© 2025 Lune Inc.
All rights reserved.

Asked 1 month ago by InterstellarResearcher685

How can I use least privilege with a custom service account in Dataflow for automatic Pub/Sub subscriptions?


I want to run Dataflow jobs with a dedicated custom service account per job, but I’m facing permission challenges with the automatic creation of an internal watermark tracking subscription in Pub/Sub.

When the Dataflow job is deployed, it creates a new Pub/Sub subscription (named <SOURCE_SUB_NAME>__df_internal<HASH>) for watermark tracking. In order to follow the Principle of Least Privilege (PLP), I tried granting the service account only the Pub/Sub Subscriber (or even a narrowly scoped Pub/Sub Editor) role on the source topic. However, the job still fails with 403 errors when attempting to call the Subscriber.CreateSubscription API endpoint. Empirically, I found that the job only succeeds when I grant roles/pubsub.editor at the entire project level, which provides broader permissions than necessary.

How can I configure the permissions to avoid granting project-wide Pub/Sub Editor privileges while still allowing Dataflow to create the necessary tracking subscription? Below are some approaches discussed in responses and comments:

  • Pre-creating the watermark tracking subscription manually so that Dataflow doesn’t need to call the creation API at runtime.
  • Using IAM Conditions to restrict the scope of the Pub/Sub Editor role, ensuring that it only applies to subscriptions intended for watermark tracking.
  • Creating custom roles that only include the minimal permissions (e.g., pubsub.subscriptions.create, pubsub.topics.attachSubscription) required for the subscription creation and usage.

Any guidance or alternative strategies to tightly restrict permissions would be greatly appreciated.


3 Answers

Answer by StackOverflowTychoAI Agent 1 month ago


Below is an explanation and two common workarounds:


The Issue

When you use a custom service account for a Dataflow job that reads from Pub/Sub, Dataflow creates an internal “watermark tracking” subscription on the source topic. That subscription is named along the lines of:

  <SOURCE_SUB_NAME>__df_internal

To create that tracking subscription, Dataflow calls Pub/Sub’s Subscription.Create API. Unfortunately, even if you grant roles like Pub/Sub Subscriber (or even narrow the Pub/Sub Editor role) on the source topic, the API call to create the subscription requires a broader scope—typically at the project level. In practice, you’ve noticed that only by granting roles/pubsub.editor on the entire project does the subscription creation succeed. But that violates the Principle of Least Privilege (PLP), since it opens access to resources beyond what your job should need.


Workaround Options

1. Pre-Create the Tracking Subscription

One common way to work around this is to pre-create the watermark tracking subscription manually. Then, configure your pipeline to use that pre-existing subscription instead of letting Dataflow create one at runtime. This way:

  • Your Dataflow job won’t try to call Subscription.Create, and
  • Your service account can get by with a more limited role (e.g., Pub/Sub Subscriber).

This method keeps privilege as narrow as possible because you avoid needing the project‐wide Pub/Sub Editor role.

2. Use IAM Conditions (Where Supported)

If you must allow Dataflow to create the watermark tracking subscription automatically, you might consider using IAM Conditions to restrict the Pub/Sub Editor role. With IAM Conditions you can limit the effective permissions to only resources whose names start with your expected tracking pattern. For example, you can bind roles/pubsub.editor to the job’s custom service account with a condition similar to:

YAML
  bindings:
    - members:
        - serviceAccount:your-job-sa@example.iam.gserviceaccount.com
      role: roles/pubsub.editor
      condition:
        title: RestrictToTrackingSubscriptions
        description: "Allow Pub/Sub Editor only on subscriptions with __df_internal prefix."
        expression: resource.name.matches("projects/your-project/subscriptions/.*__df_internal.*")

Note:
The IAM conditions syntax and expression capabilities may have limitations. Be sure to test that this conditional binding actually restricts access as expected. In some cases the Pub/Sub API may not take full advantage of conditions, meaning that even a conditionally bound role might be effectively broader than intended.


Recommended Approach

Given the current constraints of Dataflow’s internal behavior, the PLP best practice is to pre-create the watermark tracking subscription. This avoids the necessity of granting project-wide Pub/Sub Editor privileges to your job’s custom service account. Pre-creating the subscription ensures that your service account only—and precisely—has the roles needed to read from the source topic, staying true to the Principle of Least Privilege.


By choosing one of these approaches, you can balance Dataflow’s operational needs with a more secure, least-privileged setup.


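The two options in the answer above, written out as gcloud commands. This is an added example, not the answer author's code: the project, topic, subscription and service-account names are constructed placeholders, the tracking-subscription name only imitates the `<SOURCE_SUB_NAME>__df_internal<HASH>` pattern from the question, and the conditional binding uses `resource.name.startsWith` (a documented IAM Conditions function) instead of the answer's regular expression. Set `GCLOUD=echo` to print the commands without touching the API.

```shell
#!/bin/sh
# Added example: provisions the "pre-create the tracking subscription" setup
# with resource-level grants, plus the conditional project-level binding as
# the alternative. Every name below is a constructed placeholder.
set -eu

PROJECT="${PROJECT:-my-project}"
TOPIC="${TOPIC:-orders}"
SOURCE_SUB="${SOURCE_SUB:-orders-dataflow}"
# Hypothetical name mimicking the <SOURCE_SUB_NAME>__df_internal<HASH> pattern.
TRACKING_SUB="${TRACKING_SUB:-${SOURCE_SUB}__df_internal-precreated}"
JOB_SA="${JOB_SA:-dataflow-orders@${PROJECT}.iam.gserviceaccount.com}"

# GCLOUD=echo turns every call into a dry run (commands are printed, not sent).
GCLOUD="${GCLOUD:-gcloud}"

# Create both subscriptions up front, so the job's service account never
# needs pubsub.subscriptions.create at runtime.
precreate_subscriptions() {
  "$GCLOUD" pubsub subscriptions create "$SOURCE_SUB" --topic="$TOPIC" --project="$PROJECT"
  "$GCLOUD" pubsub subscriptions create "$TRACKING_SUB" --topic="$TOPIC" --project="$PROJECT"
}

# Grant roles/pubsub.subscriber on the two subscriptions only: a resource-level
# binding, not a project-level one, so no other subscription is readable.
grant_subscriber_on_subscriptions() {
  for sub in "$SOURCE_SUB" "$TRACKING_SUB"; do
    "$GCLOUD" pubsub subscriptions add-iam-policy-binding "$sub" \
      --member="serviceAccount:${JOB_SA}" \
      --role="roles/pubsub.subscriber" \
      --project="$PROJECT"
  done
}

# Alternative: project-level Pub/Sub Editor limited by an IAM Condition to
# subscriptions whose resource name starts with the tracking prefix. As the
# answer notes, confirm the effective access after binding (for example with
# the IAM Policy Troubleshooter) rather than assuming the condition is honoured.
grant_conditional_editor() {
  prefix="projects/${PROJECT}/subscriptions/${SOURCE_SUB}__df_internal"
  "$GCLOUD" projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:${JOB_SA}" \
    --role="roles/pubsub.editor" \
    --condition="expression=resource.name.startsWith('${prefix}'),title=RestrictToTrackingSubscriptions,description=Editor only on ${SOURCE_SUB} tracking subscriptions"
}

# Guarded entry point: `sh provision.sh precreate` or `sh provision.sh conditional`.
case "${1:-}" in
  precreate)   precreate_subscriptions; grant_subscriber_on_subscriptions ;;
  conditional) grant_conditional_editor ;;
esac
```

Run the `precreate` path first and only fall back to `conditional` if your pipeline cannot be pointed at the pre-created subscription; the subscriber-on-subscription bindings never touch the project policy, which is the property the question is after.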

Answer by CometNavigator530 1 month ago


The 403 error refers to an incorrect IAM permission, and as for your project, my insight is to make a custom role with only the permissions necessary to create and manage a subscription (not roles/pubsub.editor). After that, assign that custom role at the topic level (roles/pubsub.subscriber), and this will follow the PLP and avoid granting unnecessary permissions.


Answer by SaturnianScout612 1 month ago


You have to use 2 custom roles:

  • ROLE_CREATION: creates the subscription, with the permission pubsub.subscriptions.create; pubsub.subscriptions.get, pubsub.subscriptions.list and pubsub.subscriptions.update could also be required, I don't know exactly how your Dataflow pipeline works
  • ROLE_ATTACHMENT: attaches the subscription to the topic, with the permission pubsub.topics.attachSubscription

With these 2 created, you have to grant your Dataflow service account like this:

  • At the project level, grant the ROLE_CREATION custom role. Like this, Dataflow will be able to create a subscription.
  • At the topic level, grant the ROLE_ATTACHMENT custom role. Like this, Dataflow will be able to use your topic.

By doing this, your Dataflow job can create multiple subscriptions, but can attach them only to the authorized topic, not to others. No data leakage this way.

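The two-role split from the answer above as gcloud commands, with a small guard that refuses to create a role whose permission list has drifted outside the intended set. This is an added example, not the answer author's code; the role IDs (`dataflowSubCreation`, `dataflowTopicAttach`), project, topic and service-account names are constructed placeholders. Note that the answer only covers creating and attaching the subscription: actually consuming messages still needs pubsub.subscriptions.consume (part of roles/pubsub.subscriber), which should be granted on the subscription, not the project.

```shell
#!/bin/sh
# Added example: creates the ROLE_CREATION / ROLE_ATTACHMENT custom roles and
# binds them at the two scopes the answer describes (project and topic).
# All names are constructed placeholders.
set -eu

PROJECT="${PROJECT:-my-project}"
TOPIC="${TOPIC:-orders}"
JOB_SA="${JOB_SA:-dataflow-orders@${PROJECT}.iam.gserviceaccount.com}"
GCLOUD="${GCLOUD:-gcloud}"   # set GCLOUD=echo for a dry run

# Permissions per role, as listed in the answer. get/list/update are the
# answer's "could be required" set; drop them if your pipeline runs without.
CREATION_PERMS="pubsub.subscriptions.create,pubsub.subscriptions.get,pubsub.subscriptions.list,pubsub.subscriptions.update"
ATTACH_PERMS="pubsub.topics.attachSubscription"

# Refuse any permission outside the allow-list, so a later edit to the
# variables above cannot silently widen the role. Returns 0 when clean.
check_least_privilege() {
  perms="$1"
  for p in $(printf '%s' "$perms" | tr ',' ' '); do
    case "$p" in
      pubsub.subscriptions.create|pubsub.subscriptions.get|pubsub.subscriptions.list|pubsub.subscriptions.update|pubsub.topics.attachSubscription) ;;
      *) printf 'unexpected permission in custom role: %s\n' "$p" >&2; return 1 ;;
    esac
  done
  return 0
}

# Two project-level custom roles; hypothetical IDs.
create_custom_roles() {
  "$GCLOUD" iam roles create dataflowSubCreation --project="$PROJECT" \
    --title="Dataflow subscription creation" \
    --description="Create and maintain Pub/Sub subscriptions; cannot attach to topics" \
    --permissions="$CREATION_PERMS" --stage=GA
  "$GCLOUD" iam roles create dataflowTopicAttach --project="$PROJECT" \
    --title="Dataflow topic attachment" \
    --description="Attach subscriptions to one authorized topic" \
    --permissions="$ATTACH_PERMS" --stage=GA
}

# Creation role at project scope (subscriptions live under the project);
# attachment role on the single topic the job may consume from.
bind_custom_roles() {
  "$GCLOUD" projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:${JOB_SA}" \
    --role="projects/${PROJECT}/roles/dataflowSubCreation"
  "$GCLOUD" pubsub topics add-iam-policy-binding "$TOPIC" --project="$PROJECT" \
    --member="serviceAccount:${JOB_SA}" \
    --role="projects/${PROJECT}/roles/dataflowTopicAttach"
}

# Guarded entry point: `sh roles.sh apply`.
case "${1:-}" in
  apply)
    check_least_privilege "$CREATION_PERMS"
    check_least_privilege "$ATTACH_PERMS"
    create_custom_roles
    bind_custom_roles ;;
esac
```

The attach permission is what actually ties a subscription to a topic, so keeping it off the project policy is what stops the job from draining any other topic even though it can create subscriptions project-wide.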