings to add, as (role, members) pairs:
 #  - viewer access for a whole domain ("domain:google.com" covers every
 #    account in that domain; it is a sample value, substitute the principals
 #    that need read access);
 #  - publisher access for one group.
 new_bindings = [
     ("roles/pubsub.viewer", ["domain:google.com"]),
     ("roles/pubsub.publisher", ["group:cloud-logs@google.com"]),
 ]
 for role, members in new_bindings:
     policy.bindings.add(role=role, members=members)

 # Write the extended policy back; the name is rebound to the service's reply.
 policy = client.set_iam_policy(request={"resource": topic_path, "policy": policy})

 print("IAM policy for topic {} set: {}".format(topic_id, policy))
 

Ruby

Before trying this sample, follow the Ruby setup instructions in the Pub/Sub quickstart using client libraries . For more information, see the Pub/Sub Ruby API reference documentation .

To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  # topic_id              = "your-topic-id"
  # role                  = "roles/pubsub.publisher"
  # service_account_email =
  # "serviceAccount:account_name@project_name.iam.gserviceaccount.com"

  pubsub = Google::Cloud::PubSub.new

  # A single binding: the given role for the given service account.
  new_binding = Google::Iam::V1::Binding.new(
    role:    role,
    members: [service_account_email]
  )

  # The policy sent here contains only the binding above and the current
  # policy is never read, so this call replaces whatever bindings the topic
  # already had. Fetch the existing policy and append to it when other
  # principals must keep their access.
  topic_resource = pubsub.topic_path(topic_id)
  pubsub.iam.set_iam_policy(
    resource: topic_resource,
    policy:   { bindings: [new_binding] }
  )
 

What's next

To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser .
