Test permissions for subscription

Tests IAM permissions for a subscription.

Explore further

For detailed documentation that includes this code sample, see the following:

Access control with Identity and Access Management

Code sample

C++

Before trying this sample, follow the C++ setup instructions in the Pub/Sub quickstart using client libraries . For more information, see the Pub/Sub C++ API reference documentation .

To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  namespace 
  
 iam 
  
 = 
  
 google 
 :: 
 cloud 
 :: 
 iam_v1 
 ; 
 namespace 
  
 pubsub 
  
 = 
  
 google 
 :: 
 cloud 
 :: 
 pubsub 
 ; 
 []( 
 std 
 :: 
 string 
  
 project_id 
 , 
  
 std 
 :: 
 string 
  
 subscription_id 
 ) 
  
 { 
  
 auto 
  
 const 
  
 subscription 
  
 = 
  
 pubsub 
 :: 
 Subscription 
 ( 
 std 
 :: 
 move 
 ( 
 project_id 
 ), 
  
 std 
 :: 
 move 
 ( 
 subscription_id 
 )); 
  
 auto 
  
 client 
  
 = 
  
 iam 
 :: 
 IAMPolicyClient 
 ( 
  
 iam 
 :: 
 MakeIAMPolicyConnection 
 ( 
 pubsub 
 :: 
 IAMPolicyOptions 
 ())); 
  
 google 
 :: 
 iam 
 :: 
 v1 
 :: 
 TestIamPermissionsRequest 
  
 request 
 ; 
  
 request 
 . 
 set_resource 
 ( 
 subscription 
 . 
 FullName 
 ()); 
  
 request 
 . 
 add_permissions 
 ( 
 "pubsub.subscriptions.consume" 
 ); 
  
 request 
 . 
 add_permissions 
 ( 
 "pubsub.subscriptions.update" 
 ); 
  
 auto 
  
 response 
  
 = 
  
 client 
 . 
 TestIamPermissions 
 ( 
 request 
 ); 
  
 if 
  
 ( 
 ! 
 response 
 ) 
  
 throw 
  
 std 
 :: 
 move 
 ( 
 response 
 ). 
 status 
 (); 
  
 std 
 :: 
 cout 
 << 
 "Allowed permissions for subscription " 
 << 
 subscription 
 . 
 FullName 
 () 
 << 
 ":" 
 ; 
  
 for 
  
 ( 
 auto 
  
 const 
&  
 permission 
  
 : 
  
 response 
 - 
> permissions 
 ()) 
  
 { 
  
 std 
 :: 
 cout 
 << 
 " " 
 << 
 permission 
 ; 
  
 } 
  
 std 
 :: 
 cout 
 << 
 " 
 \n 
 " 
 ; 
 }

C#

Before trying this sample, follow the C# setup instructions in the Pub/Sub quickstart using client libraries . For more information, see the Pub/Sub C# API reference documentation .

To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  using 
  
  Google.Cloud.Iam.V1 
 
 ; 
 using 
  
  Google.Cloud.PubSub.V1 
 
 ; 
 public 
  
 class 
  
 TestSubscriptionIamPermissionsSample 
 { 
  
 public 
  
 TestIamPermissionsResponse 
  
 TestSubscriptionIamPermissionsResponse 
 ( 
 string 
  
 projectId 
 , 
  
 string 
  
 subscriptionId 
 ) 
  
 { 
  
  TestIamPermissionsRequest 
 
  
 request 
  
 = 
  
 new 
  
  TestIamPermissionsRequest 
 
  
 { 
  
 ResourceAsResourceName 
  
 = 
  
  SubscriptionName 
 
 . 
  FromProjectSubscription 
 
 ( 
 projectId 
 , 
  
 subscriptionId 
 ), 
  
 Permissions 
  
 = 
  
 { 
  
 "pubsub.subscriptions.get" 
 , 
  
 "pubsub.subscriptions.update" 
  
 } 
  
 }; 
  
  PublisherServiceApiClient 
 
  
 publisher 
  
 = 
  
  PublisherServiceApiClient 
 
 . 
  Create 
 
 (); 
  
  TestIamPermissionsResponse 
 
  
 response 
  
 = 
  
 publisher 
 . 
  IAMPolicyClient 
 
 . 
 TestIamPermissions 
 ( 
 request 
 ); 
  
 return 
  
 response 
 ; 
  
 } 
 }

Go

Before trying this sample, follow the Go setup instructions in the Pub/Sub quickstart using client libraries . For more information, see the Pub/Sub Go API reference documentation .

To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 "io" 
  
 "cloud.google.com/go/iam/apiv1/iampb" 
  
 "cloud.google.com/go/pubsub/v2" 
 ) 
 func 
  
 testPermissions 
 ( 
 w 
  
 io 
 . 
 Writer 
 , 
  
 projectID 
 , 
  
 subID 
  
 string 
 ) 
  
 ([] 
 string 
 , 
  
 error 
 ) 
  
 { 
  
 // projectID := "my-project-id" 
  
 // subID := "my-sub" 
  
 ctx 
  
 := 
  
 context 
 . 
 Background 
 () 
  
 client 
 , 
  
 err 
  
 := 
  
 pubsub 
 . 
 NewClient 
 ( 
 ctx 
 , 
  
 projectID 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 nil 
 , 
  
 fmt 
 . 
 Errorf 
 ( 
 "pubsub.NewClient: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 req 
  
 := 
  
& iampb 
 . 
  TestIamPermissionsRequest 
 
 { 
  
 Resource 
 : 
  
 fmt 
 . 
 Sprintf 
 ( 
 "projects/%s/subscriptions/%s" 
 , 
  
 projectID 
 , 
  
 subID 
 ), 
  
 Permissions 
 : 
  
 [] 
 string 
 { 
  
 "pubsub.subscriptions.consume" 
 , 
  
 "pubsub.subscriptions.update" 
 , 
  
 }, 
  
 } 
  
 resp 
 , 
  
 err 
  
 := 
  
 client 
 . 
 SubscriptionAdminClient 
 . 
  TestIamPermissions 
 
 ( 
 ctx 
 , 
  
 req 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 nil 
 , 
  
 fmt 
 . 
 Errorf 
 ( 
 "error calling TestIamPermissions: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 for 
  
 _ 
 , 
  
 perm 
  
 := 
  
 range 
  
 resp 
 . 
 Permissions 
  
 { 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "Allowed: %v\n" 
 , 
  
 perm 
 ) 
  
 } 
  
 return 
  
 resp 
 . 
 Permissions 
 , 
  
 nil 
 }

Java

Before trying this sample, follow the Java setup instructions in the Pub/Sub quickstart using client libraries . For more information, see the Pub/Sub Java API reference documentation .

To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  import 
  
 com.google.cloud.pubsub.v1. SubscriptionAdminClient 
 
 ; 
 import 
  
 com.google.iam.v1. TestIamPermissionsRequest 
 
 ; 
 import 
  
 com.google.iam.v1. TestIamPermissionsResponse 
 
 ; 
 import 
  
 com.google.pubsub.v1. ProjectSubscriptionName 
 
 ; 
 import 
  
 java.io.IOException 
 ; 
 import 
  
 java.util.LinkedList 
 ; 
 import 
  
 java.util.List 
 ; 
 public 
  
 class 
 TestSubscriptionPermissionsExample 
  
 { 
  
 public 
  
 static 
  
 void 
  
 main 
 ( 
 String 
 ... 
  
 args 
 ) 
  
 throws 
  
 Exception 
  
 { 
  
 // TODO(developer): Replace these variables before running the sample. 
  
 String 
  
 projectId 
  
 = 
  
 "your-project-id" 
 ; 
  
 String 
  
 subscriptionId 
  
 = 
  
 "your-subscription-id" 
 ; 
  
 testSubscriptionPermissionsExample 
 ( 
 projectId 
 , 
  
 subscriptionId 
 ); 
  
 } 
  
 public 
  
 static 
  
 void 
  
 testSubscriptionPermissionsExample 
 ( 
 String 
  
 projectId 
 , 
  
 String 
  
 subscriptionId 
 ) 
  
 throws 
  
 IOException 
  
 { 
  
 try 
  
 ( 
  SubscriptionAdminClient 
 
  
 subscriptionAdminClient 
  
 = 
  
  SubscriptionAdminClient 
 
 . 
 create 
 ()) 
  
 { 
  
  ProjectSubscriptionName 
 
  
 subscriptionName 
  
 = 
  
  ProjectSubscriptionName 
 
 . 
 of 
 ( 
 projectId 
 , 
  
 subscriptionId 
 ); 
  
 List<String> 
  
 permissions 
  
 = 
  
 new 
  
 LinkedList 
<> (); 
  
 permissions 
 . 
 add 
 ( 
 "pubsub.subscriptions.consume" 
 ); 
  
 permissions 
 . 
 add 
 ( 
 "pubsub.subscriptions.update" 
 ); 
  
  TestIamPermissionsRequest 
 
  
 testIamPermissionsRequest 
  
 = 
  
  TestIamPermissionsRequest 
 
 . 
 newBuilder 
 () 
  
 . 
 setResource 
 ( 
 subscriptionName 
 . 
  toString 
 
 ()) 
  
 . 
 addAllPermissions 
 ( 
 permissions 
 ) 
  
 . 
 build 
 (); 
  
  TestIamPermissionsResponse 
 
  
 testedPermissionsResponse 
  
 = 
  
 subscriptionAdminClient 
 . 
 testIamPermissions 
 ( 
 testIamPermissionsRequest 
 ); 
  
 System 
 . 
 out 
 . 
 println 
 ( 
 "Tested:\n" 
  
 + 
  
 testedPermissionsResponse 
 ); 
  
 } 
  
 } 
 }

PHP

Before trying this sample, follow the PHP setup instructions in the Pub/Sub quickstart using client libraries . For more information, see the Pub/Sub PHP API reference documentation .

To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  use Google\Cloud\PubSub\PubSubClient; 
 /** 
 * Prints the permissions of a subscription. 
 * 
 * @param string $projectId  The Google project ID. 
 * @param string $subscriptionName  The Pub/Sub subscription name. 
 */ 
 function test_subscription_permissions($projectId, $subscriptionName) 
 { 
 $pubsub = new PubSubClient([ 
 'projectId' => $projectId, 
 ]); 
 $subscription = $pubsub->subscription($subscriptionName); 
 $permissions = $subscription->iam()->testPermissions([ 
 'pubsub.subscriptions.consume', 
 'pubsub.subscriptions.update' 
 ]); 
 foreach ($permissions as $permission) { 
 printf('Permission: %s' . PHP_EOL, $permission); 
 } 
 }

Ruby

Before trying this sample, follow the Ruby setup instructions in the Pub/Sub quickstart using client libraries . For more information, see the Pub/Sub Ruby API reference documentation .

To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  # subscription_id = "your-subscription-id" 
 pubsub 
  
 = 
  
 Google 
 :: 
 Cloud 
 :: 
  PubSub 
 
 . 
  new 
 
 subscription_admin 
  
 = 
  
 pubsub 
 . 
  subscription_admin 
 
 permissions 
  
 = 
  
 [ 
 "pubsub.subscriptions.consume" 
 , 
  
 "pubsub.subscriptions.update" 
 ] 
 response 
  
 = 
  
 pubsub 
 . 
  iam 
 
 . 
 test_iam_permissions 
  
 \ 
  
 resource 
 : 
  
 pubsub 
 . 
 subscription_path 
 ( 
 subscription_id 
 ), 
  
 permissions 
 : 
  
 permissions 
 puts 
  
 "Permission to consume" 
  
 \ 
  
 if 
  
 response 
 . 
 permissions 
 . 
 include? 
  
 "pubsub.subscriptions.consume" 
 puts 
  
 "Permission to update" 
  
 \ 
  
 if 
  
 response 
 . 
 permissions 
 . 
 include? 
  
 "pubsub.subscriptions.update"

What's next

To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser .

Test permissions for subscription Stay organized with collections Save and categorize content based on your preferences.

Explore further

Code sample

C++

C#

Go

Java

PHP

Ruby

What's next

Test permissions for subscription